Phishing attacks are a form of social engineering, and the range of targets depends on who the attacker is. In some instances it is a generic scam email looking for anyone with a PayPal account, while in other cases it is a more carefully thought-out attack directed at an individual.
Regardless of the different types of attacks out there, the end goal is the same: obtain sensitive information from a user.
Phishing has grown so sophisticated that even the most cautious of individuals could fall prey to these types of attacks. It’s no wonder that ransomware accounts for over 97% of all phishing emails, according to PhishMe Research.
But getting into the specifics, there are four key types of phishing:
- Spear Phishing
- Email Phishing
- Search engine phishing
Since phishing sounds so similar to fishing, it makes sense that the types of phishing involve variations on fishing terms. Case in point: spear phishing. Just like actual spear fishing, the goal is to target a specific fish (i.e. person) with this attack.
Spear phishing doesn’t have to focus on a single individual, though. It can also target a specific group of people, like a company’s system administrators. Unlike the fishing technique, spear phishing has to be carefully crafted as well. For example, these attacks use general pieces of information about their targets.
For example, if the target is a business owner, a cybercriminal can use that information to pose as a Better Business Bureau agent and say they received an abuse complaint or a claim that the business violated a law. The phishing attack itself would entail getting the person to click a link in the email.
Whaling is similar to spear phishing but even more specific, focusing on larger targets. In terms of people, these are the CEOs and CFOs of companies: the bigwigs of big corporations. A whaling email can follow the lines of the example I mentioned above: the company is facing legal consequences, and to get the details, the recipient has to click on a link.
That link would then send them to a site that asks for critical data about the company before granting access. Things like tax IDs and bank account numbers.
One other type of attack that goes under the radar is smishing, which involves sending an attack via text messaging or short message service (SMS). A common tactic in these attacks is to deliver a message to a cell phone that contains a clickable link or a return phone number.
While email is the preferred method, these attacks are not that different from their email counterparts. A common one claims to come from your “banking institution”. It tells you your account is compromised and that you need to respond immediately. When you call them or respond, they ask you to verify your bank account number and other personal details.
Another variant is vishing, which is also a phishing attack, though the emphasis is on voice calling people, hence the “v” over the “ph”.
Common vishing attacks include people claiming to be Microsoft representatives calling you about issues with your computer. They claim that a virus has infected your computer and that they have anti-virus software available but need your credit card information to enable it.
Of course, that’s a lie, and what’s worse, the anti-virus software the attacker downloaded is filled with malware.
Email Phishing
This is the most common type and the one many of us are familiar with: your regular run-of-the-mill email phishing. Out of all the techniques, this one is easy to spot, as the emails are usually riddled with spelling and grammatical errors. The contents of the email are also broad, such as a message saying a specific account of yours is compromised and that you need to click on the provided link for more details.
Of course, not every one of these phishing attacks is like that. Some can be more carefully crafted as well. The key is to check the email source as well as the link that you’re being directed to. Note suspicious language or typos that can give you clues as to whether the source is legitimate or not.
Search Engine Phishing
Also called SEO poisoning or SEO Trojans, this attack is where hackers use search engine optimization tactics to reach the top spot in a search engine’s results. When it works, users who click the link in the search results are directed to the hacker’s website. From there, the hackers can steal your information whenever you interact with their site or enter sensitive data. Hacker sites can pose as any type of site; however, prime candidates are banks, money transfer, social media, and shopping sites.