Phishing attacks are one of the most common cyber threats that people face today. These attacks are designed to steal sensitive information, such as usernames, passwords, credit card numbers, sensitive or financial data of an organisation, and other personal or business data. The attackers deploy a large variety of sophisticated phishing attacks to trick their victims into giving up this information, including email scams, fake websites, and social engineering.
In this article, we will explore 25 different types of phishing attacks and how to identify them through some examples. This list of types of phishing attacks will increase your awareness to protect yourself and your organization from falling victim to these scams.
Table of Contents
25 Types of Phishing Attacks And How To Identify Them
First step towards increasing the efficacy or your organisation’s cybersecurity awareness, it is important to know what are the different types of phishing attacks. Organisations usually opt for Phishing Simulation Platforms and Anti Phishing Services to combat phishing attacks at organisational level and protect themselves.
1. Deceptive phishing
Deceptive phishing is the most common type of phishing attack, in which attackers send emails that appear to come from a legitimate source, such as a financial institution or a social media site. The email may contain a link that takes the user to a fake website that looks identical to the legitimate site. The user is then asked to input sensitive information, such as login credentials or credit card numbers, which the attacker can then use to gain access to the user’s account.
Example of Deceptive Phishing:
An attacker may send an email impersonating a bank and ask the recipient to update their login credentials. According to the Anti-Phishing Working Group (APWG), in Q1 2021, there were 67,135 phishing attacks reported globally.
2. Spear phishing
Spear phishing is a type of phishing attack that is targeted at a specific individual or organization. The attacker will send an email that appears to come from a legitimate source, but the email will contain a link that leads to a fake website. The fake website will ask the user to input sensitive information, such as login credentials or credit card numbers. The attacker can then use this information to gain access to the user’s account.
Whaling attacks are similar to spear phishing, but they target high-profile individuals such as CEOs, CFOs, or other executives. These attacks usually involve a very convincing email that appears to be from a legitimate source, such as a government agency or financial institution.
Vishing is a type of phishing attack that uses voice calls or VoIP (Voice over IP) instead of email. The attacker will try to trick the victim into giving them personal information or financial data over the phone.
Smishing is a type of phishing attack that uses SMS (Short Message Service) texts instead of email. The attacker will send a text message that appears to be from a legitimate source, such as a bank or government agency. They will then try to trick the victim into giving them personal information or financial data.
6. Clone phishing
Clone phishing is a type of phishing attack where the attacker creates an exact replica of a legitimate email that has been sent previously. The only difference is that the malicious link or attachment has been replaced with a new one. This can be difficult to spot, especially if the victim doesn’t have the original email to compare it to.
Typosquatting is a type of phishing attack where the attacker uses a domain name that is very similar to a legitimate website. When victims make a typo when trying to visit the legitimate site, they will end up on the attacker’s fake site instead. The attacker can then try to trick the victim into giving them personal information or financial data.
Pharming is a type of phishing attack where the attacker redirects victims to a fake website, even if they typed in the correct URL. This can be done by infecting DNS servers or by using browser hijacking software. The attacker can then try to trick the victim into giving them personal information or financial data.
9. Malware-based phishing
Malware-based phishing is a type of phishing attack where the attacker uses malware to infect the victim’s computer. The malware can then be used to steal personal information or financial data.
10. Password reset phishing
Password reset phishing is a type of phishing attack where the attacker uses a fake password reset email to trick the victim into giving them their personal information or financial data.
11. CEO Fraud:
CEO fraud, also known as “Business Email Compromise (BEC) Scam,” is a type of phishing attack that specifically targets businesses and organizations, with the aim of gaining access to sensitive data, financial information, and intellectual property. In a CEO fraud attack, scammers pose as high-level executives or authorized personnel, such as CEOs, CFOs, or managers, and request employees to make unauthorized transactions, transfer funds, or disclose sensitive information.
12. Man-in-the-Middle (MitM) Attack
A Man-in-the-Middle (MitM) Attack is a type of cyber attack where a hacker intercepts communication between two parties who believe they are communicating directly with each other. The attacker may be able to view, steal or alter the information being exchanged, without the knowledge or consent of either party.
13. Search Engine Phishing
Attackers create a fake website that looks like a legitimate one and use search engines to direct victims to the fake site.
14. Content Injection Phishing
Content injection phishing is a type of phishing attack that involves inserting malicious content into legitimate web pages or emails. The objective is to trick the user into believing that the content is legitimate and then persuading them to take some action, such as entering sensitive information, clicking on a malicious link, or downloading a file.
For example, a content injection phishing attack may involve inserting a fake login form into a legitimate website.
15. Session Hijacking
Session hijacking, also known as session fixation, is a type of cyber attack where a hacker gains unauthorized access to a web user’s session with a website or application. The attacker aims to exploit a vulnerability in the website or application’s authentication process, allowing them to impersonate the user and take control of their session.
Real-world examples of session hijacking attacks include the 2011 attack on LinkedIn social network, where hackers were able to steal the login credentials of millions of users, and the 2008 attack on the European Commission’s website, where attackers were able to take control of user sessions and steal sensitive data.
Tabnabbing is a type of phishing attack that involves changing the content of a browser tab after the user has moved away from it. The attacker typically waits for the user to switch to another tab or application and then replaces the content of the original tab with a fake login page or other type of malicious content. When the user returns to the original tab, they may unknowingly enter their login credentials or other sensitive information into the fake page, allowing the attacker to steal their information.
17. DNS Spoofing
DNS Spoofing is a type of cyber attack where the attacker intercepts the communication between a user and a DNS server to redirect the user to a fake website. DNS (Domain Name System) is responsible for resolving website domain names into their corresponding IP addresses so that computers can communicate with each other over the internet.
In DNS Spoofing, the attacker alters the DNS cache of the user’s computer or the DNS server to redirect the user to a fake website, which looks identical to the legitimate one. The user then unknowingly provides sensitive information such as login credentials, credit card information, or personal data, which is captured by the attacker.
18. URL Spoofing
URL spoofing is a type of cyber attack where an attacker creates a fake or fraudulent website that imitates a legitimate website. The attacker typically uses a similar or identical URL (web address) to the legitimate website, often by making use of common misspellings or typos.
19. Homograph Attack
A homograph attack is a type of cyber attack that exploits the similarity of characters in different scripts or character sets to create fake or spoofed websites that appear legitimate. This attack is based on the use of homographs, which are characters from different scripts that look similar or identical.
For example, a homograph attack might use the Cyrillic letter “а” instead of the Latin letter.
20. Zero-Day Attack
A zero-day attack, also known as a zero-day exploit, is a type of cyber attack that takes advantage of a vulnerability in software or hardware that is unknown to the software vendor or manufacturer. This vulnerability, known as a zero-day vulnerability, allows the attacker to gain unauthorized access to a system or data.
21. Watering Hole Attack
A watering hole attack is a type of cyber attack in which the attacker compromises a website that is frequently visited by the target group or individuals. The goal of this attack is to infect the target group with malware, usually by exploiting vulnerabilities in the visitors’ web browsers or plugins.
Ransomware is a type of malicious software (malware) that encrypts the victim’s files or locks their device and demands a ransom payment in exchange for restoring access. The ransom is typically demanded in a cryptocurrency such as Bitcoin, which is difficult to trace.
Example of Ransomware Attack:
In 2017, a major ransomware attack called WannaCry affected hundreds of thousands of computers in more than 150 countries. The attack targeted computers running Microsoft Windows operating systems and exploited a vulnerability in the Windows Server Message Block (SMB) protocol.
The ransomware encrypted the victims’ files and demanded payment in Bitcoin in exchange for the decryption key. The attack impacted numerous organizations, including healthcare providers, government agencies, and businesses.
23. Rogue Software
Rogue software, also known as rogue security software or scareware, is a type of malicious software that is designed to deceive users into purchasing or downloading software that is unnecessary or harmful.
Example of Rogue Software:
In 2018, a group of hackers used rogue software to infect over 500,000 routers with malware. The malware, known as VPNFilter, was distributed through a fake software update and was able to steal sensitive information and remotely control infected devices.
24. Angler Phishing
Angler phishing is a type of phishing attack that involves the use of a personalized and targeted approach to deceive victims into providing sensitive information or performing a certain action. This type of phishing attack is also known as spear phishing or targeted phishing.
Example of Angler Phishing
In 2015, a spear phishing attack targeting employees of a major health insurer, Anthem, resulted in the theft of personal information of nearly 80 million individuals. The attackers sent targeted emails to employees with the subject line “Important Message From HR,” which included a link to a spoofed website designed to steal the employees’ login credentials.
25. Social Engineering
Social engineering is the use of psychological manipulation and deception to influence individuals or groups of people to divulge sensitive information or perform actions that may not be in their best interests. It involves exploiting human vulnerabilities such as trust, fear, greed, and curiosity to gain access to sensitive information or systems.
Example of Social Engineering:
In 2016, a massive phishing campaign targeted Gmail users, resulting in the theft of over one million email account credentials. The attack was carried out using a fake login page that closely resembled the real Gmail login page, and was sent to victims via a malicious email that appeared to be from a trusted source. The fake page captured victims’ usernames and passwords, which were then used by the attackers to access their email accounts and steal sensitive information.
Google, the owner of Gmail, was quick to issue a statement urging users to enable two-factor authentication and to be vigilant against phishing attacks. The incident highlighted the ongoing threat posed by social engineering and the importance of user education and security measures to prevent such attacks.
What are the most common types of phishing attacks?
There are several types of phishing attacks, but some of the most common ones are:
1. Deceptive Phishing
2. Spear Phishing
4. Close Phishing
7. Malware-based phishing
8. CEO Fraud
What is an example of a phishing attack?
An example of a phishing attack is when a person receives an email that appears to be from their bank, asking them to click on a link and log in to their account to verify some information. The email may use official branding and logos, making it appear legitimate, but the link actually takes the person to a fake website that looks like their bank’s website. Once the person enters their login credentials on the fake website, the attacker can then use those credentials to access the person’s real bank account and steal their information or money.
Here are some Phishing attacks templates that we use at PhishGrid for simluations.
What are 3 different methods of phishing?
There are many different methods of phishing, but here are three common ones:
Email phishing: This is the most common type of phishing attack, and it involves sending an email that appears to be from a legitimate source, such as a bank or social media site.
Spear phishing: This is a more targeted form of phishing that is directed at a specific individual or organization.
Smishing: This is a type of phishing attack that uses SMS or text messages to trick the victim into providing sensitive information.
What is whaling?
Whaling is a type of phishing attack that targets high-profile or senior individuals within an organization, such as executives, board members, or other high-ranking employees. These individuals are referred to as “big fish” or “whales,” hence the term “whaling.”
What is smishing?
Smishing is a type of phishing attack that uses SMS or text messages to trick people into providing sensitive information or clicking on a malicious link.
What is website spoofing?
Website spoofing is a type of cyber attack where an attacker creates a fake website that looks like a legitimate one in order to trick users into entering their sensitive information such as login credentials, credit card numbers, or personal information. The goal of website spoofing is to gain unauthorized access to a user’s account or steal their information.
What is deceptive phishing?
Deceptive phishing is a type of phishing attack that involves tricking the victim into providing sensitive information, such as login credentials or financial information, by disguising the communication as a legitimate request
What are some common phishing tactics?
Phishing attacks use a variety of tactics to trick their targets into divulging sensitive information. Here are some common phishing tactics:
6. Social Engineering
Phishing attacks are evolving and becoming more sophisticated with time. To combat them effectively, it is recommended to opt for a phishing attack simulation platform, at PhishGrid we provide basic phishing simulations attacks for free. To schedule a free phishing simulation for your organisation, you can contact us and schedule a call.
You can also run phishing attack simulations on your own by following our guide on how to design a phishing attack simulation. Now that you know about different types of phishing attacks and how to identify them, you’d be vigilant and aware when you experience such incidents at work or personally.
Further Read: PhishGrid Vs. PhishMe