If you have ever gotten a phone call or an email from a questionable or suspicious source asking for personal information, you have encountered a phishing attack.
Phishing is a type of cyberattack delivered by email, phone call, or text message, in which an attacker impersonates a trusted source to lure individuals into sharing personal information. The stolen data can then lead to financial loss or identity theft.
So, how do phishing attacks work? What are the most common types of phishing? Let’s find out!
What is Phishing?
Phishing is a type of cyberattack where an attacker disguises themselves as a trusted source to trick the recipient into sharing sensitive and personal data. The term “phishing” is a play on its source word, “fishing”. Like fishing, the attacker uses bait (a phishing email or message) and expects you to bite. The main goal, or the “catch”, is to steal sensitive data such as login credentials or financial information, or to install malware on the victim’s machine.
Even though the frequency of phishing attacks varies from industry to industry, 75% of organisations worldwide experienced at least one form of phishing attack in 2020. 96% of phishing attacks are delivered via email, while malicious websites account for 3% of the attacks. An analysis of phishing attacks also shows that only 1% of phishing attacks are carried out by phone, which is a significant decrease compared to the past.
How Does Phishing Work?
As mentioned previously, the three primary channels of phishing attacks are emails, messages, and calls. The attacker or the phisher uses publicly available data to study their target and prepare the bait. The more information they can collect about their target, the more sophisticated and effective the attack gets.
For example, a phishing email can appear to come from your bank and ask you to click on a phishing link or download an attachment. These links can then prompt you to enter your login credentials, which the attacker can use later. The attachments often contain malware designed to access the data on your computer or to take control of it.
Phishing comes in other forms as well, such as text messages or calls. Phishing calls, commonly referred to as vishing, can impersonate well-known organizations such as the IRS or the FBI and ask you to comply with their instructions. They can ask for PINs, passwords, social security numbers or other personal data.
Types of Phishing Attacks
Emails are the most used channel in phishing attacks. Phishers typically register fake domain names to mimic real organizations and send thousands of spam emails to victims. The counterfeit domains are often spelt slightly differently or include a subdomain, which can be hard to tell apart from the real thing.
The email phishing messages can include requests or commands such as:
- To go to a link to a malicious website to install malware on your device
- To download an infected attachment to infect your device
- To click a link to a fake website and prompt you to fill in personal data
- To reply to the sender with personal information
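One defensive check that follows from the counterfeit-domain trick described above is to compare a sender's domain against the brands it resembles. The following is an added example, not code from the original article: it flags a domain when a known brand domain is buried as a subdomain of an unrelated domain, or when the brand name differs by only a character or two (including a swapped TLD); KNOWN_BRANDS is a constructed sample list and the registrable-domain logic is deliberately naive.

```python
"""Flag lookalike sender domains: typosquats, TLD swaps and deceptive subdomains.

Added example, not from the original article. KNOWN_BRANDS is a constructed
sample; a real deployment would load the organisation's own brand list.
"""
from __future__ import annotations

KNOWN_BRANDS = ["paypal.com", "example-bank.com", "microsoft.com"]  # constructed sample


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive: ignores public suffixes such as co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_sender_domain(host: str, brands: list[str] = KNOWN_BRANDS) -> str:
    """Return 'legitimate', 'subdomain-spoof', 'lookalike' or 'unrelated'."""
    host = host.lower().strip(".")
    for brand in (b.lower() for b in brands):
        # The brand's own domain or a genuine subdomain of it.
        if host == brand or host.endswith("." + brand):
            return "legitimate"
        # Brand domain buried as a subdomain of some other registrable domain,
        # e.g. paypal.com.secure-login.net: the 'subdomain' trick in the article.
        if host.startswith(brand + ".") or ("." + brand + ".") in host:
            return "subdomain-spoof"
    base = registrable_domain(host)
    name = base.split(".")[0]
    for brand in (b.lower() for b in brands):
        brand_name = registrable_domain(brand).split(".")[0]
        # Allow two edits for longer names (rnicrosoft, micros0ft), one for short
        # ones, and catch TLD swaps (paypal.net) where the name is identical.
        limit = 2 if len(brand_name) >= 6 else 1
        if base != registrable_domain(brand) and edit_distance(name, brand_name) <= limit:
            return "lookalike"
    return "unrelated"
```

A mail gateway or SOC enrichment step would run this over the From header domain and the domains of any links in the body; the thresholds are a starting point, not a substitute for a proper public-suffix list.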
Spear phishing is a type of phishing where the phisher uses specifically designed emails to target particular individuals or businesses. Before launching the attack, the phisher uses advanced techniques to collect the targets’ personal data so that the message appears trustworthy and familiar. Stealing sensitive data or spreading malware is the main goal of spear-phishing emails. Spear phishing is usually more effective than generic phishing because of its tailored design.
Whaling is similar to spear phishing, but the attacks are typically targeted at senior management and other highly privileged roles. Senior employees of organisations usually have access to sensitive information, which is the main target of whaling.
In whaling, the attacker uses highly personalised messages built from personal data uncovered during research on the target. For example, whaling attackers use fake tax returns to discover sensitive data about the victim. They can then pretend to be the IRS (US), HMRC (UK) or another government body to attack their victim.
Smishing and Vishing
Smishing and vishing are phishing attacks delivered via SMS or phone calls. Smishing, or phishing via SMS, is rare nowadays as people are less likely to use SMS or interact with such messages in any way.
In a voice phishing attack, the attacker can pretend to be a customer care operator or an investigator for a bank or a credit card company. They will often inform you about some issues with your online purchase or your credit card and ask you to provide your credentials to resolve the issue. In some cases, they might also ask you to transfer money to their account by claiming your account is not safe.
Angler phishing attacks use fake social media accounts impersonating well-known organizations. These fake accounts will often use a social media handle similar to the original with a spelling error or an extra word (e.g. “@burgerkings”) and use the same profile picture as the actual company account.
Consumers often make complaints and request assistance from brands through social media channels. When they mistakenly contact the fake account instead of the real brand, the attacker might ask the customer to provide personal information. Additionally, the attacker can provide links to phoney customer support pages, which are in reality malicious websites.
How to Protect Yourself from Phishing Attacks?
Spam email is the most commonly used tool in phishing attacks. Phishers usually collect your email address when it’s visible on the web, either on social networking sites or on other spam lists. If they don’t know your email address, they cannot target you — as simple as that. To prevent phishing attacks, the first thing you need to do is to keep your email address out of the attacker’s reach.
To check your email address visibility, go to Sniff Email, an online platform dedicated to finding out whether your email address exists on the Internet. Enter your email address in the search field and click fetch; within a few seconds it tells you whether your address is visible on the web. Based on the results, you can take appropriate action to have it removed.