Phishing is a malicious attempt to deceive individuals into divulging sensitive information such as usernames, passwords, credit card numbers, or other personal data. These attacks are typically carried out by masquerading as a trustworthy entity in electronic communications. Phishing can take many forms and has evolved to become more sophisticated, making it imperative for individuals and organizations to be aware of the different types and how to protect against them.
This scourge is extremely popular among malicious actors because it works. According to IBM's Cost of a Data Breach report, phishing is the most common data breach vector, responsible for 16% of all incidents. Moreover, the report revealed that phishing-related breaches cost organizations an average of $4.76 million, exceeding the overall average breach cost of $4.45 million.
The Most Popular Types of Phishing Attacks (and How to Spot Them)
Email Phishing: Bait and Hook
Email phishing is the most popular type of phishing. Attackers send emails that appear to come from reputable sources, such as banks, social media platforms, or online services. These emails often contain a sense of urgency, prompting the recipient to click on a malicious link or download an attachment.
How to Spot Email Phishing:
- Check for generic greetings like "Dear Customer" instead of your name.
- Look for spelling and grammar errors.
- Be wary of urgent requests for sensitive information.
- Double-check the sender's email address for any barely noticeable misspellings or unusual characters.
- Avoid clicking on links; instead, hover over them to see the actual URL.
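The address check in the bullets above can be automated. The following is an added example, not code from the article or from the vendor it appears on: it assumes an allowlist of domains the organization trusts, folds look-alike characters (digits, Cyrillic letters, "rn" for "m") and decodes punycode labels before comparing, so a mail gateway or help-desk tool can flag near-misses for verification. The function names are hypothetical.

```python
import unicodedata

# Characters commonly swapped for Latin letters in look-alike domains:
# digits plus Cyrillic letters that render the same as Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode (xn--) labels, fold look-alike characters."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: compare it as-is
        label = unicodedata.normalize("NFKC", label)
        label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
        labels.append(label.replace("rn", "m").replace("vv", "w"))
    return ".".join(labels)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted: set[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of a From address."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    if domain in trusted:
        return "trusted"
    folded = normalize_domain(domain)
    for good in trusted:
        # Equal after folding means look-alike characters were swapped in;
        # a small edit distance catches dropped, added or transposed letters.
        if folded == good or levenshtein(folded, good) <= max_distance:
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a signal to verify through an official channel, not proof of fraud; tune the allowlist and distance to the domains your organization actually exchanges mail with.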
Spear Phishing: Phishing with Precision
Spear phishing is a more targeted and sophisticated form of phishing aimed at specific individuals or groups within an organization. Unlike generic phishing attacks, spear phishing involves extensive research on the targets to gather personal and professional information. Cybercrooks craft highly personalized messages that often include the victim’s name, job title, and other relevant details such as recent projects, colleagues' names, or organizational hierarchies.
These messages are designed to defy all but the closest scrutiny and may mimic internal communications or trusted external contacts. The goal is to deceive the recipient into clicking on malicious links, downloading infected attachments, or providing sensitive information, such as login credentials or financial data. Because these attacks are tailored to their targets, spear phishing poses a real danger: it can bypass traditional security measures and exploit trust, natural biases, and familiarity within an organization.
An instance of spear phishing occurred five years ago when fraudsters sent convincing fake emails, made to appear to come from Quanta employees in Taiwan, to Facebook and Google employees who regularly handled multimillion-dollar transactions with Quanta. As a result, these employees unwittingly transferred over $100 million to the fake company’s bank accounts, according to prosecutors.
How to Spot Spear Phishing:
- Unexpected requests from known contacts.
- Personalized messages that seem out of character.
- Emails that request sensitive information or immediate action.
- Look for inconsistencies in the sender's email address and domain.
Whaling: Harpooning the High-Rollers
Whaling targets high-profile individuals within a firm, such as executives, CEOs, or board members. These attacks are meticulously planned and executed, leveraging detailed research on the target’s professional role, personal interests, and social connections.
Attackers often craft highly convincing emails or messages that appear to come from trusted sources, such as business partners or colleagues, and may include personalized information to enhance credibility. The potential rewards are significant, as gaining access to an executive’s credentials can lead to unauthorized access to sensitive company data, financial assets, or strategic information, potentially causing substantial harm to the company.
One infamous case of whaling involved Mattel, the world’s largest toy manufacturer, which was taken for $3 million when a finance executive was tricked into authorizing an offshore payment to China, only to discover that the funds had been sent to a criminal network instead.
How to Spot Whaling:
- Emails addressed to high-ranking individuals.
- Content related to sensitive business matters, legal issues, or financial transactions.
- Personalized and formal language.
- Verification through direct contact or alternate channels is crucial.
The Business Email Compromise Epidemic
A business email compromise (BEC) is similar to whaling, but instead of attempting to pull the wool over the executive’s eyes, it impersonates the executive. BEC is a major scourge, with research revealing that almost half (49%) of all detected spam emails are from BEC scams. These attacks involve the compromise of legitimate business email accounts to conduct unauthorized transfers of funds. Attackers often pose as company executives or trusted vendors, instructing employees to make financial transactions.
Puerto Rico's government suffered a significant financial loss due to a BEC scam executed via a hacked email account belonging to a Puerto Rico Employment Retirement System employee. Most of the misappropriated funds originated from the Puerto Rico Industrial Development Company (PRIDCO), which transferred $63,000 to fraudulent accounts in December 2019 and over $2.6 million in January 2020. Additionally, the Puerto Rico Tourism Company transferred $1.5 million in January.
How to Spot BEC:
- Unusual requests for wire transfers or payment changes.
- Emails from executives with slightly altered email addresses.
- Requests that do not follow standard financial procedures.
- Verification via an alternate communication method can help confirm legitimacy.
Vishing: The Voice of Deceit
Vishing involves fraudulent phone calls where attackers masquerade as legitimate entities such as banks, government agencies, or tech support. These scammers often use sophisticated techniques, including spoofing caller IDs to make the call appear to come from a trusted source.
Again, they might create a sense of urgency or fear, claiming there is an issue with your bank account, a tax problem, or a computer virus that needs immediate attention. The goal is to extract sensitive personal information, such as Social Security numbers, passwords, or credit card details, or to prompt financial transactions by convincing victims to transfer money or provide payment information.
How to Spot Vishing:
- Unexpected calls requesting personal information.
- Callers attempting to instill a sense of urgency or fear.
- Requests to verify identity by providing sensitive information.
- Hang up and call the official number of the entity to verify the call's authenticity.
Angler Phishing: Help at a High Price
Angler phishing takes place on social media platforms. Attackers create fake profiles or hijack legitimate ones to deceive users into revealing personal information or downloading malware. These fake profiles often mimic customer service accounts of well-known companies, responding to complaints or inquiries with malicious links.
Malicious actors may also use these profiles to send direct messages, luring victims with fake offers, giveaways, or urgent issues requiring immediate action. Moreover, hijacked legitimate profiles lend an air of authenticity, making it easier to trick users into trusting and interacting with the malicious content.
How to Spot Angler Phishing:
- Unsolicited messages from social media contacts.
- Requests for personal information or credentials through direct messages.
- Suspicious links or attachments in messages.
- Verify the sender's profile and report suspicious activity to the platform.
Clone Phishing: Duped by Duplicates
Clone phishing involves creating a nearly identical copy of a legitimate email that has been previously sent to the victim. Malefactors obtain the original email, often through prior compromise or intercepting communications, and then clone it, retaining the same content, sender, and formatting. However, the cloned email includes a malicious link or attachment that looks identical to the original, tricking the recipient into believing it is legitimate.
These emails are often sent as follow-ups to earlier conversations, making them appear even more authentic. The subtle changes in the cloned email, such as a slightly altered URL or a new attachment, are designed to bypass the recipient's suspicion and security measures. This method leverages the trust established by the original email to lure the victim into clicking on the malicious content, leading to credential theft, malware installation, or further compromise of sensitive information.
How to Spot Clone Phishing:
- Receiving an email that looks identical to a previous one but contains a different link or attachment.
- Slight variations in the email content or sender's address.
- Unexpected requests for sensitive information or action.
- Confirm with the original sender if you receive a duplicate email with new instructions.
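The first bullet above, a message that repeats an earlier one but carries a different link, can be checked mechanically when the earlier message is still on hand. This is an added example, not code from the article: it strips URLs, compares the remaining text with difflib, and reports links that appear only in the later message. The sample messages are constructed, and the function names are hypothetical.

```python
import difflib
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def extract_links(body: str) -> set[str]:
    """All http(s) URLs in the message body, trailing punctuation removed."""
    return {url.rstrip(".,;:)") for url in URL_RE.findall(body)}

def text_without_links(body: str) -> str:
    """The body with every URL replaced by a placeholder, whitespace folded."""
    return re.sub(r"\s+", " ", URL_RE.sub("<link>", body)).strip().lower()

def clone_score(original: str, candidate: str) -> tuple[float, set[str]]:
    """Text similarity (0..1) ignoring URLs, plus links only the candidate has."""
    matcher = difflib.SequenceMatcher(
        None, text_without_links(original), text_without_links(candidate)
    )
    return matcher.ratio(), extract_links(candidate) - extract_links(original)

def is_clone(original: str, candidate: str, threshold: float = 0.85) -> bool:
    """True when the candidate repeats the original's text but swaps in new links."""
    similarity, new_links = clone_score(original, candidate)
    return similarity >= threshold and bool(new_links)

# Constructed sample messages (not real mail). The second one repeats the
# first almost word for word but points at a different host.
ORIGINAL_MAIL = """Hi Dana,
Your Q3 invoice is ready. Download it here: https://billing.example.com/inv/4821
Thanks, Accounts Payable"""

CLONED_MAIL = """Hi Dana,
Resending: your Q3 invoice is ready. Download it here: https://billing-example.co/inv/4821
Thanks, Accounts Payable"""

UNRELATED_MAIL = """Hi Dana,
The team lunch is Friday at noon. RSVP here: https://events.example.com/lunch
Thanks, Office Management"""

if __name__ == "__main__":
    for name, mail in (("clone", CLONED_MAIL), ("unrelated", UNRELATED_MAIL)):
        similarity, new_links = clone_score(ORIGINAL_MAIL, mail)
        print(f"{name}: similarity={similarity:.2f} new_links={sorted(new_links)} "
              f"clone={is_clone(ORIGINAL_MAIL, mail)}")
```

A hit means the new link should be confirmed with the original sender through a separate channel before it is opened; a plain resend with the same link is not flagged.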
Smishing: Texting Trouble
Smishing uses text messages to deceive people. These messages often contain a link to a fraudulent website or a phone number to call, aiming to steal personal information or install malware. Attackers may disguise their messages as urgent alerts from banks, package delivery notifications, or security warnings, encouraging recipients to act quickly.
The links typically lead the unsuspecting victim to fake websites that mimic legitimate ones, where they are tricked into entering their credentials or financial information. In some cases, the messages might instruct the recipient to call a phone number, where a scammer posing as a trusted entity will attempt to extract even more sensitive details. Additionally, smishing messages can include malicious attachments that, once opened, install malware on the victim's device, compromising their security and privacy.
How to Spot Smishing:
- Texts from unknown numbers with links or requests for personal information.
- Messages that create a sense of urgency or offer rewards.
- Poor grammar and spelling errors.
- Avoid clicking on links in text messages and verify through official channels.
Prevention Tips and Best Practices
Preventing phishing attacks requires a multi-faceted approach, combining technical measures with user awareness and education. Here are some effective strategies:
Regular training sessions for employees on how to recognize and respond to phishing attempts are crucial. This includes identifying suspicious emails and messages, avoiding clicking on links or downloading attachments from unknown sources, and reporting phishing attempts to the IT department or security team.
Implementing multi-factor authentication (MFA) also adds an extra layer of security, requiring users to provide two or more verification factors to gain access to accounts. These factors can include something you know (a password), something you have (a smartphone or security token), and something you are (biometric verification).
Keeping software and systems up to date ensures that vulnerabilities are patched, reducing the risk of exploitation by phishing attacks. This includes operating systems, browsers, email clients, and anti-malware software.
Finally, before providing sensitive information or executing requests, always verify the source. This can be done by contacting the sender through an official channel, checking for inconsistencies in email addresses and domains, and confirming requests through alternate communication methods.
A Significant Threat
Phishing attacks are a real danger to individuals and companies alike. Understanding the different types of phishing and how to recognize them is the first step in protecting against these attacks.
By implementing robust prevention techniques, such as regular training, multi-factor authentication, software updates, and a strong reporting culture, the risk of falling victim to phishing can be greatly reduced. Vigilance and proactive measures are key to maintaining security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.