10 Common Types of Phishing Attacks & How to Prevent Them
Which type of phishing attack can cost your company millions? Understanding different attacks can help protect against them and could boost your bottom line.
What are the top types of phishing attacks?
The top phishing attacks are as follows:
- Deceptive Phishing
- Email Phishing
- Spear Phishing
- HTTPS Phishing
- Clone Phishing
- Evil Twin Phishing
What Are Phishing and Social Engineering Attacks?
Of all the cybersecurity threats on the internet, phishing seems to be the most prevalent. Per a report published by Verizon, phishing was the most common attack in 2021, with 43% of all breaches originating from these attacks. According to the same report, 74% of U.S. businesses experienced a successful attack, 30% higher than the global average.
Phishing, as a form of social engineering, uses communication technologies (primarily email) to send deceptive messages to members of the organization to entice them to disclose information. “Social engineering” is the use of non-digital, social channels (emails, phone calls, in-person interactions, even physical interactions at office locations) to gain information that aids in the unauthorized access to resources.
These emails can use tricks to hide email addresses or model important messages from a legitimate organization to get recipients to provide login credentials or other pieces of data. The following are some of the most common tricks and techniques to look out for:
- Pretending to Be Members of an Organization: Phishing attacks can obfuscate the sender’s email (called “spoofing”) to look like it came from someone inside the organization. Emails that look like they come from management can entice recipients to respond without thinking twice.
- Pretending to Be a Third-Party Company: Many emails will attempt to present themselves as originating from a legitimate company.
A study performed by the KnowBe4 security firm shows that many emails will contain subject lines that include the name of a popular platform like Twitter, Zoom, or Google. Many will use HTML editing tools, copied logos, and formatting to make their emails look as if they were sent from the company.
- Pretending to Be a Security Warning From a Common Application: Alongside the previous approach, many messages will use security warnings to elicit worry and immediate action. Warnings could include a message that the user’s account has been compromised, that multi-factor authentication (MFA) has been triggered, or that a platform has updated its security policies.
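The header checks a mail filter can run for the three tricks above, as an added example that is not from the original article; the organization's domain, the brand list and the alarm words are assumptions, and the three sample messages are constructed:

```python
"""Flag the sender tricks listed above in raw message headers (added example, constructed samples)."""
import email
from email.utils import parseaddr

OUR_DOMAIN = "companyname.com"                     # assumption: the organisation's own domain
BRANDS = ("google.com", "zoom.us", "twitter.com")  # assumption: brands commonly imitated
ALARM_WORDS = ("compromised", "suspended", "verify", "mfa", "urgent")

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def lookalike(domain, known):
    """Return the known domain whose first label is reused inside an unrelated domain."""
    for k in known:
        if domain != k and not domain.endswith("." + k) and k.split(".")[0] in domain.replace("-", ""):
            return k
    return None

def analyze(raw):
    """Return findings for one raw message; an empty list means no tell was spotted."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = domain_of(addr)
    if domain_of(name) == OUR_DOMAIN and sender != OUR_DOMAIN:  # spoofed display name
        findings.append("display name claims an internal address")
    hit = lookalike(sender, (OUR_DOMAIN,) + BRANDS)            # impersonated company domain
    if hit:
        findings.append(f"sender domain {sender} imitates {hit}")
    reply = domain_of(parseaddr(msg.get("Reply-To", ""))[1])   # replies diverted elsewhere
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from sender")
    if any(w in msg.get("Subject", "").lower() for w in ALARM_WORDS):  # fake security warning
        findings.append("subject uses security-alarm wording")
    return findings

# Constructed samples, not real mail
SPOOFED = """From: "ceo@companyname.com" <relay@free-webmail.example>
Reply-To: payments@pay-me.example
To: staff@companyname.com
Subject: Urgent: MFA reset required

"""
BRAND = """From: Zoom <no-reply@zoom-meetings-secure.net>
To: staff@companyname.com
Subject: Your Zoom account has been compromised

"""
CLEAN = """From: IT Helpdesk <helpdesk@companyname.com>
To: staff@companyname.com
Subject: Monthly maintenance window

"""
```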
Hackers might also make phone calls to people in an organization, pretending to be IT support or another department in that organization, to gain access to information. Some social engineers dive into dumpsters to find documents with sensitive data.
For the most part, educated employees can see through these tricks. More importantly, well-formed email policies can help non-technical employees recognize problematic emails and report them. But even in large organizations, all it takes is one person to provide a password to compromise an entire system.
Why are these attacks so powerful? In short, they bypass technical security controls and target people where they least expect it. Phishing is a form of social engineering, where the attackers use social or communicative means to gain information about an organization that can facilitate an attack.
What Are Types of Phishing Attacks?
A phishing attack can be launched from nearly anywhere, using multiple technologies, and can prove difficult to trace depending on the country it is launched from.
Some common forms of phishing include the following:
Deceptive Phishing
The most common type of phishing is hackers impersonating legitimate companies to fool recipients into giving up the usernames and passwords associated with those companies. For example, a hacker or hacking group might send a mass email claiming to come from the recipient's bank's security department, in an attempt to gain access to the user's bank account.
Email Phishing
Email is by far the most common form of phishing. Attackers will often send mass emails to the public or to members of an organization under a specific domain (like "@companyname.com") to find users who might fall for the trick. Because many major corporations have hundreds or thousands of employees, it's common for at least one person to fall for it.
Spear Phishing
Spear phishing is a targeted form of attack that, instead of using a mass email approach, uses knowledge of the organization and its personnel to spoof sender addresses, craft tailored emails, and target specific people in the organization. While spear phishing takes more time and effort, it typically results in a higher success rate.
Whaling
Whaling is another form of phishing. While it uses the same approaches as spear phishing, it targets higher-profile individuals like managers, administrators, or executives. A successful attack at this level of the organization exposes a system to more security risk because these users typically have more access to sensitive information.
HTTPS Phishing
Attacks can often have multiple stages, one of which involves sending the user to a malicious landing page or website where the user enters their information (or ends up with an infected computer).
The common advice for HTTPS attacks is to determine the site’s security. For example, if a site is using Secure HTTP (HTTPS), then .
However, modern hackers have found ways to obtain security certificates, a necessary part of implementing HTTPS. This makes even illegitimate landing pages look legitimate, fooling victims.
Pharming
Pharming, the combination of "phishing" and "farming," combines an initial attack with a lingering hack. Pharming starts by tricking a user into clicking a link or visiting a website that installs malicious code on their system. This code intercepts internet traffic leaving that system and reroutes it to a malicious website.
Second, the attack will propagate to a central IT system, like a server, and do the same. At this point, any user attempting to route to that server will go to the malicious site, often without noticing it.
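One concrete form of this rerouting is an override in the local hosts file; the check below, added here and not part of the original article, flags entries that send a pinned domain (or any of its subdomains) to an address other than the one IT recorded. The pinned domains, their addresses and the sample hosts file are constructed.

```python
"""Check a hosts file for pharming-style overrides of pinned domains (added example, constructed data)."""
import ipaddress

# Assumption: domains the organisation pins, with the addresses IT has verified for them
EXPECTED = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "portal.companyname.com": {"198.51.100.5"},
}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)  # a malformed line cannot redirect anything; ignore it
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()

def pharming_overrides(text, expected=EXPECTED):
    """Return (hostname, ip) for entries that send a pinned domain or subdomain to an unverified address."""
    return [
        (name, ip)
        for ip, name in parse_hosts(text)
        for domain, good in expected.items()
        if (name == domain or name.endswith("." + domain)) and ip not in good
    ]

HOSTS = """# constructed sample, not a real file
127.0.0.1    localhost
203.0.113.11 bank.example          # legitimate pin
198.18.0.7   www.bank.example portal.companyname.com   # injected redirect
not-an-ip    bank.example
"""
```

On an endpoint the same function is run over the contents of /etc/hosts (or the Windows drivers/etc/hosts file), and a non-empty result is worth an alert.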
Vishing
Vishing, short for voice phishing, is a traditional attack performed over the phone rather than by email. More aligned with old-school social engineering, vishing attacks are common from illegal call centers in India or Russia, where callers attempt to trick people into providing bank information or sending cash or gift cards to third parties.
Smishing
Smishing is the practice of phishing for credentials, or running scams, over SMS text messages—an increasingly common form of attack. While not (yet) as common as email phishing, the frequency of these attacks in the UK increased almost 700% in 2020, and they cost U.S. businesses over $54 million in the same year.
Clone Phishing
Clone attacks take legitimate emails (either copied from widespread customer support messages or taken from compromised mailboxes), modify them with malicious links, and resend them as a forward or an "accidental" resend. Some recipients may ignore these messages, but others may treat the cloned email as if it were the original.
Evil Twin Phishing
In a world of Wi-Fi and mobile networks, hackers are getting more and more creative in their attacks. An evil twin attack uses a fake Wi-Fi network as a phishing method. The hacker sets up a Wi-Fi hotspot with a network name similar to a legitimate one (for example, one associated with a public business Wi-Fi). Users connecting to this network expose their network traffic (and all their information) to the hacker.
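A defender-side check for this, added here and not part of the original article: compare a Wi-Fi scan against the venue's known access points and flag anything that reuses the name with an unknown BSSID, a different security type, or a near-identical SSID. The known-AP record and the scan data are constructed.

```python
"""Flag evil-twin candidates in Wi-Fi scan results (added example over constructed scan data)."""

# Assumption: the venue's legitimate access points, recorded by whoever runs the network
KNOWN = {"CafeGuest": {"security": "WPA2", "bssids": {"a4:11:22:33:44:55", "a4:11:22:33:44:56"}}}

def canon(ssid):
    """Collapse whitespace and case so 'CafeGuest ' and 'cafeguest' both map to 'cafeguest'."""
    return "".join(ssid.split()).casefold()

def evil_twin_candidates(scan, known=KNOWN):
    """Return (ssid, bssid, reasons) for networks that resemble a known SSID but not its record."""
    by_canon = {canon(name): (name, rec) for name, rec in known.items()}
    findings = []
    for net in scan:
        match = by_canon.get(canon(net["ssid"]))
        if match is None:
            continue  # unrelated network; nothing to compare it with
        name, rec = match
        reasons = []
        if net["ssid"] != name:
            reasons.append(f"name imitates {name!r}")
        if net["bssid"].lower() not in rec["bssids"]:
            reasons.append("access point not in the known list")
        if net["security"] != rec["security"]:
            reasons.append(f"security is {net['security'] or 'open'}, expected {rec['security']}")
        if reasons:
            findings.append((net["ssid"], net["bssid"], "; ".join(reasons)))
    return findings

SCAN = [  # constructed scan output, using the fields `nmcli dev wifi list` prints
    {"ssid": "CafeGuest", "bssid": "A4:11:22:33:44:55", "security": "WPA2"},
    {"ssid": "CafeGuest", "bssid": "DE:AD:BE:EF:00:01", "security": ""},
    {"ssid": "CafeGuest ", "bssid": "DE:AD:BE:EF:00:02", "security": "WPA2"},
    {"ssid": "NeighbourNet", "bssid": "00:11:22:33:44:66", "security": "WPA2"},
]
```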
Phishing Resistance Means Strong Training and Identity Verification
Phishing is the most prominent form of attack on the web. It’s tempting to blame this on users, but in reality people cannot be expected to understand every potential vulnerability and attack vector. Training and awareness are critical to preventing attacks, as are strong authentication systems.
Modern authentication has moved away from password-only schemes, which has helped prevent some attacks—but it isn’t enough. A combination of passwordless security with advanced biometrics and identity proofing can make it so that a user cannot actually give out usable credentials through an attack.
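What makes a FIDO2 credential different from a password here is origin binding: the credential is scoped to a relying-party id, the browser refuses to use it from a page that does not belong to that id, and the signed assertion names the origin it was made for. The simulation below is an added example, not 1Kosmos code; an HMAC key stands in for the authenticator's real per-site key pair, and RP_ID and the two origins are assumptions.

```python
"""FIDO2/WebAuthn origin binding, simulated (added example; an HMAC key stands in for the key pair)."""
import hashlib, hmac, json, os
RP_ID = "companyname.com"                       # assumption: the organisation's relying-party id
LEGIT_ORIGIN = "https://login.companyname.com"  # assumption
PHISH_ORIGIN = "https://companyname-login.com"  # constructed lookalike origin
CREDENTIALS = {}  # authenticator storage: rp_id -> key; each credential is scoped to one rp_id

def make_credential(rp_id):
    CREDENTIALS[rp_id] = os.urandom(32)
    return CREDENTIALS[rp_id]  # handed to the RP at registration (stand-in for the public key)

def get_assertion(rp_id, client_data):
    key = CREDENTIALS.get(rp_id)
    if key is None:
        return None  # no credential for this rp_id, so a lookalike site is handed nothing
    rp_hash = hashlib.sha256(rp_id.encode()).digest()  # the authenticator signs over the rp_id
    sig = hmac.new(key, rp_hash + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, rp_hash, sig

def browser_get(origin, rp_id, challenge):
    # The browser only honours an rp_id equal to the page's host or a parent domain of it
    host = origin.split("://", 1)[1].split("/")[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"{origin} may not claim rp_id {rp_id}")
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return get_assertion(rp_id, client_data)

def rp_verify(key, response, challenge):
    # Relying party: challenge, origin, rp_id hash and signature must all check out
    if response is None:
        return False
    client_data, rp_hash, sig = response
    cd = json.loads(client_data)
    if cd["challenge"] != challenge or cd["origin"] != LEGIT_ORIGIN:
        return False
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, rp_hash + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)

def demo():
    key, challenge = make_credential(RP_ID), os.urandom(16).hex()
    legit = rp_verify(key, browser_get(LEGIT_ORIGIN, RP_ID, challenge), challenge)
    try:  # phishing page asks for the real rp_id: refused by the browser before any signing happens
        browser_get(PHISH_ORIGIN, RP_ID, challenge)
        forged = "allowed"
    except ValueError:
        forged = "blocked by browser"
    # phishing page uses its own rp_id: no credential exists for it, so nothing can be relayed
    own = rp_verify(key, browser_get(PHISH_ORIGIN, "companyname-login.com", challenge), challenge)
    return {"legit": legit, "forged_rp_id": forged, "own_rp_id": own}
```

A password typed into the lookalike page would be usable by the attacker as-is; the assertion, by contrast, either never gets created or fails the relying party's origin check.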
1Kosmos BlockID provides this type of authentication and identity management for enterprise businesses. We do this through the following features:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Integration with Secure MFA: BlockID readily integrates through a standards-based API with operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
Sign up for our newsletter to learn more about how BlockID can support real security and help mitigate phishing attacks. Also, make sure to read our whitepaper on how to Go Beyond Passwordless Solutions.