IT Cyber Security Nuggets - 8 Types of Phishing + Real-Life Examples
Phishing is a type of cybercrime in which criminals pose as a trustworthy source online to lure victims into handing over personal information such as usernames, passwords, or credit card numbers.
A phishing attack can take various forms, and while it often takes place over email, there are many different methods scammers use to accomplish their schemes. This is especially true today as phishing continues to evolve in sophistication and prevalence. While the goal of any phishing scam is always stealing personal information, there are many different types of phishing you should be aware of.
1. Email Phishing
Arguably the most common type of phishing, this method often involves a “spray and pray” technique in which hackers impersonate a legitimate identity or organization and send mass emails to as many addresses as they can obtain.
These emails are often written with a sense of urgency, informing the recipient that a personal account has been compromised and they must respond immediately. Their objective is to elicit a certain action from the victim such as clicking a malicious link that leads to a fake login page. After entering their credentials, victims unfortunately deliver their personal information straight into the scammer’s hands.
2. Spear Phishing
Example of Spear Phishing
Armorblox reported a spear phishing attack in September 2019 against an executive at a company named one of the top 50 innovative companies in the world. The email contained an attachment that appeared to be an internal financial report, which led the executive to a fake Microsoft Office 365 login page. The fake login page had the executive’s username already pre-entered on the page, further adding to the disguise of the fraudulent web page.
3. Whaling
Whaling closely resembles spear phishing, but instead of going after any employee within a company, scammers specifically target senior executives (or “the big fish,” hence the term whaling). This includes the CEO, CFO or any high-level executive with access to more sensitive data than lower-level employees. Often, these emails use a high-pressure situation to hook their victims, such as a claim that the company is being sued. This entices recipients to click the malicious link or attachment to learn more information.
Example of Whaling
In November 2020, Tessian reported a whaling attack that took place against the co-founder of Australian hedge fund Levitas Capital. The co-founder received an email containing a fake Zoom link that planted malware on the hedge fund’s corporate network and almost caused a loss of $8.7 million in fraudulent invoices. The attacker ultimately got away with just $800,000, but the ensuing reputational damage resulted in the loss of the hedge fund’s largest client, forcing them to close permanently.
4. Smishing
SMS phishing, or smishing, leverages text messages rather than email to carry out a phishing attack. They operate much in the same way as email-based phishing attacks: Attackers send texts from what seem to be legitimate sources (like trusted businesses) that contain malicious links. Links might be disguised as a coupon code (20% off your next order!) or an offer for a chance to win something like concert tickets.
Example of Smishing
In September 2020, Tripwire reported a smishing campaign that used the United States Post Office (USPS) as the disguise. The attackers sent SMS messages informing recipients of the need to click a link to view important information about an upcoming USPS delivery. The malicious link actually took victims to various web pages designed to steal visitors’ Google account credentials.
5. Vishing
Vishing—otherwise known as voice phishing—is similar to smishing in that a phone is used as the vehicle for an attack, but instead of exploiting victims via text message, it’s done with a phone call. A vishing call often relays an automated voice message from what is meant to seem like a legitimate institution, such as a bank or a government entity.
Attackers might claim you owe a large amount of money, your auto insurance is expired or your credit card has suspicious activity that needs to be remedied immediately. At this point, a victim is usually told they must provide personal information such as credit card credentials or their social security number in order to verify their identity before taking action on whatever claim is being made.
Examples of Vishing
In September of 2020, health organization Spectrum Health System reported a vishing attack that involved patients receiving phone calls from individuals masquerading as employees. The attackers were aiming to extract personal data from patients and Spectrum Health members, including member ID numbers and other personal health data associated with their accounts. Spectrum Health reported the attackers used measures like flattery or even threats to pressure victims into handing over their data, money or access to their personal devices.
6. Business Email Compromise (CEO Fraud)
CEO fraud is a form of phishing in which the attacker obtains access to the business email account of a high-ranking executive (like the CEO). With the compromised account at their disposal, they send emails to employees within the organization impersonating the CEO with the goal of initiating a fraudulent wire transfer or obtaining money through fake invoices.
Example of CEO Fraud
Inky reported a CEO fraud attack against Austrian aerospace company FACC in 2019. This attack involved a phishing email sent to a low-level accountant that appeared to be from FACC’s CEO. The email relayed information about required funding for a new project, and the accountant unknowingly transferred $61 million into fraudulent foreign accounts.
7. Evil Twin Phishing
Evil twin phishing involves setting up what appears to be a legitimate WiFi network that actually lures victims to a phishing site when they connect to it. Once they land on the site, they’re typically prompted to enter their personal data, such as login credentials, which then goes straight to the hacker. Once the hacker has these details, they can log into the network, take control of it, monitor unencrypted traffic and find ways to steal sensitive information and data.
Example of Evil Twin Phishing
In September 2020, Nextgov reported a data breach against the U.S. Department of the Interior’s internal systems. Hackers used evil twin phishing to steal unique credentials and gain access to the department’s WiFi networks. Further investigation revealed that the department wasn’t operating within a secure wireless network infrastructure, and that the department’s network policy failed to ensure bureaus enforced strong user authentication measures, periodically tested network security or required network monitoring to detect and manage common attacks.
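The network monitoring that the Interior report called for can start with a simple comparison of what is on the air against an inventory of sanctioned access points. The Python below is an added example (not code from this newsletter, from Nextgov or from the department) that flags an access point broadcasting a corporate SSID from a BSSID that is not in the inventory, or with a weaker security type than the sanctioned units use. The inventory and the scan records are constructed, and the field names are assumptions about whatever scanner export you feed it.

```python
# Constructed inventory of sanctioned access points: SSID -> {BSSID: security type}.
KNOWN_APS = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": "WPA2-Enterprise",
        "aa:bb:cc:00:00:02": "WPA2-Enterprise",
    },
}

# Constructed scan results in the shape a site-survey tool might export
# (field names are assumptions, not a specific tool's format).
SCAN_RESULTS = [
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2-Enterprise", "signal_dbm": -62},
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "security": "Open", "signal_dbm": -38},
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2-Enterprise", "signal_dbm": -71},
    {"ssid": "Cafe-Free", "bssid": "11:22:33:44:55:66", "security": "Open", "signal_dbm": -80},
]

# Rough ordering used to detect a downgrade (higher is stronger).
SECURITY_RANK = {"Open": 0, "WEP": 1, "WPA2-Personal": 2, "WPA2-Enterprise": 3, "WPA3-Enterprise": 4}


def find_evil_twin_candidates(scan, known_aps):
    """Return one alert per suspicious record: a corporate SSID seen from a BSSID not in
    the inventory, or from a known BSSID with a security type weaker than inventoried."""
    alerts = []
    for ap in scan:
        sanctioned = known_aps.get(ap["ssid"])
        if sanctioned is None:
            continue  # not one of our SSIDs; out of scope for this check
        bssid = ap["bssid"].lower()
        reasons = []
        if bssid not in sanctioned:
            reasons.append("unknown BSSID broadcasting corporate SSID")
            # Compare against the strongest security the real units advertise.
            expected = max(sanctioned.values(), key=lambda s: SECURITY_RANK.get(s, -1))
        else:
            expected = sanctioned[bssid]
        if SECURITY_RANK.get(ap["security"], -1) < SECURITY_RANK.get(expected, -1):
            reasons.append(f"security {ap['security']} weaker than expected {expected}")
        if reasons:
            alerts.append({"ssid": ap["ssid"], "bssid": bssid,
                           "signal_dbm": ap["signal_dbm"], "reasons": reasons})
    # Strongest signal first: the closest rogue unit is the one clients are most likely to join.
    return sorted(alerts, key=lambda a: a["signal_dbm"], reverse=True)


if __name__ == "__main__":
    for alert in find_evil_twin_candidates(SCAN_RESULTS, KNOWN_APS):
        print(alert["bssid"], alert["signal_dbm"], "dBm:", "; ".join(alert["reasons"]))
```

Run against the constructed scan, only the open access point at de:ad:be:ef:00:01 is reported, for both reasons (unknown BSSID and a downgrade from WPA2-Enterprise to Open); the coffee-shop network is ignored because it is not a corporate SSID. A sanctioned BSSID that suddenly advertises a weaker security type is also flagged, which catches both a misconfigured unit and a rogue unit spoofing a known hardware address.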
8. Social Media Phishing
Example of Social Media Phishing
In August 2019, Fstoppers reported a phishing campaign launched on Instagram where scammers sent private messages to Instagram users warning them that they had committed an image copyright infringement and requiring them to fill out a form to avoid suspension of their account.
One victim received a private message from what appeared to be an official North Face account alleging a copyright violation and prompting him to follow a link to “InstagramHelpNotice.com,” a seemingly legitimate website where users are asked to input their login credentials. Victims who fell for the trap ultimately provided hackers with access to their account information and other personal data linked to their Instagram account.
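Three of the lures described in this issue leave machine-checkable traces: the urgency wording of the email phishing section, a link whose visible text shows one address while its real target is another (the fake login page), and a brand name inside a domain the brand does not own, which is the pattern behind “InstagramHelpNotice.com” above. The Python below is an added defender-side example, not code from this newsletter or from any of the sources it cites, that scores an email body on those three indicators. The sample message, the phrase list and the brand-to-domain table are constructed assumptions for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "your account is compromised"
# lure described in the email phishing section; not a real phishing email.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, your account has been compromised and will be suspended
within 24 hours unless you verify your details immediately.</p>
<p>Sign in here: <a href="http://micros0ft-login.example/verify">https://login.microsoft.com/</a></p>
"""

# Assumed phrase list; a real filter would use a larger, tuned set.
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "compromised", "verify your")

# Assumed brand table: brand keyword -> domains the brand actually uses.
OFFICIAL_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "instagram": {"instagram.com"},
    "usps": {"usps.com"},
}

# Digit/symbol substitutions commonly used to build lookalike names (micros0ft, amaz0n).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(url_or_host):
    """Last two labels of the host (crude; a production tool would use the public suffix list)."""
    host = urlparse(url_or_host).hostname if "://" in url_or_host else url_or_host
    return ".".join((host or "").lower().split(".")[-2:])


def link_mismatch(href, visible_text):
    """True when the anchor text looks like a URL but its domain differs from the real target."""
    shown = visible_text.strip()
    if not re.match(r"https?://", shown):
        return False
    return registrable_domain(href) != registrable_domain(shown)


def lookalike_brands(host):
    """Brands whose name appears in the host (after undoing digit substitutions)
    while the host's registrable domain is not one the brand owns."""
    normalized = host.lower().translate(_HOMOGLYPHS)
    owned = registrable_domain(host)
    return [brand for brand, domains in OFFICIAL_DOMAINS.items()
            if brand in normalized and owned not in domains]


def score_email(html):
    """Return human-readable findings; an empty list means no indicator fired."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency language: {hits}")
    for href, anchor in extract_links(html):
        host = urlparse(href).hostname or ""
        if link_mismatch(href, anchor):
            findings.append(f"link text {anchor!r} actually points to {host}")
        for brand in lookalike_brands(host):
            findings.append(f"domain {host} imitates {brand} but is not a {brand} domain")
    return findings


if __name__ == "__main__":
    for finding in score_email(SAMPLE_EMAIL_HTML):
        print("-", finding)
```

On the constructed sample all three indicators fire: the urgency phrases, the anchor that displays login.microsoft.com while pointing at micros0ft-login.example, and the zero-for-o substitution in that host. The same brand check reports instagramhelpnotice.com as imitating Instagram while leaving login.microsoft.com alone, because the decision is made on the registrable domain, not on whether the brand name appears. None of these indicators is proof on its own; the value is in surfacing messages for a closer look before anyone clicks.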
Next week we will continue with how to spot and prevent phishing attacks. Thank you. And Stay Cyber Safe.
For more information, please contact the IT Department by emailing itsupport@concept-
Regards,
Systems and Network Administration.