1. Spear Phishing
Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation, or business. It is a malicious tactic utilising emails, social media, instant messaging, and other platforms to get users to share personal information or perform actions that can cause network/system compromises or data/financial loss. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware or ransomware on a targeted user’s device.
Typically, spear phishing is used in targeted attack campaigns to gain access to an individual’s account or impersonate a specific individual, such as a ranking official or those involved in confidential processes within the company.
A whaling attack is a method used by cybercriminals to masquerade as a senior official within an organisation and directly target other ranking or important individuals. The aim of whaling attacks is typically to steal money, gather sensitive information, or gain access to their computer systems for criminal purposes.
Also known as CEO fraud, whaling is similar to regular phishing attacks in that it uses methods such as email and website spoofing to trick targets into performing specific actions, such as revealing sensitive information or transferring funds.
Cybercriminals specifically choose to impersonate someone with senior or influential roles within the organisation. Think of them as the ‘big phish’ or ‘whales’ of the company (i.e., CEO or finance managers). Impersonating people in these roles adds an extra element of social engineering, as staff may be reluctant to refuse a request from someone they deem to be important.
Voice phishing (shortened to ‘vishing’) is a form of phishing that uses phones to steal confidential information. Vishing relies on convincing victims they are doing the right thing by responding to the caller. Often the scammer will pretend to be calling from the government, tax department, police or the victim’s bank.
Using threats and persuasive language, cyber criminals will make their victims feel like they have no other option but to provide the information requested. Some scammers will use forceful language that suggests they are helping the victim avoid criminal charges, while other scare tactics involve leaving threatening voicemails requesting the victim call back immediately or risk arrest, loss of funds, or worse.
The cybercriminal may ask for bank account information, credit card details, mailing addresses, tax information, or medical records. They may also ask the victim to take action by transferring funds, emailing confidential work documents, or providing details about their employer.
Once the criminal has obtained this information, they may drain the victim’s bank account, commit identity theft, use the victim’s credit card to make unauthorised purchases, or access their email accounts to trick the victim’s colleagues into giving up confidential information.
SMS phishing (also known as text phishing, or ‘smishing’) is a phishing attack carried out over mobile text messaging. Victims are deceived into giving sensitive information to a disguised attacker. It occurs across many mobile messaging platforms, including non-SMS channels like WhatsApp, Facebook, Instagram or other data-based mobile messaging apps.
Cybercriminals manipulate a victim’s decision-making through three driving factors:
- Trust: by masquerading as a legitimate individual or organisations, cybercriminals lower their target’s scepticism.
- Context: cybercriminals use a situation could be relevant to targets allows them to build an effective disguise. The message feels personalised, which helps it override any suspicion that it may be spam.
- Emotion: by heightening a target’s emotions, attackers can override their target’s critical thinking and spur them into rapid action.
5. Angler Phishing
Angler phishing is a recent type of cyberattack that targets social media users. People disguise themselves as a customer service agent on social media in order to reach a disgruntled customer and obtain personal information or account credentials.
Fake accounts will answer people are airing complaints on social media, and will disguise themselves under a user handle or profile that includes the name of the financial institution with the hopes that upset victims won’t realise they are not a valid account.
Once they have baited their disgruntled victim, the fake account will offer a link they claim will take the victim directly to an agent to talk to them. However, that link will either install malware onto their computer, or lead them to a fake website that will try get information and money from them.
Pharming is a type of cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These fake (or ‘spoofed’) websites aim to capture a victim’s personally identifiable information (PII) and login credentials, such as passwords, social security numbers, account numbers and so on, or else they attempt to install pharming malware on their computer. Pharmers often target websites in the financial sector, including banks, online payment platforms, or ecommerce sites, usually with identity theft as their ultimate objective.
7. Pop-up Phishing
Pop-up phishing involves using fraudulent messages that pop up for users when they are surfing the web. Cybercriminals infect legitimate or otherwise trustworthy websites with malicious code that enables these pop-up messages to appear when people visit the website.
Often, these messages warn unsuspecting website visitors about the security of their computer and will prompt the visitor to either download a tool (such as an antivirus application) which is in fact malware, or to call a fraudulent number for support.
Example of successful pop-up phishing:
A potential victim was browsing the internet on his MacBook Pro, when he encountered a pop-up message alerting him to a problem with his computer. The scammers behind the pop-up provided a phone number to call for support.
The cybercriminal disguised as an ‘Apple support representative’ prompted the user to establish a remote connection so the ‘representative’ could diagnose the issue. The scammer showed the user his AppleCare had expired and required renewal for $499 and navigated the victim to a webpage requesting his credit card number for AppleCare renewal.
8. Clone Phishing
Clone phishing refers to an email that has been cloned from an original message sent by an authentic organisation. The cloned email appears to be legitimate and can trick the user into giving up information.
Clone phishing has evolved into a cyber threat that is often targeted at high-profile people such as individuals working in politics, banks, or large enterprises because clone phishing offers a way for attackers to extract sensitive, financial, confidential, or sensitive information.
Some clone phishing messages appear to be sent by a real person at the company the target works for or is involved with and is accompanied by copy and pasted content and information from a genuine message, with links or attachments that have been replaced by malware or fake website. Other spoofed emails include attachments claiming to contain important information such as invoices or shipping notices. Often, these attachments will contain malware or ransomware that compromise the victim’s device.
9. Evil Twin Phishing
An evil twin attack is a form of cyberattack that tricks a victim into connecting to a fake Wi-Fi access point that mimics a legitimate network. It is the wireless version of common phishing attacks. Once a user is connected to the ‘evil twin’ network, cybercriminals can inject malware or access the victim’s network traffic, sensitive data, and private login credentials.
The danger in evil twin attacks is that victims are often not aware they have been targeted by an evil twin attack because, for all intents and purposes, it feels no different from connecting to any other Wi-Fi network. The main difference is that once they have connected, everything they do online can be tracked and even controlled by the cybercriminal. If the victim logs into an unsecured bank or email account, the cybercriminal is able to intercept the login details and transactions.
Once the cybercriminal has identified a Wi-Fi network or hotspot to spoof, they will create a counterfeit wireless access point with the same name, one that closely resembled it or a name that could tempt users (e.g., Free Wi-Fi). Open networks are a prime target as users can connect automatically with requiring a password.
10. Watering Hole Phishing
Watering hole attacks compromise users within a specific industry by infecting websites they typically visit and luring them to a malicious site. Watering hole attacks are also known as strategic website compromise attacks.
Cybercriminals attempting attacks for financial or gain or to build their botnet can achieve this by compromising popular consumer websites. They will look for a known vulnerability in the website, compromise the site, and infect it with their malware before they lie in wait for baited users.
On top of this, attackers will prompt victims to visit the sites by sending them seemingly harmless and highly contextual emails directing them to specific parts of the compromised website. Often these emails seem completely legitimate, as they are sent through the website’s automatic email notifications and newsletters that go out to their client or subscription base.
As with most cyberattacks, the user’s machine may be compromised by a drive-by-download that provides no clues to the victim that their machine has been attacked and compromised by the site.
11. HTTPS Phishing
HTTPS phishing refers to the landing page or watering hole site that a user arrives at. SSL certificates have in the past been a way to ‘prove’ that a website is trustworthy. However, now it has become relatively easy for scammers to encrypt SSL on their fake or spoofed websites. Cybercriminals can now get their own SSL certificates to secure pages used in their phishing campaigns, and can often do so without having to reveal much information about who they really are. Other criminals may abuse pages hosted on cloud services, which sometimes allow them to automatically inherit the security certificate.