Common phishing scams and how to avoid them

Phishing scams are one of the most prevalent online attacks we face today. People fall victim to phishing scams daily, resulting in compromised devices, identity theft, and financial fraud. When you add AI into the mix, phishing is poised to attack more people with more sophisticated attacks that can be remarkably convincing.

In this post, we examine the most common phishing techniques and attacks, providing an overview of how they operate and offering tips on how to avoid them.

Let’s start.

What is phishing?

Phishing is a type of cyberattack designed to deceive its victim(s) into revealing sensitive information, such as usernames, passwords, credit card numbers, and other personal data. The term “phishing” is (rather obviously) derived from the analogy of fishing, where attackers use bait to lure unsuspecting victims into their traps. In a phishing attack, the bait will typically be a message (email, SMS, or even a phone call) that mimics a legitimate contact or business with which the victim has a relationship, such as a bank, online service, delivery company, or any other trusted organization.

The message will invariably claim that there’s a time-constrained emergency you need to address. This creates a sense of urgency designed to elicit an emotional response that effectively shuts off your rational thought processes. Conveniently, there will be a link or an attachment you can click on to sort out the issue.

If you follow the message’s advice and click the link, one of two things will happen:

  • Your device downloads malware that harvests your personal information and delivers it to the attacker.
  • You’re taken to a fake website designed to look legitimate, which prompts you for your personal information and delivers it to the attacker.

Phishing can take several forms, each employing different tactics. Email phishing is the most common type, where attackers send emails that appear to be from a legitimate contact or business. These emails often contain links to fake websites or attachments that contain malware (which can harvest your personal information). Similarly, SMiShing involves sending fraudulent text messages that compel victims to click on malicious links or provide personal information.

While some types of phishing attacks can be extremely targeted, as we’ll see below, they typically cast a very wide net, targeting hundreds or thousands of people at a time. The attacker only needs a few people to take the bait to get a return on their investment.

Signs of a phishing attack

Regardless of the specific type, phishing attacks all follow the same playbook. It’s based on a psychological tactic known as social engineering. Here is a step-by-step breakdown of a typical phishing attack:

  1. Research and reconnaissance: The attackers start by amassing a list of targets, gathering personal and contact information from social media, public records, data brokers, and data breach dumps. This allows them to craft personalized and convincing phishing attempts.
  2. Crafting the bait: Using the information they’ve collected, the attackers create a seemingly legitimate email, message, or website that appears to be from an organization with which the victim has a relationship. These messages are designed to create a sense of urgency or fear, prompting the victim to take immediate action.
  3. Delivering the payload: The attackers then deliver their phishing attempt, whether it’s through an email, a text message, or a social media post. They often employ tactics such as spoofing email addresses or impersonating trusted contacts to make the message appear more authentic.
  4. Exploiting the victim: If the victim falls for the phishing attempt and clicks on the malicious link or provides their sensitive information, the attackers can then use that data to infiltrate secure systems, hijack accounts, and steal money.

Here are the two main giveaways you should look out for:

  • The message instills a strong sense of urgency requiring you to take action immediately to prevent something terrible from happening to you, like asset seizure, account lockout, or even arrest.
  • The message will either contain an attached file that you need to download or a link to a website with fields for personal information, such as a login page.

Remember that in a phishing attack, the attacker aims to collect information that you wouldn’t typically share with anyone. To do that, they need you to think that you’re dealing with someone in authority and that they have a valid reason for collecting this information.

Let’s look at some specific phishing attacks in more detail.

Spear phishing

Spear phishing is a particularly insidious form of phishing. That’s because spear phishing attacks are highly targeted and tailored to specific individuals or organizations, unlike generic phishing scams that tend to cast a wide net.

In spear phishing scams, attackers conduct extensive research to gather detailed personal information about their targets. They’ll trawl the internet to uncover personal information from social media, public records, or even previous data breaches to produce convincing and seemingly legitimate emails and/or text messages that appear to come from trusted sources, such as colleagues, superiors, or even government agencies.

The goal of a spear phishing attack is to manipulate the target into divulging sensitive information, such as login credentials, financial data, or other confidential details. Once the scammer has this information, they can use it to infiltrate secure systems and commit identity and financial fraud.

What makes spear phishing so insidious is its level of personalization and attention to detail. Attackers invest significant time and effort to ensure their phishing attempts are as convincing as possible, making them difficult, even for tech-savvy individuals, to detect.

As AI technology continues its relentless march, the threat of spear phishing is only growing. AI can be leveraged in scams to automate the research and creation of these highly targeted messages. AI can also be used to create fake websites that look identical to the real thing, making these scams even harder to detect.

Whaling (CEO phishing)

Whaling, also known as CEO phishing, is a type of spear phishing attack that specifically targets high-profile individuals within an organization, such as executives or senior management. Whaling is a high-precision strike, meticulously crafted to deceive its intended victim. The stakes are extremely high in a whaling attack, as the payload will often be sensitive company information, financial data, and, in extreme cases, the ability to transfer funds.

The tactics employed in whaling typically involve extensive research on the target. Attackers will spend significant time researching their target to gather as much personal information as possible, to construct a convincing narrative for their victim.

If they fall victim to a whaling attack, organizations stand to lose massive amounts of money on top of the reputational damage that ensues. As with spear phishing, AI can enhance these attacks by making them more sophisticated, convincing, and successful. Be on the lookout.

Vishing

Vishing, also known as voice phishing, is a type of phishing attack. However, vishing sets aside emails and text messages in favor of phone calls, taking the art of deception to a more personal level and using the human voice to create a sense of both urgency and trust, thereby obtaining the victim’s personal information.

Vishing has been around for years, but AI voice cloning capabilities have given it a massive boost. Attackers can now create convincing, deep-faked voices of individuals to help them trick victims into visiting phishing sites and divulge private information.

In a vishing attack, the attacker typically poses as a representative from a legitimate organization, such as a bank, government agency, or tech support. They often use caller ID spoofing to make it appear as though the call is coming from that trusted source or a local number. They’ll then inform the victim of an issue with their account, a suspicious transaction, or any other problem requiring immediate attention. The goal is to create anxiety, fear, and urgency to compel the victim to act quickly without thinking critically.

Vishing attacks are particularly effective in exploiting human emotions. The personal touch of a phone call can make the scam feel more legitimate, and many people are less cautious when speaking to someone directly. This often leads people to lower their guard and hand over highly sensitive information, such as banking details and even Social Security numbers.

Always verify the caller’s identity and never share sensitive information over the phone unless you initiated the call.

SMiShing

SMiShing, or SMS phishing, is a phishing attack that occurs over text message (SMS). As mobile devices have become ubiquitous, cybercriminals have adapted their tactics to exploit this communication channel. Just like traditional phishing and vishing, SMiShing relies on manipulation and urgency to trick victims into giving up information.

What makes SMiShing particularly effective is the inherent trust many people place in text messages. Unlike emails, which can be filtered into spam folders, SMS messages tend to feel more direct and personal. This can lead individuals to lower their guard and act quickly without taking the time to verify the message’s legitimacy.

How to avoid falling for phishing attacks

First off, don’t panic. No matter what that email, phone call, or website says, it’s never as bad as they make it out to be. If there were a real issue with your accounts, the bank or company wouldn’t be contacting you through a pre-recorded message, an email, or a random pop-up ad while you’re browsing online. If you feel rushed to make a decision, take a moment to think.

When legitimate companies detect suspicious activity on your account, their standard policy is to decline the transaction and have their fraud prevention team contact you to verify if it’s a legitimate purchase. They won’t just send you an email demanding immediate action.

If a legitimate email does contain a link, it will usually point to the company’s main website or a login page. To check where a link actually goes, hover your mouse over it without clicking. A small pop-up will display the real URL, which may differ significantly from what the link text suggests. If you’re on a mobile device, long-press the link to inspect it.

Even emails from people you know could be spoofed, so it’s always a good idea to double-check the header details, especially on any messages that require immediate action. Large companies, such as banks and PayPal, typically do not send emails with attachments. Instead, their messages will simply notify you of updates to your online account.
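A defender-side version of the two manual checks above (where a link really goes, and whether the header details line up), written as an added example rather than code from the original post: it parses a constructed sample message with Python’s standard library, flags a Reply-To domain that differs from the From domain, and flags any link whose visible text names one host while its href points to another. The sample message, addresses and domains are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this demo; every address and domain is a placeholder.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examplebank.com>
Reply-To: support@mail-verify-example.net
Content-Type: text/html; charset=utf-8

<p>Verify now: <a href="http://login.mail-verify-example.net/x">https://www.examplebank.com/login</a></p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""
class _LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(header_value):  # domain part of a From/Reply-To header value, '' if absent
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def check_message(raw):
    """Return warnings: Reply-To/From domain mismatch, and links whose text hides the real host."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = msg.get_body(preferencelist=("html",))  # None when there is no HTML part
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if " " in text or "." not in text:  # plain words, not URL-like: nothing to compare
                continue
            shown, actual = urlparse(text if "://" in text else "//" + text).hostname, urlparse(href).hostname
            if shown and actual and shown != actual:
                warnings.append(f"link text shows {shown!r} but points to {actual!r}")
    return warnings
```

Running `check_message(SAMPLE_EML)` yields two warnings (the Reply-To mismatch and the misleading first link) and stays silent on the second link, whose text and target agree.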

Pay attention to how the email is addressed. If it’s not personalized to you, it’s likely a phishing attempt. Vigilance is key. You can get it right 100 times, but falling for the scam just once can have serious consequences. Even a 1% success rate can still yield hundreds of stolen identities or credit card numbers for attackers to sell on the dark web or use for other scams.

What to do if you’ve fallen victim to phishing

If it’s too late and you fell for the bait, you’re not alone. Act quickly to minimize the damage from malware, identity theft, and unauthorized account access. The steps below are a good start.

  • Shut down your computer immediately in case of a malware infection.
  • If it’s a work computer, notify your IT team right away.
  • Run an antivirus scan on your device to detect and remove the malware.
  • If the above steps do not yield any results and you have backups of your system, restore it to a point before the infection occurred.
  • Change your passwords for all online accounts, starting with your banking and financial accounts.
  • Contact major credit agencies to place a fraud alert on your credit and monitor your credit closely for the next few years.
  • Report any compromised debit or credit cards to your bank, and consider closing the affected account.
  • If you can’t access the hijacked account, contact the company immediately to report the account takeover.

Where to report phishing emails

Most people who receive phishing emails will simply delete them, and that’s fine. But if one slips through your spam filter and seems particularly effective or dangerous, or if you’re just fed up and want to take a more proactive role in stopping phishing, then you can report phishing emails to the authorities.

In the US, you have a few places to report phishing. Forward the email to:

  • The FTC: spam@uce.gov
  • The Anti-Phishing Working Group: reportphishing@antiphishing.org
  • The United States Computer Emergency Readiness Team (US-CERT): phishing-report@us-cert.gov

You may also want to report the incident to the impersonated entity. The FTC recommends including the full email header, which includes the display names and email addresses of both the sender and recipient, the date, and the subject. Some of this information is hidden by default in some email clients, so you may need to search for instructions on how to display it.

UK residents can report phishing scams on the Action Fraud website. Users just need to answer a few questions about the phishing attempt and who it impersonated to get the appropriate email address to forward it to.

Wrapping up

So, that was an overview of the most common types of phishing attacks. They come in many forms – from generic mass emails to highly targeted spear phishing. However, regardless of the specific tactics employed, the goal remains the same: to deceive the victim into disclosing sensitive information that can be exploited for identity theft and fraud.

The key is to remain vigilant and skeptical of any unsolicited messages claiming to be from legitimate organizations. Phishing is a threat that will likely persist for years to come, but with a little knowledge and a healthy dose of caution, you can protect yourself.

Stay safe.
