What are The Types of Phishing Attacks?

types-of-phishing-attacks

Phishing scams have existed since the beginning of the World Wide Web. Phishing attacks were initially widely disseminated in the mid-1990s when cybercriminals used the America Online (AOL) service users to gain access to personal information such as passwords and credit card details. While social engineering techniques are still used in recent attacks, fraudsters have developed more sophisticated methods.

The definition of a phishing attack is one of the famous cyber security terms and its types include an attack technique that employs social engineering to trick a person into doing something counterproductive to their interests. Organizations can better safeguard their users and their data if they are thoroughly aware of the twelve types of phishing attacks. There are various types of phishing attack examples.

Overview of the Top 7 Types of Phishing Attacks

Phishing is one of the most common cyber threats today. It is an attack that tries to trick users into revealing sensitive information, such as passwords and credit card numbers, by posing as a legitimate entity. There are various types of phishing attacks, and it is essential to be aware of them to protect yourself from becoming a victim. This list will provide an overview of the top 5 phishing attacks so you can be better prepared against these malicious attempts.

1. Phishing via Email

Email phishing, often known as “deception phishing,” is a typical cyberattack. Emails sent by bad actors pose as legitimate companies to trick consumers into clicking on links or downloading files by creating a false feeling of urgency through social engineering techniques.

Usually, clicking on these links will take you to a rogue website that will steal your login information or infect your device with malware. Malicious code is embedded in the downloaded files—typically PDFs—and is activated when the user opens the file. It is among the different types of phishing attacks.

Recognizing Phishing Emails

Most individuals know the most common red flags that indicate an email might be a phishing attempt. However, as a reminder, some of the more common things to keep an eye out for when attempting to lessen risk are:

It would be best to verify the sender’s legitimacy by looking for clues such as the correct spelling of the sender’s name or the use of the proper domain in the sender’s email address.
Harmful and safe software: Watch for files or links that appear to be misspelt since they may contain code designed to mislead Exchange Online Protection (EOP).
Reduced link lengths: Avoid shortening a link in an email; this practice is used to trick Secure Email Gateways.

False brand logo: Look for legitimate symbols, which may include harmful HTML characteristics that will only work if you click them.
Minimal copy: Ignore emails with simple images and very little content, as the photos could contain malware.

2. Phishing via a Secure HTTPS Connection

Because of the added security provided by encryption, links with the hypertext transfer protocol secure (HTTPS) designation are generally believed to be trustworthy. Nowadays, all reputable businesses should have an HTTPS protocol instead of an HTTP one. However, hackers now use HTTPS in their phishing emails’ embedded URLs.

Where to look for signs of a phishing website that uses HTTPS

This is a more subtle version of the typical email phishing assault. It’s essential to think about the following factors when deciding whether or not a link is trustworthy. Here are some areas to check:

Domain name: Phishing websites often use domain names that mimic legitimate websites to deceive users. Carefully inspect the domain name of the website in question. Look for misspellings, extra characters, or slight variations from the proper domain name. For example, a phishing website may use a domain like “paypa1.com” instead of “paypal.com”.

SSL certificate: HTTPS websites use SSL (Secure Socket Layer) certificates to encrypt data between the user’s browser and the web server. Check for an SSL certificate by looking for a padlock icon in the browser’s address bar or an “https://” prefix in the website’s URL. However, having an SSL certificate alone does not guarantee the legitimacy of a website, as phishing websites can also obtain SSL certificates.

Security warnings: Modern browsers often display security warnings for potentially unsafe websites. If you encounter a sign that the website you are visiting may be dangerous, proceed with caution and carefully evaluate the website’s legitimacy.

Content and design: Phishing websites may have poor design quality or contain suspicious content. Look for signs of poor grammar, spelling errors, or inconsistent formatting on the website. Phishing websites may also attempt to create a sense of urgency or use emotional manipulation to trick users into providing personal information.

Links and redirects: Phishing websites may use misleading links or redirects to take users to web pages asking for personal information. Check the URLs of links on the website and hover over them to see if they match the legitimate domain name or if they redirect to suspicious websites.

Shortened link: Ensure the link is in its original, long-tail format and shows all URL elements. Links that appear to be part of the text but lead to a different website are called hypertext.

Trustworthiness: Consider the overall reliability of the website. Does it match the typical behaviour and appearance of a legitimate website? It may be a phishing attempt if something feels off or too good to be true.

3. Spear Phishing

Although spear phishing employs email, it takes a more focused approach. Cybercriminals use open source intelligence (OSINT) to obtain information from published or publicly available sources like social media or a company’s website. And then, they send emails to particular people at the company, posing as coworkers by using their genuine names, titles, and work phones. Ultimately, the recipient complies with the request since they think it was sent from within the company.

Recognizing Spear Phishing:
Abnormal request: Look out for internal requests that originate from people in different departments or seem out of the usually given job function.
Exchanged drive links: Be aware of links to documents saved on shared drives like Google Suite, O365, and Dropbox because these can redirect to a phoney, dangerous website.
Records that require a password to access: There is a risk that any paperwork asking for a user ID and password is an attempt to steal those details.

4. Whaling/CEO Fraud

Another corporate phishing that exploits OSINT is whale phishing, often termed whaling or CEO fraud. Cybercriminals look for CEO or other high-ranking company officials by searching for their names on social media and company websites. They then spoof that person using a similar email address. The email can ask for a money transfer or request that the recipient check a paper.

How to identify CEO fraud:

Unusual request: If a high-up executive has never contacted you, you should proceed cautiously.
Please make sure any legitimate request is made to a business email rather than a personal one, as many people now use email software that connects all their email addresses.

5. Vishing

The term “vishing” refers to phishing in which a cybercriminal phones a phone number and makes the recipient feel pressured into countering their best interests. During very trying circumstances, you may receive one of these calls. During tax season, for instance, many people get phone calls from someone pretending to be from the Internal Revenue Service (IRS), saying they want to conduct an audit and require their social security number. Callers utilize scare tactics to get victims to reveal sensitive information, such as bank account details.

How to spot Vishing:

Caller number: The number can be from a strange location or blocked.
The call came at a particularly stressful time of year or life event.
The caller is asking for information that seems out of character for the type of call they are making.

6. Smishing

Malicious actors often apply similar strategies to different sorts of technologies. In communication via mobile device, “smishing” refers to sending a text message with a specific request. These represent the next step in Vishing’s development. The text may contain a link that, when visited, will download and install malicious software on the user’s computer.

Knowing the signs to look for in smishing:

Change in the Delivery Status: Always check your email or visit the delivery service’s website to see your package’s current status if you have received a text message asking you to take action on a delivery.
Disturbed dialling pattern: Verify the area code with your contacts before replying to an SMS or following the advised action.

7. Angler Phishing

Phishing attempts have spread from email to social media as cybercriminals shift between several attack routes. Angler phishing, like its more well-known cousins, Vishing and smishing, occurs when a hacker uses a social media app’s notification or direct messaging functions to trick a user into giving up sensitive information.

Recognizing the Signs of Angler Phishing:
Notifications: Be aware of alerts claiming you’ve been added to a post, as they can contain infected links.
Unusual, direct communications: Be wary of receiving direct messages from infrequent users, as their accounts could be faked.

Never click a link in a direct message, regardless of how trustworthy it may appear unless the sender routinely sends you fascinating links.

Avoiding Phishing Attacks

While social engineering is where phishing began, modern methods can be challenging for consumers to spot. Phishing risks can be reduced by taking numerous measures to stop hostile actors from breaking into systems, networks, and software.

Prepare Your Workforce
Information security begins with a well-trained staff. Rather than relying solely on phishing emails as a means of instruction, you should adapt your training to account for the changing tactics of cybercriminals. Newer methods, such as watering hole phishing attacks, should be incorporated into any phishing awareness training.

Install Email Filtering Software
Email filters, more commonly known as “spam filters,” can also check for additional hazards that may indicate a phishing assault attempt. Active content, or the coding that enables things like reading and editability in a PDF, is a common place for cybercriminals to conceal dangerous malware. To lessen the possibility of users falling for malicious phishing emails, it is essential to have an effective email filtering solution.

Put Notifications on Websites In Your Browser
There is a greater need than ever before to take precautions against visiting rogue websites. Since most businesses now actively monitor incoming email, hackers have shifted their focus to website source code. Users should be warned about visiting malicious sites by having browser warnings enabled.

Frequently Update Your System With Security Patches
Many phishing attempts use CVEs, or commonly exploited vulnerabilities and exposures. Maintaining up-to-date protections against these threats is essential.

Schedule Frequent Data Backups
Phishing attempts frequently leave malware, including ransomware, in their wake. Building a data backup procedure with three copies of data on two different media and one copy stored offsite will help protect your business from the effects of ransomware.


Phishing websites that use HTTPS (Hypertext Transfer Protocol Secure) can be challenging to detect, as HTTPS is a widely used and trusted protocol for secure online communication. However, there are still some signs that you can look for to identify potential phishing websites that use HTTPS.

Remember, it’s always important to exercise caution and verify the legitimacy of websites, especially when providing personal information or engaging in online transactions. If you suspect a website is a phishing attempt, do not provide personal information and report it to the appropriate authorities or the legitimate website owner.

Read also the Upguard’s blog about this attacks.

Partners