10 most common phishing attacks
Phishing is one of the most common ways for scammers to steal information. Through social engineering or deception, fraudsters attempt to trick people into handing over personal or confidential information to then use it for malicious purposes. With some basic information like your full name and address, a scammer could make you vulnerable to identity theft and with a username and answers to privacy questions, they might even be able to get into your online banking accounts.
Corporations are especially at risk, and despite the commonality of phishing attacks, many people remain unaware of how to spot him. According to a Verizon cybersecurity report, there was 9,576 email phishing incidents reported in 2015, and 916 resulted in a data breach. This means that almost 1 in 10 phishing attempts are successful. For people in the tech field, this might seem like a crazy number, but the target is usually someone outside of the bubble, unfamiliar with what a phishing attempt looks like.
Phishing simulations & training
The fact is that there are many different types of phishing attacks. Some are generic emails that are easy to spot but more others can be especially tailored to the victim and might be difficult to warn users about.
These are the 10 most common types of phishing attacks.
Deceptive phishing
Deceptive phishing is by far the most common type of phishing attack in which scammers attempt to replicate a legitimate company's email correspondence and prompt victims into handing over information or credentials. Often, they are creating a sense of urgency to make people act quickly and without checking. Two-factor verification can be used to protect yourself. You should also always look for tell-tale signs such as grammar and spelling mistakes throughout the email or broad addressing terms.
Spear phishing
Spear phishing attacks are specifically tailored to one victim. Using knowledge gained from your social media profiles and other public information, a scammer can craft a legitimate-looking email to trap the victim into responding. Many times, these emails appear to come from a trusted source, like a business or a friend and ask for revealing information. Victims that respond to such emails can suffer from identity theft, malware, credit card fraud, and even blackmail.
Whaling / CEO fraud
Whaling is an attempt to go after the "big fish." First attackers will target high-level employees and executives to gain access to their email accounts or spoof them. If they're able to do that, it puts the entire business at risk.
When the CEO or the head of a department asks for some files, most people wouldn't question it, even if it's an odd request. That's what makes these types of attacks so dangerous. Not only that but with some less protected corporations, someone with access to a high-level account can also gain access to employees' information, hold the network hostage, and cause financial loss.
Vishing
Vishing is a type of attack done through Voice over IP (VoIP). Because a VoIP server can be used to appear as virtually anything, and the caller ID can be changed, vishing attempts can be very successful. It might appear that someone close to the corporation is calling or like an important outside entity like a bank or the IRS.
SMiSHing
Similar to Vishing, SMiSHing is done over the phone but in the form of text messages. These can be extremely wide-reaching as the scammer can send out bulk amounts of the same text to many different numbers. Sometimes, the scammer attempts to trick people into believing that they've won a contest, but the less obvious ones pose as banks and credit card companies. They will then attempt to get the person's information either by a link in the text or a prompt to call a number.
W2 phishing
W2 phishing can be a form of whaling. An attacker will use an executive's email or make one that appears similar and attempt to collect W2s and W9s of the employees to gain private information such as social security numbers and addresses. Tax season is usually the peak time to see these attacks since everyone is getting their information and files ready. Sometimes instead of coming from an executive, these attacks appear to come from the IRS which might seem obvious but when done effectively, can go under the radar.
Pharming
Many people can spot a phishing email from a while away, so some scammers have turned to more sophisticated ways to defraud their victims. This has led to pharming, a type of attack that uses Domain Name System (DNS) cache poisoning. By using cache poisoning, an attacker changes the IP address associated with a website name and redirects it to a malicious website. The best way to protect against pharming is only to use HTTPS protected and secured sites when entering personal information.
Ransomware phishing
Many phishing emails contain a link to download malware, sometimes in the form of ransomware. Instead of looking for information, ransomware phishing attacks hold the infected computer hostage until the victims pay up. Unfortunately, many people that fall prey to this kind of attack also pay the ransom to get their files released, thereby contributing to the chance that this attack will happen again.
Dropbox phishing
Dropbox, a file-sharing platform is particularly interesting to scammers looking for personal information. A Dropbox phishing attack uses an email that appears to be from the website and prompts the victim to log in. Then, this information is logged by the attacker and used to log in to the victim's Dropbox. This often gives them the ability to access private files and photos as well as to take the account hostage. This type of attack is best prevented against by enabling two-factor verification.
See Infosec IQ in action
Google Docs phishing
In the same as Dropbox phishing, Google Docs phishers spoof a legitimate-looking log in prompt to trick their victims into handing over their passwords. Through Google Docs, the attackers can then get into files, videos, documents, spreadsheet and whatever else is stored there. Again, two-factor verification may be used to protect yourself against this threat.
Educating employees is key to combatting these types of phishing attacks. To learn more about creating an effective security awareness program, read our best security awareness training article.
In this Series
- 10 most common phishing attacks
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
