Learn about the different types of phishing attacks facing organisations today and the challenges with keeping your data safe
Phishing has been a common cyberthreat for many years now, but as technology advances, the methods used by cybercriminals to breach your systems and steal your data have grown in complexity. This has led to an increase not just in incidents of phishing attacks but the different types of phishing attacks facing businesses today.
“In the past year, 83% of all cyberattacks in the UK were phishing attacks.” ‘Cyber Security Breaches Survey 2021’, Gov.uk
A successful phishing attack typically leads to a data breach or ransomware attack. Both financially and in terms of a company’s reputation, this can be devastating. Unsurprisingly, the damage it causes often results in customers taking their business elsewhere. The stakes have never been higher.
In this article, familiarise yourself with the fundamentals of phishing, the different types of phishing attacks in use today and how you can protect your data and your organisation against the growing risk of phishing attacks — before it’s too late.
What is phishing?
Phishing attacks are attempts by cybercriminals posing as a trusted person or organisation to trick an individual into opening a fraudulent email, SMS, or instant message. Once opened, this message is designed to deceive the victim into sharing sensitive information or clicking a link that will run malicious code.
It’s often referred to as a form of social engineering because it leverages human interactions and psychological manipulation to bypass firewalls and other network security measures.
While all phishing attacks can be thought of as social engineering attacks, that doesn’t mean all phishing attacks operate in the same way. Today, there are five different types of phishing attacks against which organisations need to protect themselves. What do they look like?
Targeting a specific individual or business.
Sending a large number of untargeted phishing emails.
Phishing attacks targeting a company’s executives.
Phishing attacks performed over the phone or VOIP.
Attacks using text messaging.
5 different types of phishing attacks and examples
1. Bulk phishing
The most common type of phishing attack is known as bulk phishing. As its name suggests, bulk phishing attacks are carried out as scale, involving large numbers of fraudulent emails distributed to employees and other individuals.
Bulk phishing attacks are more easily recognised by their targets because they’re not personalised. Their strength lies in the sheer volume of attacks carried out. It only takes one person to unthinkingly or unwittingly open the email and click the link for the attack to be successful.
Examples of bulk phishing attempts include emails relating to winning a prize, issues with the user’s account, or emails stating that a password has expired and needs to be changed.
Some of these can easily be spotted due to poor grammar, spelling and design of the email, however others are nearly indistinguishable from an official email.
2. Spear phishing
When threat actors take the step to personalise phishing attacks to the recipient, this is known as spear phishing.
Spear phishing involves more research on the part of the cybercriminal but has generally higher success rates because targets are more likely to engage with emails that include personal details, making them more susceptible to malicious links or files.
Examples of spear phishing include emails that contain the victim’s name or place of work, emails imitating a supplier, or outreach from third-party technical support requiring the user to send their password for security reasons.
When a phishing email targets a company’s executives, this is known as whaling. Whaling attacks are typically aimed at stealing senior executives’ login credentials. Understandably, this can be devastating when it is successful as executives’ accounts often have comprehensive access to the company network along with employee and customer data.
It is important for the entire company to be made aware and educated about cybersecurity, including the C-suite and other executives.
Some cybercriminals will use spear phishing attacks to gain access to an employee’s email account before using that account to ‘whale’ the executive. These types of attacks are especially dangerous as individuals are more likely to trust emails from other employees.
Vishing, or ‘voice phishing’ attacks are performed over the phone or a Voice over Internet Protocol (VoIP). You’ll most likely recognise them as scam calls.
Victims tend to fall for these kinds of attacks because they are voice-based and so more trusting but also because the types of organisations they typically imitate are often perceived as authoritative and credible. Targets can learn to spot them as a company will never ask for personal information over the phone.
Vishing attacks often take the form of calls or messages imitating a bank or technical support asking for account information for security purposes.
Smishing or SMS phishing, is carried out using text messages to mislead or deceive a victim. This is a good example of how phishing has evolved to reflect the changing ways people prefer to communicate. As more companies embrace WhatsApp, text and other digital channels, victims who might consider an email or even a phone call suspicious may not think twice about replying — or even prefer to reply! — to text communications.
You might receive a text from what appears to be your bank with an ‘urgent message’ about your credit card or unusual account activity. Other attackers may attempt to engage the recipient with humour to lure them into engaging with or even forwarding the message.
Gone phishing: how to protect your company’s data
Phishing has been a common cyberthreat for a long period of time, and it is unlikely to stop anytime soon, especially as cybercriminals are constantly changing their methods to be more complex and difficult to identify. It is important that all employees are aware of phishing methods to avoid being victim to an attack. However, it only takes one employee opening a malicious link or file to have a company-wide data breach. It is in a company’s best interest to have software that uses AI to block phishing attacks before they even land in your inbox.
We offer protection from phishing attacks along with a suite of email protection tools that will ensure that your company’s data stays secure, and you do not lose customers due to a cyberattack. If you want to find out more on how to protect your business speak to us today.
Key takeaways to protect against phishing attacks
The best defence against all different types of phishing attacks is awareness. Taking the steps to educate your people to the potential threats and how to spot them will go a long way towards helping to protect your data, your organisation and your customers.
Consider the following tips and how you might share them across the organisation to keep your systems safe. Alternatively, if you’d like to speak to us about this or any other aspect of phishing protection, including security defences and email protection tools to keep your data secure, we can help. Our Opus Secure services help you to manage cybersecurity threats of all kinds, including improving employee digital behaviour to help your business stay secure.
- Always check where an email has come from and look for different spellings of the email address or URLs in the text.
- Always verify suspicious email requests in person if possible and never share your password or other personal information with others.
- If you receive a suspicious call or voice message, check to see if the number that has called is listed on the official company website and not a known scam phone number.
- Apply the same level of scrutiny to text messages that you would an email or phone call, as it is just as dangerous an attack vector.
- Implement policies and software to avoid employees at all levels of the company from being phished.
- If you’re ever in doubt, it’s always safer to not open an email.