URL: https://www.itgovernance.eu/blog/en/the-5-most-common-types-of-phishing-attack

IT Governance European Blog

 * About Us
 * Visit our Webshop

 * Menu
 * Blog Home
 * Irish Blogs
 * Business Continuity
 * Cyber Security
   * ISO 27001
   * Risk Management
 * Data Protection / GDPR
 * IT Best Practice
 * PCI DSS
 * Other Blogs


THE 5 MOST COMMON TYPES OF PHISHING ATTACK

Luke Irwin 31st January 2023

Practically every business in the world is vulnerable to phishing. According to
Proofpoint’s 2022 State of the Phish Report, 83% of respondents fell victim to a
scam attack last year.

What makes phishing so frustrating is that most of us know what it is and how it
works, but we still get caught out.

Scammers have a handful of tricks up their sleeves to fool people into clicking
malicious links or handing over their personal information, and they use the
same approach time after time.

Each phishing campaign might differ superficially – with the pretext referring
to one organisation or another – and the attackers finding new ways to bypass
security filters, but their phishing techniques rarely change.

Unfortunately, these slight adjustments are often enough to catch us out. Thanks
to timeless strategies or carefully orchestrated social engineering tactics,
each new campaign looks genuine enough to trick overworked or negligent
employees.

We help you see through fraudsters’ tactics in this blog, as we take a look at
five of the most common phishing scams that you’re likely to receive.

--------------------------------------------------------------------------------


1. EMAIL PHISHING

Most phishing attacks are sent by email. The crook will register a fake domain
that mimics a genuine organisation and sends thousands of generic requests. 

The fake domain often involves character substitution, like using ‘r’ and ‘n’
next to each other to create ‘rn’ instead of ‘m’. 

In other cases, the fraudsters create a unique domain that includes the
legitimate organisation’s name in the URL. The example below is sent from
‘olivia@amazonsupport.com’.




The recipient might see the word ‘Amazon’ in the sender’s address and assume
that it was a genuine email.

There are many ways to spot a phishing email, but as a general rule, you should
always check the email address of a message that asks you to click a link or
download an attachment. 
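As an added, defender-side illustration (not code from the original post), here is a Python check that applies the two sender-domain tricks described above, confusable substitution such as 'rn' for 'm' and a brand name embedded in an unrelated domain, to a From header; the allow-list of genuine domains, the confusable pairs and the sample headers are constructed assumptions.

```python
import re

# Constructed allow-list of domains treated as genuine for these brands
# (an assumption for this example; use your own list in practice).
LEGIT_DOMAINS = {"amazon.com", "microsoft.com", "paypal.com"}

# Look-alike substitutions of the kind the article describes ('rn' read as 'm'),
# plus a few more of the same type. Folding them reveals the domain being imitated.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header, ignoring any display name."""
    angle = re.search(r"<([^>]+)>", from_header)
    address = angle.group(1) if angle else from_header
    return address.rsplit("@", 1)[-1].strip().lower()

def fold_confusables(domain: str) -> str:
    """Replace each look-alike sequence with the character it imitates."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def registrable(domain: str) -> str:
    """Last two labels of the domain (sufficient for the .com domains used here)."""
    return ".".join(domain.split(".")[-2:])

def classify_sender(from_header: str) -> str:
    """Return 'legitimate', 'lookalike', 'brand-in-domain' or 'unknown'."""
    domain = sender_domain(from_header)
    if registrable(domain) in LEGIT_DOMAINS:
        return "legitimate"            # e.g. mail.amazon.com
    if registrable(fold_confusables(domain)) in LEGIT_DOMAINS:
        return "lookalike"             # e.g. arnazon.com folds to amazon.com
    for legit in LEGIT_DOMAINS:
        if legit.split(".")[0] in domain:
            return "brand-in-domain"   # e.g. amazonsupport.com, amazon.com.evil.net
    return "unknown"

def flag_suspicious(from_headers):
    """Map every sender not on the allow-list to its verdict (what a filter would log)."""
    return {h: classify_sender(h) for h in from_headers if classify_sender(h) != "legitimate"}

# Constructed sample From headers, including the article's 'olivia@amazonsupport.com'.
SAMPLE_FROM = [
    "Amazon <noreply@mail.amazon.com>",
    "olivia@amazonsupport.com",
    "Amazon Support <help@arnazon.com>",
    "Microsoft Account <security@micr0soft.com>",
    "colleague@example.org",
]
```

Running `flag_suspicious(SAMPLE_FROM)` leaves only the first header unflagged; the 'amazonsupport.com' address from the article is reported as brand-in-domain and the 'rn'/'0' substitutions as look-alikes.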


2. SPEAR PHISHING

There are two other, more sophisticated, types of phishing involving email.

The first, spear phishing, describes malicious emails sent to a specific person.
Criminals who do this will already have some or all of the following information
about the victim:

 * Their name
 * Place of employment
 * Job title
 * Email address
 * Specific information about their job role

You can see in the example below how much more convincing spear phishing emails
are compared to standard scams.






The fraudster has the wherewithal to address the individual by name and
(presumably) knows that their job role involves making bank transfers on behalf
of the company.

The informality of the email also suggests that the sender is a native English
speaker and creates the sense that this is a real message rather than a
template.

--------------------------------------------------------------------------------


3. WHALING

Whaling attacks are even more targeted, taking aim at senior executives.
Although the end goal of whaling is the same as any other kind of phishing
attack, the technique tends to be a lot subtler. 

Tricks such as fake links and malicious URLs aren’t helpful in this instance, as
criminals are attempting to imitate senior staff. 

Whaling emails also commonly use the pretext of a busy CEO who wants an employee
to do them a favour.




Emails such as the above might not be as sophisticated as spear phishing emails,
but they play on employees’ willingness to follow instructions from their boss.

Recipients might suspect that something is amiss but are too afraid to confront
the sender to suggest that they are being unprofessional.


4. SMISHING AND VISHING

With both smishing and vishing, telephones replace emails as the method of
communication.

Smishing involves criminals sending text messages (the content of which is much
the same as with email phishing), and vishing involves a telephone conversation.

One of the most common smishing pretexts is a message supposedly from your bank
alerting you to suspicious activity.




In this example, the message suggests that you have been the victim of fraud and
tells you to follow a link to prevent further damage. However, the link directs
you to a website controlled by the fraudster and designed to capture your
banking details.


5. ANGLER PHISHING

A relatively new attack vector, social media offers several ways for criminals
to trick people. Fake URLs; cloned websites, posts, and tweets; and instant
messaging (which is essentially the same as smishing) can all be used to
persuade people to divulge sensitive information or download malware. 

Alternatively, criminals can use the data that people willingly post on social
media to create highly targeted attacks.

As this example demonstrates, angler phishing is often made possible by the
number of people contacting organisations directly on social media with
complaints.




Organisations often use these as an opportunity to mitigate the damage – usually
by giving the individual a refund.

However, scammers are adept at hijacking responses and asking the customer to
provide their personal details. They are seemingly doing this to facilitate some
form of compensation, but it is instead done to compromise their accounts.


YOUR EMPLOYEES ARE YOUR LAST LINE OF DEFENCE

Organisations can mitigate the risk of phishing with technological means, such
as spam filters, but these have consistently proven to be unreliable. 



Malicious emails will still get through regularly, and when that happens, the
only thing preventing your organisation from a breach is your employees’ ability
to detect their fraudulent nature and respond appropriately. 

Our Phishing Staff Awareness Course helps employees do just that, as well as
explaining what happens when people fall victim and how they can mitigate the
threat of an attack.

This online course uses real-world examples like the ones we’ve discussed here
to explain how phishing attacks work, the tactics that cyber criminals use and
how you can detect malicious emails.

You and your team will receive the expert guidance you need to detect phishing
attacks and respond appropriately, protecting your organisation from a costly
data breach.

The course content is updated quarterly to include recent examples of successful
attacks and the latest trends that criminals use.

Get started

--------------------------------------------------------------------------------

A version of this blog was originally published on 9 July 2019. 


ABOUT THE AUTHOR

LUKE IRWIN

Luke Irwin is a former writer for IT Governance. He has a master’s degree in
Critical Theory and Cultural Studies, specialising in aesthetics and technology.

17 COMMENTS

     
 1.  Alishia 9th July 2020
     
     There is one more type of phishing attack: Pharming which is similar to
     phishing, but in this type of attack, the attacker sends users to a
     fraudulent website that appears to be legitimate.
     
     Reply
      * prahath 13th October 2020
        
        How is that possible? I mean, how do they execute it?
        
        Reply
         * DOZ 5th September 2023
           
           Malware from the link modifies DNS setting.
           
           Reply
      * e11i0t 17th February 2022
        
        I think pharming doesn’t involve users clicking on the link; it relies on
        background processes to capture and redirect users to a malicious site.
        Here the user doesn’t even need to click on the link.
        
        Reply
 2.  Stanley Chauke 31st August 2020
     
     A very good article Luke, I enjoyed reading. Keep writing more about topics
     like.
     
     Reply
     
 3.  George Piggy 4th September 2020
     
     Thanks for making this article! Now I know what most phishing attacks are
     like! :DD
     
     Reply
      * George Piggy 4th September 2020
        
        Article*
        
        Reply
 4.  Triple I Consulting 15th January 2021
     
     Here in the Philippines there are all kinds of scams and phishing attacks,
     the most common being SMS message to random phone numbers saying they won
     some money, or they have an investment opportunity. All of which are used
     to get personal information and try to con them out of money. I do believe
     they also try fake website clones to phish user information.
     
     Reply
      * Amanda 31st July 2023
        
        Yes, this exact example is what has led me to this article, in need of
        educating myself to be one step ahead of how these scammers have been
        trying to get me to bite every day relentlessly! How can I stop them
        from messaging me?
        
        Reply
 5.  Ariya Rathi 28th July 2021
     
     Now I know how most phishing attacks work. Thanks for making this article;
     it is a useful blog.
     
     Reply
     
 6.  Pintu Bhatt 29th July 2021
     
     This is such an important contribution. Keep up this important work. I also
     want to add some more phishing attacks as per my knowledge which are
     following:
     
     HTTPS phishing
     Pharming
     Watering hole phishing
     Evil twin
     Clone phishing
     Pop-up phishing
     
     Reply
     
 7.  Briskinfosec Technology and Consulting Pvt Ltd 6th August 2021
     
     Your article is highly relevant and informative in the current age where
     cyber-attacks are on the rise and the security of our sensitive information
     is unpredictable. The tips are very useful and informative. I agree with
     the fact that, through proper education, awareness programmes and adopting
     cyber security services, these cyber attacks can be reduced to a large
     extent. Keep on updating similar relevant articles.
     
     Reply
     
 8.  Steve @ CyberconIQ 17th March 2023
     
     Great summary of phishing jargon! Focused and directed spear phishing is
     one of the greatest threats to an organization. The hackers know who has
     the keys to the kingdom, and how to approach them.
     
     Reply
     
 9.  Victor Malca 30th March 2023
     
     Interesting article! Many people nowadays get scammed because of those
     nonconscience people. Thank you for giving us the knowledge to have more
     ideas so we may avoid being scammed.
     
     Reply
     
 10. ranit roy 4th April 2023
     
     I enjoyed reading your post and look forward to more content on similar
     topics in the future!
     
     Reply
     
 11. Organization13 18th July 2023
     
     I really enjoyed reading your post! Learned a lot of new info.
     
     Reply
     
 12. Victor Malca 11th October 2023
     
     It is nice to read this again. This is worth sharing with others. Thank you
     so much!
     
     Reply

IT Governance Blog En Copyright © 2023.