Protecting Your Business From Different Types of Phishing Attacks
April 18, 2023
A phishing attack is a general term for a type of cyberattack in which bad actors contact a large pool of people with malicious links or software hoping to trick some into clicking. The end goal, of course, is a payday. But not all phishing is the same: IT Governance has a list of the five most common types of phishing attacks. Here’s what they are, and how you can avoid them in your business:
Email Phishing
Email phishing is the most common form of phishing out there. It might even be what you think of when you see the word phishing. That’s because it’s relatively easy to do: Hackers can access the vast library of leaked email addresses on the web to send their fake messages to, which contain either links to malicious websites, or malicious attachments, such as Word documents or OneNote files.
Hackers get creative with how they craft their malicious emails, but you can spot the signs if you look closely enough. First, check the email address the message was sent from. While the name itself might appear legitimate, click it to reveal the actual address: Often, it’s an obvious fake, but sometimes, hackers put the effort in to register a fake domain that mimics a company’s actual domain address. Just keep an eye out for any tricky details, like the use of “rn” rather than “m.”
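As an added illustration of the sender-address check described above (not code from the original article), here is a small Python triage helper that folds lookalike character sequences such as “rn” for “m” before comparing the sender’s domain against the domains you actually deal with, and separately flags display names that borrow a brand the address does not belong to. The trusted-domain list, the confusables table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Character sequences attackers substitute for the ones they resemble (the
# "rn" for "m" trick from the article, plus a few similar ones). Constructed,
# illustrative list; a real deployment would use a fuller confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def skeleton(domain: str) -> str:
    """Fold a domain to its visual skeleton so lookalikes collide with the original."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def split_from_header(from_header: str) -> tuple:
    """Return (display name, sender domain), both lowercased, from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.lower(), domain

def classify_sender(from_header: str, trusted_domains: list) -> str:
    """Triage a From: header against the domains you actually deal with.

    "trusted"       address is on a trusted domain or one of its subdomains
    "lookalike"     domain differs but folds to a trusted one (e.g. acrne.com)
    "name_mismatch" display name cites a trusted brand, the address does not
    "unknown"       nothing matched; judge the message on its other signals
    """
    name, domain = split_from_header(from_header)
    if not domain:
        return "unknown"
    trusted_domains = [t.lower() for t in trusted_domains]
    if any(domain == t or domain.endswith("." + t) for t in trusted_domains):
        return "trusted"
    if any(skeleton(domain) == skeleton(t) for t in trusted_domains):
        return "lookalike"
    # Display-name spoofing: "Acme Billing <someone@gmail.com>"
    if any(t.split(".")[0] in name for t in trusted_domains):
        return "name_mismatch"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["Acme Billing <billing@acme.com>", "Acme Billing <billing@acrne.com>",
                "Acme Support <acme.support@gmail.com>", "Bob <bob@example.org>"]:
        print(f"{classify_sender(hdr, ['acme.com']):14} {hdr}")
```

A “lookalike” or “name_mismatch” result is a reason to visit the company’s site directly rather than click anything in the message, as the article advises; it is not proof of fraud on its own.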
Almost always, phishing emails look unprofessional and sloppy when compared to the real thing. If possible, find a real email from the company to compare it to. When you can, avoid clicking on links in the email, and visit webpages directly. Be wary of any attachments, since they can be carrying malware to infect your system.
Spear Phishing
Spear phishing isn’t as common as email phishing, because it requires gathering enough information on a target before attacking. But it is dangerous, because it can be convincing: If you receive an email from someone who knows specific details about you, such as your full name, your employer, or your job title, your first instinct might be to think it’s a legitimate message. Often, these messages are framed around money. Perhaps the contact says a shared client never received a payment, and you need to send it over right now.
If the message claims to be from someone who knows you, or someone who knows someone you know (say, a coworker), contact that person directly instead of responding to the message. More often than not, the real person will have no idea what you’re talking about, so you’ll know
Whaling
Whaling is like spear phishing, only it targets high-level personnel. Often, whaling attacks impersonate someone senior to you, such as a boss, in order to coerce a payment out of you. Again, as a general rule of thumb, you should ignore any message like this, especially one asking for money. Instead, contact the “person” directly if the message claims to be from someone you know. For example, your boss will likely be surprised to hear you ask about this message of “theirs,” debunking the attack and allowing you to delete it without risk.
Smishing and Vishing
You can think of smishing and vishing as phishing over text messages and phone calls, respectively. Again, the idea here is to send out a lot of the same spammy message and hope someone bites. With smishing, you’ll get a text from someone purporting to represent a business you use or have a stake in, such as a bank alert with a convenient URL to click. Of course, if it’s a bad actor sending the message, the link leads somewhere malicious. The best thing to do, if you aren’t sure whether or not it’s actually your bank, is to contact the organization directly. If it was a real message from your bank, they’ll be able to confirm the alert and help. If it wasn’t, they can confirm that as well.
Angler Phishing
Angler phishing uses the world of social media to craft attacks to either steal data or install malware on your system. These attacks can be highly targeted, since many social media users offer up more personal details than they realize on their platforms of choice. For example, you might contact a business on Facebook or Twitter to issue a complaint. A bad actor could impersonate the business, claiming to be able to offer a refund or other type of help, if the customer provides their personal details, credit card number, etc.