Phishing is an old tactic of hackers (the first recorded phishing email was around 1995), but it continues to be one of their favorites. In fact, it was the most common type of cybercrime in 2020 with over 241,324 reported incidents — almost double the 114,702 incidents in 2019.
Not only that, but 75% of organizations worldwide also encountered a phishing scam in 2020. In the United States, 74% of organizations fell victim to a successful phishing attack — 30% higher than the global average.
To help protect your company, we’ve compiled four common types of phishing attacks:
1. Deceptive phishing
The most common type of phishing involves a mass-mailed message wherein the sender impersonates a legitimate person or organization in an attempt to trick the recipient into clicking on a link or downloading a malicious file, among many others.
This attack typically relies on spoofed email addresses that closely resembles that of the person or organization being imitated. For example, a recipient may receive a warning email from email@example.com that their password is expiring, so they should update it by clicking on the given link. However, if they do click on the link and try to log in via the spoofed login page, they unwittingly hand over their access credentials to the phisher.
Other common characteristics of this attack include:
- Generic salutations
- Spelling and grammar mistakes
- Modified brand logos
- Shortened URLs
- Use of threats and a sense of urgency
2. Spear phishing
In contrast to the generic phishing email, a spear phishing email is tailored to its target — commonly including their name, position, company, work phone number, and other details — to make it seem as natural and believable as possible. Research is key to learning information such as who the intended victim communicates with and the kinds of discussions they have. This is why spear phishing is common in social media sites like LinkedIn where there are multiple data sources.
An example of spear phishing happened in 2017 when cybersecurity professionals received an email about the Cyber Conflict US conference. This is an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. While the conference is real, the email attachment actually contains a malicious macro that would download and execute the Seduploader malware.
Whaling operates the same way as spear phishing, but just as its name suggests, it targets “whales” or those in senior management positions such as the CEO, CFO, and other top executives. They are specifically targeted by cybercriminals because they have access to more financial accounts and more valuable information than lower-level employees.
Related reading: How to avoid falling for phishing scams
BEC or CEO fraud usually takes place after a whaling attack on a high-level executive had been successful in stealing that executive’s login credentials. Using the compromised account, the attacker usually lurks and monitors email activity first before sending a message to a regular recipient. This way, the recipient will more likely follow the instructions in the email such as transferring money into an external bank account — the attacker’s account.
Some of the most expensive phishing scams in history involved CEO fraud. For example, in 2016, fraudsters got hold of the email account of Crelan Bank’s CEO and used it to trick an employee into executing wire transfers amounting to $75.8 million. The very same tactic was used when Chinese-owned plane parts maker FACC’s CEO’s email account was hacked, causing the company to lose $61 million.
Safeguard your business using SpectrumWise’s state-of-the-art filtering programs that block phishing attempts and other email-based attacks. Contact us today to learn more.