Types of Phishing Attacks:
1). CEO Fraud/Business Email Compromise
A business email compromise (BEC) is an exploit in which the attacker gains access to a corporate email account and spoofs the owner’s identity to defraud the company or its employees, customers, or partners of money. In some cases, an attacker simply creates an account with an email address that is very similar to one on the corporate network. BEC is also referred to as a man-in-the-email attack.
2). Clone phishing
The idea behind a clone phishing attack is to take advantage of legitimate messages that the victim may have already received and create a malicious version of them. The attack creates a virtual replica of a legitimate message (hence the attack’s clever name) and sends it from an email address that looks legitimate. Any links or attachments in the original email are swapped out for malicious ones.
3). Domain spoofing
The next type of phishing we want to mention is known as domain spoofing. This method of attack uses either email or fraudulent websites. Domain spoofing occurs when a cybercriminal “spoofs” an organization’s or company’s domain, either to make their emails look like they are coming from the official domain, or to make a fake website look like the real deal by adopting the real site’s design and using a similar URL or Unicode characters that look like ASCII characters.
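The lookalike addresses used in BEC and the Unicode-for-ASCII trick used in domain spoofing can both be caught by the same check on a sender or link domain. The following is an added example, not code from the original article; the trusted domain list, the confusables table (a small subset of the real Unicode confusables data) and the edit-distance threshold are assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of the organisation's own domains (placeholder values).
TRUSTED_DOMAINS = {"example.com", "example-corp.com"}

# Partial table of non-ASCII letters that render like ASCII ones (mostly Cyrillic);
# a production check would use the full Unicode confusables list.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u0261": "g",
})

def ascii_fold(domain: str) -> str:
    """Map confusable letters to ASCII and strip accents, so Cyrillic 'еxample' -> 'example'."""
    folded = unicodedata.normalize("NFKD", domain.translate(CONFUSABLES))
    return folded.encode("ascii", "ignore").decode()

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> str:
    """Return 'trusted', 'homoglyph', 'lookalike' or 'unknown' for a sender or URL domain."""
    domain = domain.rstrip(".").lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Punycode (xn--) labels are what the wire carries; decode to the form the user sees.
    try:
        shown = domain.encode("ascii").decode("idna") if domain.isascii() else domain
    except UnicodeError:
        shown = domain
    if not shown.isascii() and ascii_fold(shown) in TRUSTED_DOMAINS:
        return "homoglyph"
    # Typosquats sit a couple of edits away from a trusted name (exampel.com, example.co).
    if min(levenshtein(shown, t) for t in TRUSTED_DOMAINS) <= 2:
        return "lookalike"
    return "unknown"

def sender_domain(header_value: str) -> str:
    """Domain of a From: header such as 'CEO <ceo@exampel.com>'."""
    return parseaddr(header_value)[1].rpartition("@")[2]
```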
4). Evil Twin
An evil twin attack is a form of phishing that capitalizes on Wi-Fi. An evil twin is defined as “a rogue wireless access point that masquerades as a legitimate Wi-Fi access point so the attacker can gather personal or corporate information without the end-user’s knowledge.” This type of attack has also been referred to as the Starbucks scam because it often takes place in coffee shops. Evil twin phishing involves a cybercriminal creating a Wi-Fi hotspot that looks like the real one. They will even use a service set identifier (SSID) that is the same as the real network’s. When end-users connect, the attacker can eavesdrop on their network traffic, steal their account names and passwords, and view any attachments that the user accesses while connected to the compromised hotspot.
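Because the twin copies the SSID, the defender’s tell is a radio advertising a known SSID from a BSSID that is not in the access point inventory, or from a cloned BSSID with the wrong security settings. The following is an added example, not code from the original article; the inventory, the scan records and the `(ssid, bssid, security, channel)` record shape are constructed assumptions.

```python
# Constructed inventory of the organisation's own access points: SSID -> {BSSID: security}
# (placeholder MAC addresses, not real hardware).
KNOWN_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01": "WPA2", "aa:bb:cc:00:00:02": "WPA2"},
}

# Constructed scan records (ssid, bssid, security, channel), in the shape a wireless
# IDS sensor or a periodic scan might hand to a script.
SCAN = [
    ("CorpWiFi", "aa:bb:cc:00:00:01", "WPA2", 6),
    ("CorpWiFi", "aa:bb:cc:00:00:02", "WPA2", 11),
    ("CorpWiFi", "de:ad:be:ef:00:01", "OPEN", 6),  # our name, a radio we do not own, no encryption
    ("CafeGuest", "12:34:56:78:9a:bc", "OPEN", 1),  # unrelated network, not impersonating us
]

def find_evil_twins(scan, known=KNOWN_APS):
    """Return one alert per radio that advertises one of our SSIDs but is not one of our APs."""
    alerts = []
    for ssid, bssid, security, channel in scan:
        if ssid not in known:
            continue  # a foreign SSID is not a twin of ours
        bssid, security = bssid.lower(), security.upper()
        reasons = []
        if bssid not in known[ssid]:
            reasons.append("BSSID not in inventory")
        elif known[ssid][bssid] != security:
            # Cloning our BSSID but not our security settings still gives the game away.
            reasons.append(f"security changed from {known[ssid][bssid]} to {security}")
        # A same-named open network is the classic coffee-shop twin: no key needed to join.
        if reasons and security == "OPEN":
            reasons.append("open network using our SSID")
        if reasons:
            alerts.append({"ssid": ssid, "bssid": bssid, "channel": channel, "reasons": reasons})
    return alerts
```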
5). HTTPS Phishing
We recently wrote about how URL-based attacks are on the rise. The approach cybercriminals use in these attacks is to send an email with only a legitimate-looking link in the email body. There is often no other content except for the link itself. This includes sending the messages from an email address that appears legitimate, such as from the recipient’s boss, co-worker, or the CEO.
6). Smishing
SMS phishing or “smishing” is a form of phishing that capitalizes on the world’s addiction to text messaging and instant communications. Smishing is a way for cybercriminals to lure users into downloading malicious payloads by sending text messages that appear to come from legitimate sources and contain malicious URLs for them to click on.
7). Spear phishing
A spear-phishing attack is a targeted form of phishing. Unlike general phishing emails that use spam-like tactics to blast thousands of people in massive email campaigns, spear-phishing emails target specific individuals within an organization. They use social engineering tactics to tailor and personalize the emails to their intended victims. They may use email subject lines on topics of interest to the recipients to trick them into opening the message and clicking on links or attachments.
8). Vishing
You already read about smishing and understand that it is phishing over SMS messaging. So, if you guessed that “vishing” is “voice phishing” (phishing over the phone), you are correct. A vishing attack occurs when a criminal calls your phone to try to get you to provide personal or financial information. They often use automated calls that re-route individuals who fall for their tactics so that they end up speaking with the criminals themselves. They also use mobile apps and other techniques to spoof their phone number or to hide it entirely. These attackers frequently use a variety of social engineering tactics to trick you into providing this information.
9). Watering hole phishing
This lesser-known type of phishing attack is reminiscent of a scene from the animal kingdom. Picture a group of zebras, antelope, and other creatures on the Serengeti at a watering hole. To cool themselves they edge nearer to the water and lean in to take a drink. One zebra decides to get a little cooler and wanders a little too far from the herd into the water.
Watering hole phishing attacks target businesses by identifying specific websites that your company or employees visit most often and infecting one of those sites with malware. The site selected for infection might belong to a vendor whose services your company uses. The goal is to infect the website so that when you or your employees visit, your computers are automatically loaded with malware. This gives the attackers access to your network, servers, and sensitive information such as personal and financial data.