USA +1 855 726 4878  |  BR +55 11 3069 3925 

Top 7 Types of Phishing Attacks and How to Prevent Them

by | Nov 17, 2022 | BLOG | 0 comments

Social engineering, in the context of information security, consists of practices performed by hackers to manipulate users to take actions that go against their interests, exploiting their vulnerability and lack of knowledge for their benefit.

One of the main types of social engineering is a phishing attack, which has been growing every day. According to the Verizon Data Breach Investigation 2022 report, 20% of data leaks in the surveyed period involved phishing.

These numbers warn us about the need of knowing the different types of phishing and how to avoid this threat – topics covered in this article. To facilitate your understanding, we divided our text into topics. They are as follows: 

  • What Is Phishing?
  • How Phishing Works
  • Top 7 Types of Phishing Attacks
  • Common Phishing Signs
  • Best Practices for Preventing Phishing Attacks
  • senhasegura GO Endpoint Manager: The Solution to Protect Against Phishing Attacks
  • About senhasegura
  • Conclusion

Enjoy the reading!

 

What Is Phishing?

Phishing is a very common type of social engineering in which hackers impersonate legitimate entities or trusted people to manipulate their victims and ask them to perform certain actions, such as providing sensitive information or clicking on malicious links.

Social engineering attacks such as phishing are present in almost all cybersecurity incidents and often involve other threats, such as network attacks, code injection, and malware. 

How Phishing Works

Typically, cybercriminals use means such as social media to gather data from their victims, such as names, roles, interests, and email addresses. 

Then, this information is used to create a false message on behalf of a trusted entity, such as banks, the victim’s workplace, or the victim’s university.

In the messages, the user is asked to download malicious attachments or click on links to malicious websites in order to collect confidential information, which may include usernames, passwords, and bank details.

Some attackers use inappropriate fonts, logos, and layouts in phishing emails, making it easier to identify them as such, but cybercriminals are increasingly getting better at this, making their messages look authentic.

Top 7 Types of Phishing Attacks

Here are the top 7 types of phishing used by cybercriminals to manipulate their victims:

Deceptive Phishing

Deceptive Phishing is the most common among types of phishing. In it, attackers impersonate a legitimate entity to access their victims’ personal data or login credentials, using messages with threats and a sense of urgency to manipulate them.

Here are some common techniques used in Deceptive Phishing:

  • Use of legitimate links in emails, including contact information of the organization they are impersonating;
  • Combination of malicious and non-malicious codes to cheat Exchange Online Protection (EOP). It is possible, for example, to replicate the CSS and JavaScript of a tech company’s login page to steal users’ account credentials;
  • Use of abbreviated URLs to deceive Secure Email Gateways (SEGs) and “time bombing” to redirect users to a phishing landing page;
  • Change of an HTML attribute in brand logos to prevent email filters from detecting the theft of the company’s symbols;
  • Emails with minimal content, often in image form, to avoid detection.

Spear Phishing

Spear Phishing is also among the types of phishing that use email, but this model is more targeted. In practice, hackers use open-source intelligence (OSINT) to gather publicly available company data. 

Then, they focus on specific users, using this information to make the victims believe the message is from someone within the organization, thus facilitating the accomplishment of their requests.

To identify Spear Phishing, one needs to be aware of unusual insider requests, shared drive links, and documents that require a user login ID and password.

Whaling

Whaling is also among the types of phishing that use OSINT. Known as Whale Phishing, Whale Fraud, or CEO Fraud, this type of attack consists of identifying the name of the organization’s CEO through social media or corporate website and sending a message posing as them and making requests to victims.

To identify this type of attack, one must pay attention to abnormal requests made by leaders who have never sent this type of message before, for example. Moreover, it is important to verify the message has not been sent to or via a personal email. 

Vishing

Vishing is voice phishing, which happens when a cybercriminal contacts their victims by phone to awaken their sense of urgency and make them respond to their requests.

To identify Vishing, it is valid to check if the phone number used is from an unusual or blocked location, if the time of the call coincides with a stressful event, such as a tax filing season, and if the personal data requested is unusual.

Smishing

Smishing is an evolution of Vishing, which is characterized by sending texts asking the user to take a certain action to change a delivery, such as clicking on a link that installs malware on their device.

One can spot it by going to the service website and checking the status of the delivery or by comparing the area code with their contact list.

Pharming

Pharming is among the most difficult types of phishing to identify. It consists of hijacking a Domain Name Server (DNS) and directing the user who enters the website address to a malicious domain.

To protect yourself against this type of attack, you need to look for websites that are HTTPS, not HTTP, and be aware of indications that the website is false, such as strange fonts, spelling errors, or incompatible colors.

Angler Phishing

Angler Phishing is a type of attack in which malicious users send notifications or messages in a social media app to convince their victims to perform certain actions.

In such cases, it is advisable to be careful about notifications that may have been added to a post with malicious links, direct messages from people who hardly use the app, and links to websites shared in direct messages.

Top 7 Types of Phishing Attacks

Here are the top 7 types of phishing used by cybercriminals to manipulate their victims:

Deceptive Phishing

Deceptive Phishing is the most common among types of phishing. In it, attackers impersonate a legitimate entity to access their victims’ personal data or login credentials, using messages with threats and a sense of urgency to manipulate them.

Here are some common techniques used in Deceptive Phishing:

  • Use of legitimate links in emails, including contact information of the organization they are impersonating;
  • Combination of malicious and non-malicious codes to cheat Exchange Online Protection (EOP). It is possible, for example, to replicate the CSS and JavaScript of a tech company’s login page to steal users’ account credentials;
  • Use of abbreviated URLs to deceive Secure Email Gateways (SEGs) and “time bombing” to redirect users to a phishing landing page;
  • Change of an HTML attribute in brand logos to prevent email filters from detecting the theft of the company’s symbols;
  • Emails with minimal content, often in image form, to avoid detection.

Spear Phishing

Spear Phishing is also among the types of phishing that use email, but this model is more targeted. In practice, hackers use open-source intelligence (OSINT) to gather publicly available company data. 

Then, they focus on specific users, using this information to make the victims believe the message is from someone within the organization, thus facilitating the accomplishment of their requests.

To identify Spear Phishing, one needs to be aware of unusual insider requests, shared drive links, and documents that require a user login ID and password.

Whaling

Whaling is also among the types of phishing that use OSINT. Known as Whale Phishing, Whale Fraud, or CEO Fraud, this type of attack consists of identifying the name of the organization’s CEO through social media or corporate website and sending a message posing as them and making requests to victims.

To identify this type of attack, one must pay attention to abnormal requests made by leaders who have never sent this type of message before, for example. Moreover, it is important to verify the message has not been sent to or via a personal email. 

Vishing

Vishing is voice phishing, which happens when a cybercriminal contacts their victims by phone to awaken their sense of urgency and make them respond to their requests.

To identify Vishing, it is valid to check if the phone number used is from an unusual or blocked location, if the time of the call coincides with a stressful event, such as a tax filing season, and if the personal data requested is unusual.

Smishing

Smishing is an evolution of Vishing, which is characterized by sending texts asking the user to take a certain action to change a delivery, such as clicking on a link that installs malware on their device.

One can spot it by going to the service website and checking the status of the delivery or by comparing the area code with their contact list.

Pharming

Pharming is among the most difficult types of phishing to identify. It consists of hijacking a Domain Name Server (DNS) and directing the user who enters the website address to a malicious domain.

To protect yourself against this type of attack, you need to look for websites that are HTTPS, not HTTP, and be aware of indications that the website is false, such as strange fonts, spelling errors, or incompatible colors.

Angler Phishing

Angler Phishing is a type of attack in which malicious users send notifications or messages in a social media app to convince their victims to perform certain actions.

In such cases, it is advisable to be careful about notifications that may have been added to a post with malicious links, direct messages from people who hardly use the app, and links to websites shared in direct messages.

Common Phishing Signs

Keeping an eye for signs is a way to protect yourself from the action of malicious attackers who use different types of phishing to manipulate their victims. The following are the main indications of this threat:

Emails Exploring a Sense of Urgency

Messages that stimulate immediate action through threats or another way of awakening a sense of urgency should be faced with suspicion. After all, in this context, the goal of hackers is to ensure their victims respond to their requests in a hurry, before they can even notice inconsistencies in the email received.

Inadequate Tone

An important feature of phishing is that messages can use inadequate language and tone. Therefore, if you receive a message from a friend with an overly formal tone, suspect.

Unusual Requests

Emails with unusual requests often consist of phishing attacks. In practice, the victim may receive a message asking them to perform an action normally performed by the IT department, for example.

Spelling and Grammar Mistakes

In general, organizations often set up spellchecking of their emails. Thus, it is important to pay attention to spelling and grammatical mistakes that may indicate a phishing attack.

Incompatible Web Addresses

Another way to detect phishing attacks is by comparing the sender’s address with previous communication, which may point to incompatibility.

To do this, simply hover over the link in an email before clicking on it to see its true destination.

Unexpected Requests

Often, cybercriminals use fake login pages associated with emails that appear to be legitimate. On these pages, they can request financial information, which should in no way be provided by users without them checking the website that allegedly sent the email.

Are you enjoying this post? Join our Newsletter!

Newsletter Blog EN

6 + 1 =

We will send newsletters and promotional emails. By entering my data, I agree to the Privacy Policy and the Terms of Use.

 

Best Practices for Preventing Phishing Attacks

Here are some best practices to prevent different types of phishing:

Train Your Employees

Educating your employees is the first step you should take to prevent phishing attacks, after all, unprepared people are an easy target for malicious agents. Nevertheless, the training offered must go beyond the traditional approach and include recent and sophisticated threats.

Use Email Filters

Usually associated with spam, email filters go beyond this capability and indicate threats related to phishing attacks. In practice, using an email filter can prevent the user from receiving a large number of phishing emails.

Ensure Protection Against Malicious Websites

Knowing that organizations are filtering emails to prevent phishing, cybercriminals have been attacking website codes. 

So, you must install website alerts in browsers so that they point out possible risks to end users.

Limit Internet Access

Another way to reduce the risks associated with malicious websites is to create access control lists, which deny the connection to certain websites and applications to everyone who tries.

Require the Use of Multi-factor Authentication

One of the main goals of cybercriminals is to steal users’ credentials, a risk that can be reduced by using multi-factor authentication (MFA). 

In practice, this mechanism requires the user to use two or more items to authenticate themselves by combining something they know (such as a password), something they have (such as a token), and something associated with who they are (such as fingerprint or facial recognition).

Remove Fake Websites

You can count on solutions that monitor and eliminate counterfeit versions of your website. This way, you can prevent your employees and customers from clicking on malicious links.

Back Up Regularly

It is very common for phishing attacks to be associated with malware, including ransomware, which can impact the productivity of your business if you do not have a data backup program.

senhasegura GO Endpoint Manager: The Solution to Protect Against Phishing Attacks

One of the most effective solutions to prevent different types of phishing is senhasegura GO Endpoint Manager, which allows you to protect computers remotely connected to Windows and Linux endpoints. 

This tool:

  • Allows you to control lists of authorized, notified, and blocked actions for each user, reducing threats related to the installation of malicious software and privilege abuse;
  • Ensures compliance with regulations such as PCI, ISO, SOX, GDPR, and NIST;
  • Enables provisioning and revocation of access for privileged local users, without having to install any agent on the target device;
  • Records all requests for the use of administrative credentials in session logs; and
  • Allows the segregation of access to confidential information, isolating critical environments and correlating environments.

About senhasegura

senhasegura guarantees the digital sovereignty of organizations. This is because it acts by avoiding the traceability of actions and loss of information on devices, networks, servers, and databases.

Our services are also useful to bring our customers into compliance with audit criteria and strict standards such as PCI DSS, Sarbanes-Oxley, ISO 27001, and HIPAA.

Conclusion

In this article, you saw what phishing is, how this cyberattack works, what the different types of phishing are, and how to identify them. We have also shown the features of senhasegura GO Endpoint Manager and how it contributes to avoiding this threat.  

Do you need this solution in your company? Contact us.

ALSO READ IN SENHASEGURA’S BLOG

ISO 27001: 4 Reasons to Implement It in Your Company

What to Do to Prevent Social Engineering Attacks?

Top 5 Cyber Threats to Healthcare Organizations

$13 million growth investment drives senhasegura’s expansion in North America and the Middle East

Written by Priscilla Silva São Paulo, March 10, 2023 - senhasegura, an award-winning Privileged Access Management (PAM) solution provider that protects corporate IT environments and critical resources from cyber threats, announces a $13 million funding round from...

senhasegura wins CyberSecured 2022 award as best PAM solution in the USA

Written by Priscilla Silva SÃO PAULO, February 28 of 2023 - The 2022 edition of the CyberSecured awards, promoted by Security Today magazine, a brand of 1105 Media's Infrastructure Solutions Group, elected senhasegura as the winner in the Privileged Access Management...

How User and Entity Behavior Analytics Helps Cybersecurity

Cyberattacks are increasingly sophisticated, making traditional digital security tools insufficient to protect organizations from malicious actors. In 2015, Gartner defined a category of solutions called User and Entity Behavior Analytics (UEBA).Its big advantage is...

Best Practices for Consolidating Active Directory

This article was developed especially for you, who have questions about the best practices for consolidating Active Directory. First of all, you need to understand that directory services have the role of organizing important information for companies in a centralized...

senhasegura introduces the “Jiu-JitCISO” concept to show the power of Brazilian cybersecurity

Written by Priscilla Silva São Paulo, January 13, 2023 - "Like Jiu-Jitsu senhasegura is about self-defense. Every company must know how to protect itself and its clients". This is the aim based on the philosophy of the Japanese martial art, but made popular and...