By Ben Warriner
This is Part 2 of a 4-part series on cybersecurity. We previously focused on what phishing was and how to identify it. Now we’re going to dive into the various types of phishing emails that you need to be aware of. Stay tuned for more!
Types of Phishing Emails
Email phishing is the most common form of phishing. This type of attack uses tactics like phony hyperlinks to lure email recipients into sharing their personal information. Attackers often masquerade as a large account provider like Microsoft or Google, or even a coworker.
Malware phishing is another prevalent phishing approach. This type of attack involves planting malware* disguised as a trustworthy attachment (such as a resume or bank statement) in an email. In some cases, opening a malware attachment can paralyze entire IT systems.
*Malware describes malicious applications or code that damage or disrupt the normal use of endpoint devices.
Here's a short video showing what can happen if you're not careful with phishing emails.
Spear phishing targets specific individuals by exploiting information gathered through research into their jobs and social lives. These attacks are highly customized, making them particularly effective at bypassing basic cybersecurity**.
**Cybersecurity is a set of processes, best practices, and technology solutions that help protect your critical systems and network from digital attacks.
Here's a brief explainer for spear phishing:
Whaling occurs when bad actors target a “big fish” like a business executive or celebrity. These scammers often conduct considerable research into their targets to find an opportune moment to steal login credentials or other sensitive information. If you have a lot to lose, whaling attackers have a lot to gain.
Here's a brief explainer on whaling:
Smishing, a combination of the words “SMS” and “phishing,” involves sending text messages disguised as trustworthy communications from businesses like Amazon or FedEx. People are particularly vulnerable to SMS scams because text messages arrive in plain text and come across as more personal.
Here's a brief explainer about smishing:
Vishing is when attackers in fraudulent call centers try to trick people into providing sensitive information over the phone. In many cases, these scams use social engineering to dupe victims into installing malware onto their devices in the form of an app.
Here's a brief explainer on vishing:
Angler phishing is like vishing, but instead of a phone call, attackers reach out by direct messaging on social media platforms. Victims are targeted by fake customer service agents. These attacks have even tricked professional anti-scammers, so don't underestimate the efficacy of this method.
Here's a brief explainer on angler phishing:
Clone phishing is when a scammer tries to replicate a legitimate branded email you may have already received while sneaking in a malicious link or attachment. In some cases, the cloned email may have something like “resending” or “sending this again” to make you think that it is from the original sender. An example of clone phishing is receiving an email twice, but with one of them coming from a slightly different email address. For example, you receive two identical emails, one from “[email protected]” and the other from “[email protected].”
As phishing has evolved, it has taken on a variety of names—including spear phishing, smishing—and phishing attacks come through a variety of channels, including compromised websites, social media, fake ads, QR codes, attachments and text messages.
Quishing is when scammers send phishing emails that contain QR codes. These emails pose as a credible company and ask you to scan the QR code in the email. For example, they may say that your payment from an online purchase didn’t go through and that you need to re-enter your credit card information by scanning the QR code. Unsuspecting victims scan the QR code, land on a legitimate-looking website, and enter their payment information. Now the cybercriminal has access to their credit card information.
Follow these tips to avoid becoming a victim of QR code scams:
- Preview the QR code link. A preview of the URL should appear on your phone when you scan a QR code. Make sure the URL seems legitimate and that it isn’t a misspelling of a real URL (for example, “Microsaft.com” instead of “Microsoft.com”).
- Check for tampering. If you’re scanning a QR code that’s in a public place, like a restaurant, make sure the QR code doesn’t have a sticker over it that a scammer could have placed.
- Check the website. If you follow the QR code link, ask yourself if the website seems professional. Low-quality images and typos are signs of fraudulent websites. Look for a lock symbol next to the URL or https:// in the URL, which indicate a secure connection.
- If in doubt, contact the company. If you receive an unusual email or letter in the mail from a business with a QR code, contact the business to figure out if the message is legitimate.
- Don’t scan or open QR codes from strangers. Whether you’re approached online or in the street, don’t scan QR codes from people that you don’t know. Be on the lookout for “too good to be true” messages, like a stranger offering you money or free products if you scan their QR code.
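Added example, not from the original post: a Python check that applies the tips above (preview the link, look for https, watch for misspellings such as Microsaft.com) to a URL decoded from a QR code, and runs the same look-alike test on a sender domain for the clone phishing case described earlier. The brand list, the edit-distance threshold and the sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed list of brands the post names as commonly impersonated senders.
KNOWN_BRANDS = ["microsoft.com", "google.com", "amazon.com", "fedex.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_warnings(host: str) -> list[str]:
    """Red flags for a hostname or e-mail domain measured against KNOWN_BRANDS.
    Simplification (assumption): the registrable domain is taken as the last two
    labels, so multi-part suffixes such as co.uk are not handled."""
    host = host.lower().rstrip(".")
    domain = ".".join(host.split(".")[-2:])
    warnings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (may hide look-alike characters)")
    if domain in KNOWN_BRANDS:
        return warnings  # genuinely the brand's own domain (or a subdomain of it)
    for brand in KNOWN_BRANDS:
        if brand in host:  # brand name used as a subdomain of an unrelated domain
            warnings.append(f"'{brand}' appears inside unrelated domain {domain}")
        elif 0 < levenshtein(domain, brand) <= 2:  # a near-miss such as Microsaft.com
            warnings.append(f"{domain} is one or two edits away from {brand}")
    return warnings


def check_qr_url(url: str) -> list[str]:
    """Warnings for a URL decoded from a QR code; an empty list means no red flags."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    warnings = [] if parsed.scheme == "https" else ["not https"]
    return warnings + lookalike_warnings(parsed.hostname or "")


def check_sender(address: str) -> list[str]:
    """Same look-alike test on the domain of a From: address (clone phishing)."""
    return lookalike_warnings(address.rpartition("@")[2])
```

An https lock only shows the connection is encrypted; phishing sites use https too, so the domain check carries more weight than the lock.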
Here’s a news report about QR codes being used in real life to scam people:
In Part 3 we’re going to cover Business Email Compromise and Account Takeover Attacks.
Check out Part 1, Part 3, and Part 4 of this series.
Ben Warriner is a Network Security Specialist for Region 7 ESC and has been a Certified Information Security Manager® (CISM®) since 2019. He has worked at the ESC since 2009 and has been working on the cybersecurity of the ESC since 2014.