Phishing Security Awareness Training: 15 Types of Phishing Attacks You Should Know in 2020
Orhan Sari
2020 was an important year for cyberattacks, which caused losses of hundreds of millions of dollars globally. It has become essential for companies to assess and detect the cyber risks that phishing poses.
According to our phishing statistics, a phishing attack does not just focus on obtaining information; it can also be used to spread malicious programs, like ransomware. Email attachments are still the primary delivery method for malicious software, and 97% of users cannot identify a sophisticated phishing email.
In this blog, we will illustrate 15 types of phishing attacks you should know in 2020.
1. Email Phishing
Email phishing is the common form of phishing email: it is intended to impersonate a genuine organization but does not target a particular person or organization. Usually, criminals send generic emails to millions of addresses and expect some naive users to click on the fake link or download the malicious attachment.
Because they are not prepared for particular persons, these emails use general salutations like “Dear” or “Hi”. Sometimes they create panic or fear with words like ‘URGENT’ to push users into clicking the fake link or downloading the malicious attachment.
2. Spear Phishing
Spear phishing occurs when criminals send phishing emails to specific, well-researched targets while posing as a legitimate sender. Using spear-phishing attacks, criminals can infect devices with malware or persuade targets to hand over sensitive data or money.
Spear phishing differs from standard email phishing in that criminals create more advanced and sophisticated campaigns to penetrate the target organization or system.
3. Whaling
Whaling is another malicious, mischievous member of the phishing family: a more targeted version of spear phishing that focuses on a specific person, usually a high-ranking C-suite executive like a CFO or CEO. The aim of whaling can range from high-value money transfers to trade secrets. Since the target is a high-profile representative, the term whaling indicates the target’s high value.
4. Baiting
Baiting is phishing’s deceptive cousin: it lures an unsuspecting victim with a highly attractive offer that plays on anxiety, fear, greed, or temptation to make them part with sensitive personal data like account details.
Having captured confidential personal details such as a password or banking information such as a PIN through these fraudulent means, criminals can access your business networks and systems and install malware that executes ransomware.
5. Watering Hole Attacks
A watering hole attack is a phishing technique where cybercriminals identify and monitor the websites favored by a particular organization or company, then attempt to infect these websites with malicious code. An unsuspecting user then falls victim through one of the infected links, downloads, etc. Cybercriminals may also choose to target specific IP addresses to obtain the particular data they are looking for, making the attacks harder to identify and take preemptive action against.
6. Tailgating
Tailgating, also called piggybacking, is a popular social engineering attack method. It is a physical rather than virtual attack, in which an unauthorized person enters a restricted area of an organization or building to commit a cybercrime such as stealing confidential information.
7. SMS phishing
Smishing, or SMS phishing, occurs when an attacker sends a fraudulent text message instead of a phishing email to entice the target to hand over sensitive data or install malware. Generally, the text message contains a fake link to a phony website that closely resembles the legitimate site and asks the recipient to submit their credentials.
8. Vishing
Vishing, or voice phishing, occurs when an attacker calls the target instead of sending a phishing email or SMS and attempts to lure the victim into giving up sensitive data over the phone. Generally, criminals manipulate human emotions, like fear, compassion, and desire, to entice victims to hand over sensitive data or money.
9. Ad Phishing
Ad Phishing or ad fraud occurs when criminals attempt to cheat digital advertising networks for financial gain, generally using bots to carry out ad fraud.
Some types of ad phishing are as follows:
- Hidden ads
- Click hijacking
- Fake app installation
- Botnet ad fraud
11. Business Email Compromise (BEC)
Business Email Compromise (BEC) is an important threat to email security that occurs when criminals target companies that conduct wire transfers and have suppliers abroad. Email accounts belonging to executives or high-level employees related to finance or who are involved with online payments are either spoofed or compromised through malware like keyloggers or phishing attacks, and fraudulent transfers are carried out to steal that money.
12. CEO Fraud
CEO Fraud occurs when criminals target a company by impersonating its CEO. It is a type of spear-phishing attack in which criminals aim to lure the victims into sending money to the criminals’ bank account or handing over sensitive information.
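The indicators described above for generic email phishing (generic salutation, urgency wording), BEC and CEO fraud (an executive's name on an external address, replies redirected elsewhere) can be checked mechanically before a message reaches an inbox. The following is an added example written for this post, not code from the original article: it parses a raw message with Python's standard-library email package and reports which indicators it finds. The company domain, the executive directory and both sample messages are constructed for the example and are not real addresses or real mail.

```python
"""Screen a raw email for BEC / CEO-fraud and mass-phishing indicators.

Added example; the domain, executive list and messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed directory
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "wire")
# A salutation line that names nobody, e.g. "Hi," or "Dear" on a line by itself.
GENERIC_SALUTATION = re.compile(r"^\s*(dear|hi|hello)\s*[,!]?\s*$", re.I | re.M)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw: str) -> list:
    """Return the list of indicator names found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Display-name impersonation: a known executive's name on an address
    # outside the company domain (the classic CEO-fraud From header).
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("exec_display_name_external_address")

    # Reply-To that silently routes answers to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("reply_to_domain_mismatch")

    # Mass-phishing tells: pressure words and an impersonal greeting.
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{subject}\n{body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency_language")
    if GENERIC_SALUTATION.search(body):
        findings.append("generic_salutation")
    return findings


# Constructed sample: a CEO-fraud style request (not a real message).
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-corp-mail.com>
Reply-To: ceo.office@free-mail.example
To: accounts@example-corp.com
Subject: URGENT wire transfer needed today
Content-Type: text/plain; charset="utf-8"

Hi,
I am in a meeting and cannot talk. Please process the attached wire
immediately and confirm by reply.
"""

# Constructed sample: an ordinary internal message.
SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review notes
Content-Type: text/plain; charset="utf-8"

Hello team,
Attached are the notes from yesterday's budget review.
"""

if __name__ == "__main__":
    print(screen_message(SAMPLE_CEO_FRAUD))
    print(screen_message(SAMPLE_BENIGN))
```

Each indicator on its own is weak (legitimate mail does use Reply-To and the word "urgent"), so a filter would normally score them rather than block on any single hit; the executive-name-on-external-address check is the one that most directly matches the CEO-fraud pattern and is usually weighted highest.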
13. Clone Phishing
A clone phishing attack occurs when criminals copy or clone a genuine email message that was sent by a legitimate organization. The criminals reconstruct the email by replacing the real link with a fake one, or by adding extra fake links, that redirect to their malicious websites.
14. Search Engine Phishing
Search engine phishing occurs when cybercriminals manipulate online search engines. While searching, victims may see results that lure them to the malicious website. The search itself is entirely legitimate, but the website that appears is fake and designed to steal the victims’ data or money.
15. Website Spoofing
Website spoofing is a phishing technique in which criminals create a fake website to convince victims that it is real and legitimate. Usually, the spoofed website has the same design as the target website and uses a similar URL to deceive victims.
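Both the swapped link of a cloned message (clone phishing, above) and the "similar URL" of a spoofed site (website spoofing) leave traces in the HTML that a filter can look for. The following is an added example written for this post, not code from the original article: it extracts every anchor from an HTML body with Python's standard-library HTMLParser, flags anchors whose visible text names one domain while the href points to another, and flags hrefs whose domain is not on an allowlist but becomes an allowed domain after folding common look-alike characters or is within a small edit distance of one. The allowlist, the look-alike table and the sample HTML are constructed for the example; the "last two labels" reduction of a hostname is a simplification that assumes no multi-label public suffixes such as co.uk.

```python
"""Flag link-text/href mismatches and look-alike domains in HTML mail.

Added example; the allowlist and sample HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_DOMAINS = {"example-bank.com", "example-corp.com"}   # assumed allowlist

# Single characters often swapped for look-alikes in spoofed hostnames.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def fold_lookalikes(host: str) -> str:
    """Normalise common substitutions (rn->m, vv->w, digits->letters)."""
    host = host.lower().replace("rn", "m").replace("vv", "w")
    return host.translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough here to keep it dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'last two labels' reduction (assumes no multi-label public suffix)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html: str, allowed=ALLOWED_DOMAINS, max_distance: int = 2) -> list:
    """Return (indicator, detail, detail) tuples for suspicious anchors."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = registrable(urlparse(href).hostname or "")

        # Clone-phishing tell: the text shows a URL whose domain is not the href's.
        text_host = ""
        if "." in text and " " not in text:
            candidate = text if "://" in text else "http://" + text
            text_host = registrable(urlparse(candidate).hostname or "")
        if text_host and text_host != host:
            findings.append(("text_href_mismatch", text, href))

        # Spoofing tell: not an allowed domain, but nearly one.
        if host and host not in allowed:
            folded = fold_lookalikes(host)
            for good in sorted(allowed):
                if folded == good or levenshtein(folded, good) <= max_distance:
                    findings.append(("lookalike_domain", host, good))
    return findings


# Constructed sample body: one cloned link, one genuine link, one typo-squat.
SAMPLE_HTML = """
<p>Your statement is ready.</p>
<a href="https://login.examp1e-bank.com/reset">https://example-bank.com/account</a>
<a href="https://example-corp.com/docs">Policy document</a>
<a href="http://example-bank.co/x">Click here</a>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_HTML):
        print(finding)
```

The digit-folding step is deliberately aggressive: an allowlisted domain that legitimately contains digits would also be folded, so in practice the allowlist is folded the same way before comparison, and the edit-distance threshold is kept low (2 here) to avoid flagging unrelated short domains.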
How to Prevent Phishing Attacks?
- Encrypt all sensitive company data.
- Train your employees and conduct security training sessions using simulated phishing scenarios.
- Use a spam filter that detects viruses, malware, blank senders, etc.
- Use an email security testing tool to evaluate your email security vulnerabilities.
- Keep all systems updated with the latest security patches.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a phishing security policy that includes, but is not limited to, password expiration and complexity.
- Use a web filter to block malicious websites.
- Convert HTML email into text-only email communications, or disable HTML email messages, for email security.
- Require encryption for employees who are telecommuting.
- Use cyber threat intelligence services to stay one step ahead of attackers.
- Lastly, have an incident response plan in case a real attack occurs.