Do you know your spear phishing and vishing from your whaling and clone phishing? We explain how to recognize each type of threat as AI inaugurates the deepfake era of impersonation scams.

Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, launch fraudulent transactions, or trick someone into downloading malware. Indeed, Verizon's 2024 Data Breach Investigations Report finds phishing to remain among the top threat actions associated with breaches.

Enterprises regularly remind users to beware of phishing attacks, but many users don't really know how to recognize them, and humans tend to be bad at recognizing scams. According to Proofpoint's 2024 State of the Phish report, more than 70% of employees admit to risky behavior that leaves them vulnerable. This speaks to both the sophistication of attackers and the need for equally sophisticated security awareness training, which many companies fail to provide adequately.

Add in the fact that not all phishing scams work the same way (some are generic email blasts, others are carefully crafted to target a very specific type of person) and it gets harder to train users to know when a message is suspect. Let's look at the different types of phishing attacks and how to recognize them.

Phishing: Mass-market emails

The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging in to a website or downloading malware. These attacks frequently rely on email spoofing, where the message's From header is forged so that the message appears to come from a trusted sender. Because the From header is written by the sending system and is not authenticated by SMTP itself, a forged one looks like any other unless the receiving mail server checks it with SPF, DKIM and DMARC. But phishing attacks don't always look like a UPS delivery notification, a PayPal warning about an expiring password, or an Office 365 email about storage quotas.
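Spoofing as described above comes down to headers the sender controls, so the checks have to look past the display name. The following is an added example, not code from the original article: it parses a message's headers with Python's standard email library and flags display-name spoofing, a lookalike sending or Reply-To domain, a Reply-To that differs from the From address, and failed SPF, DKIM or DMARC verdicts in the Authentication-Results header stamped by the receiving server. It goes beyond the mass-market case by also catching the lookalike domains used in more targeted attacks. The trusted-domain list, brand map, confusable table and the three sample messages are constructed assumptions.

```python
"""Sender-spoofing checks on inbound mail headers (added example; the sample
messages, trusted domains and brand map are constructed assumptions)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation treats as legitimate, including its own.
TRUSTED_DOMAINS = {"paypal.com", "ups.com", "microsoft.com", "example-corp.com"}
# Assumption: brand words seen in display names, mapped to the owning domain.
BRAND_OWNERS = {"paypal": "paypal.com", "ups": "ups.com",
                "microsoft": "microsoft.com", "office 365": "microsoft.com"}
# Swaps used to build lookalike domains: digits for letters, letter pairs that
# render like one letter, and a few Unicode homoglyphs (Cyrillic a/e, Greek o).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("\u0131", "i"), ("\u0430", "a"), ("\u0435", "e"),
               ("\u03bf", "o")]

def normalize(domain):
    """Fold a domain to the plain ASCII string it visually imitates."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def owned_by(domain, owner):
    # True for the owner itself and for subdomains such as service.paypal.com.
    return domain == owner or domain.endswith("." + owner)

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if any(owned_by(domain, t) for t in TRUSTED_DOMAINS):
        return None
    norm = normalize(domain)
    tokens = set(re.split(r"[.\-]", norm))
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == trusted:                  # homoglyph or digit swap
            return trusted
        if trusted.split(".")[0] in tokens:  # brand label buried in a longer name
            return trusted
    return None

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw):
    """Return a list of findings for one RFC 5322 message (empty means clean)."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Display-name spoofing: a brand in the friendly name, address elsewhere.
    for brand, owner in BRAND_OWNERS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()) and not owned_by(from_domain, owner):
            findings.append(f"display-name spoof: '{name}' sent from {from_domain}")
            break
    # 2. Lookalike sending domain.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike domain: {from_domain} imitates {target}")
    # 3. Reply-To pointing somewhere other than the sender, a BEC staple.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {from_domain} -> {reply_domain}")
        target = lookalike_of(reply_domain)
        if target:
            findings.append(f"lookalike domain: {reply_domain} imitates {target}")
    # 4. SPF/DKIM/DMARC verdicts stamped by the receiving MTA. SMTP does not
    # authenticate the From header, so these verdicts are the real evidence.
    results = msg.get("Authentication-Results", "").lower()
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results):
        if verdict == "fail":
            findings.append(f"{mech} failed")
    return findings

# Constructed sample messages, not real mail.
SPOOFED_PAYPAL = """\
From: "PayPal Support" <alerts@paypa1-secure.com>
Reply-To: PayPal Billing <paypal.billing@gmail.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=paypa1-secure.com; dkim=none; dmarc=none

Please sign in to keep your account active.
"""
BEC_REPLY_TO = """\
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
Reply-To: <jane.doe@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail

Please wire the attached invoice today and keep this confidential.
"""
LEGITIMATE = """\
From: "PayPal" <service@paypal.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass

Your statement is available in your account.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_PAYPAL), ("bec", BEC_REPLY_TO), ("legit", LEGITIMATE)):
        print(label, check_sender(raw) or ["clean"])
```

Two caveats when running this against real mail: internationalized domains arrive as xn-- labels, so decode them with Python's idna codec before passing them to lookalike_of, and a passing SPF or DKIM result only proves the message came from the domain named in the headers, not that the domain is the one it resembles, which is why the lookalike check is separate from the authentication check.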
Some attacks are crafted to target specific organizations and individuals, and others rely on methods other than email. And with generative AI on the rise, phishing attempts are becoming highly convincing and can be created more quickly, giving old scams new life.

Spear phishing: Going after specific targets

Phishing attacks get their name from the notion that fraudsters are fishing for random victims using spoofed or fraudulent email as bait. Spear phishing extends the analogy: the attacker targets specific high-value victims and organizations. Instead of trying to get banking credentials from 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses. A nation-state attacker may target an employee of another government's agency, or a government official, to steal state secrets. For example, the Iranian cyberespionage group APT42 is known for sophisticated spear-phishing that impersonates multiple organizations and individuals known to, or of interest to, its victims.

Spear phishing is extremely successful because the attacker spends time crafting content specific to the recipient, such as referencing a conference the recipient has just attended, or naming a malicious attachment after a topic the recipient is interested in. In a 2017 campaign, Group 74 (aka Sofacy, APT28, Fancy Bear) targeted cybersecurity professionals with an email purporting to relate to the Cyber Conflict U.S. (CyCon U.S.) conference, an event organized by the United States Military Academy's Army Cyber Institute and the NATO Cooperative Cyber Defence Centre of Excellence.
While CyCon is a real conference, the attachment was a document carrying a malicious Visual Basic for Applications (VBA) macro that downloaded and executed reconnaissance malware called Seduploader. The lure works because the document looks like expected conference material; the macro still needs the recipient to enable content, which is why blocking macros in documents that arrived from the internet removes the attack's key step.

Whaling: Going after the big one

Different victims, different paydays. A phishing attack specifically targeting an enterprise's top executives is called whaling, because the victim is high-value and the stolen information is worth more than what a regular employee could offer. A CEO's account credentials open more doors than an entry-level employee's. The goal is to steal data, employee information, and cash.

Whaling also requires more research, because the attacker needs to know who the intended victim communicates with and what kind of discussions they have. Lures include references to customer complaints, legal subpoenas, or even a problem in the executive suite. Attackers typically start with social engineering to gather information about the victim and the company before crafting the message used in the whaling attack.

Business email compromise (BEC): Pretending to be the CEO

Aside from mass-distributed phishing campaigns, criminals target key individuals in finance and accounting departments via business email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, they try to trick victims into initiating money transfers to accounts the attacker controls. Typically, the attacker first compromises the email account of a senior executive or financial officer, either through an existing malware infection or through a spear phishing attack, then lurks and monitors the executive's mailbox for a period of time to learn the company's processes and procedures. The actual attack is a fraudulent email that appears to come from the compromised executive's account and is sent to someone who regularly receives mail from that executive.
The email appears important and urgent, and it asks the recipient to send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker's account. FBI data from 2022 showed that, despite the rise of ransomware, enterprises in aggregate lose 51 times more money to BEC attacks than to ransomware. BEC scams have also lately taken on new dimensions with multi-stage attacks. Companies should therefore have comprehensive BEC policy documentation, for instance a rule that any change of payment details or any urgent transfer request is confirmed with the requester over a second channel, so that employees have pre-defined steps to follow rather than relying on judgment under pressure.

Clone phishing: When copies are just as effective

Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email comes from an address resembling the legitimate sender, and the body looks the same as a previous message; the only difference is that the attachment or link has been swapped for a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim is receiving the "same" message again. Because the attack is based on a message the victim has already seen and trusted, users are more likely to fall for it. An attacker who has already compromised one user may use this technique against another person who also received the message being cloned. In another variation, the attacker creates a cloned website on a spoofed domain to trick the victim.

Vishing: Phishing over the phone

Vishing stands for "voice phishing" and entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. For instance, the message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes.
However, the phone number rings straight to the attacker via a voice-over-IP service. In a sophisticated vishing scam in 2019, criminals called victims pretending to be Apple tech support and gave them a number to call to resolve the "security problem." Like the old Windows tech support scam, this one exploited users' fear of their devices being hacked. AI advances are poised to make vishing a more insidious attack vector given AI's increasingly accurate ability to replicate known voices via audio deepfakes (see below).

Smishing: Phishing via text message

Smishing, a portmanteau of "phishing" and "SMS" (the protocol used by most phone text messaging services), is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing a message has arrived from a trusted person or organization and then convince you to take an action that gives the attacker exploitable information (bank account login credentials, for example) or access to your mobile device. Smishing is on the rise because people are more likely to read and respond to text messages than email: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%. Users are also often less watchful for suspicious messages on their phones than on their computers, and personal devices generally lack the security controls available on corporate PCs. The 2022 smishing attack on Deakin University in Australia shows the impact these attacks can have.

Snowshoeing: Spreading poisonous messages

Snowshoeing, or "hit-and-run" spam, requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends a low volume of messages, so reputation- or volume-based spam filtering can't recognize and block the malicious messages right away.
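Because snowshoe spam is designed to stay under every per-IP threshold, the detection signal has to come from the content rather than the source. The added example below (not code from the original article) groups a constructed MTA log by a content fingerprint that ignores case, digits and whitespace, so per-message randomisation such as invoice numbers does not split a campaign apart, then reports how many distinct sources and how short a time window each cluster spans. Clusters spread thinly over many sources get a "snowshoe" verdict, or "hailstorm" when the whole burst lands within a minute, while a pile of messages from one source is left to ordinary volume filtering. The log lines and thresholds are constructed assumptions.

```python
"""Grouping inbound mail by content fingerprint to expose snowshoe and hailstorm
campaigns (added example; the log lines and thresholds are constructed)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Assumed thresholds: a cluster earns a verdict once this many near-identical
# messages arrive; snowshoe means they are spread thinly over many sources.
MIN_MESSAGES = 5
MIN_SOURCES = 4
MAX_PER_SOURCE = 2
HAILSTORM_WINDOW_SECONDS = 60

# Constructed MTA log: timestamp, source IP, sender domain, "subject", body.
LOG = """\
2024-05-06T09:00:01Z 198.51.100.11 deal-alert-01.example "Invoice 48213 ready" Open invoice 48213 at your portal
2024-05-06T09:00:03Z 198.51.100.52 deal-alert-07.example "Invoice 90117 ready" Open invoice 90117 at your portal
2024-05-06T09:00:04Z 203.0.113.9 mail-notice-3.example "Invoice 33320 ready" Open invoice 33320 at your portal
2024-05-06T09:00:06Z 203.0.113.77 mail-notice-8.example "Invoice 71024 ready" Open invoice 71024 at your portal
2024-05-06T09:00:08Z 192.0.2.130 billing-desk-2.example "Invoice 00912 ready" Open invoice 00912 at your portal
2024-05-06T09:00:09Z 192.0.2.131 billing-desk-5.example "Invoice 12345 ready" Open invoice 12345 at your portal
2024-05-06T10:15:00Z 198.51.100.200 bulk-sender.example "Weekend sale" Everything 50 percent off
2024-05-06T10:15:01Z 198.51.100.200 bulk-sender.example "Weekend sale" Everything 50 percent off
2024-05-06T10:15:02Z 198.51.100.200 bulk-sender.example "Weekend sale" Everything 50 percent off
2024-05-06T10:15:03Z 198.51.100.200 bulk-sender.example "Weekend sale" Everything 50 percent off
2024-05-06T10:15:04Z 198.51.100.200 bulk-sender.example "Weekend sale" Everything 50 percent off
2024-05-06T08:00:00Z 203.0.113.40 team-update-1.example "Shared document" A file was shared with you
2024-05-06T11:30:00Z 203.0.113.41 team-update-4.example "Shared document" A file was shared with you
2024-05-06T14:45:00Z 198.51.100.8 team-update-9.example "Shared document" A file was shared with you
2024-05-06T17:10:00Z 192.0.2.19 team-update-2.example "Shared document" A file was shared with you
2024-05-06T18:05:00Z 192.0.2.20 team-update-6.example "Shared document" A file was shared with you
2024-05-06T12:00:00Z 192.0.2.55 partner.example "Lunch?" Are you free at noon
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (.*)$')


def template(text):
    """Collapse case, digits and whitespace so per-message randomisation
    (invoice numbers, tracking codes) does not split one campaign apart."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", text.lower())).strip()


def fingerprint(subject, body):
    return hashlib.sha256(template(subject + " " + body).encode()).hexdigest()[:16]


def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, domain, subject, body = m.groups()
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, domain, subject, body


def classify(log):
    """Return {subject template: stats and verdict} for every content cluster."""
    clusters = defaultdict(list)
    for ts, ip, domain, subject, body in parse(log):
        clusters[fingerprint(subject, body)].append((ts, ip, domain, subject))
    report = {}
    for msgs in clusters.values():
        ips = {m[1] for m in msgs}
        times = sorted(m[0] for m in msgs)
        span = (times[-1] - times[0]).total_seconds()
        busiest = max(sum(1 for m in msgs if m[1] == ip) for ip in ips)
        if len(msgs) < MIN_MESSAGES:
            verdict = "below threshold"
        elif len(ips) >= MIN_SOURCES and busiest <= MAX_PER_SOURCE:
            # Same content, many sources, each one quiet: per-IP reputation never trips.
            verdict = "hailstorm" if span <= HAILSTORM_WINDOW_SECONDS else "snowshoe"
        else:
            verdict = "single-source volume"  # what a volume filter already catches
        report[template(msgs[0][3])] = {
            "messages": len(msgs), "sources": len(ips),
            "domains": len({m[2] for m in msgs}),
            "span_seconds": span, "verdict": verdict}
    return report


if __name__ == "__main__":
    for subject, stats in classify(LOG).items():
        print(f"{subject!r}: {stats}")
```

In production the fingerprint would be computed at delivery time and the cluster counters kept in a sliding window, so that the verdict can feed back into the filter while the campaign is still running rather than after the fact.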
Some of the messages reach inboxes before the filters learn to block them. Hailstorm campaigns work the same way as snowshoe, except that the messages are sent over an extremely short time span. Some hailstorm attacks end just as the anti-spam tools catch on and update their filters, but by then the attackers have already moved on to the next campaign.

Deepfakes: AI-based impersonation

Criminals have begun turning to deepfakes to construct more convincing phishing attacks. Scammers use artificial intelligence to swap faces in videos or to clone voices, tricking prospective marks into making fraudulent corporate transfers as part of business email compromise-style frauds. In one of the highest-profile deepfake attacks to date, a worker at design and engineering firm Arup fell victim to a sophisticated deepfake-based scam that resulted in the loss of HK$200 million ($25.6 million). The worker was initially suspicious when he received a request to carry out a secret transaction, but dismissed his doubts after attending a video call at which the deepfaked "CFO" and "other employees" of the company were present, according to news reports.

Malicious actors can use an array of otherwise legitimate generative AI tools to create deepfakes from recorded speech extracts or photographs of their intended targets, according to security vendor WithSecure. For example, FaceSwap can superimpose a target's face on an attacker-created video. Similarly, Microsoft's VASA-1 framework can be abused to create deepfake video from a single portrait photo and a speech audio sample, according to Tom Taylor-MacLean, a security consultant at WithSecure.

Learn to recognize different types of phishing

Users aren't good at understanding the impact of falling for a phishing attack.
A reasonably savvy user may be able to assess the risk of clicking a link in an email, as that could result in a malware download or follow-up scam messages asking for money. A naive user may think nothing would happen, or expect at worst spam advertisements and pop-ups. Only the most savvy users can estimate the potential damage from credential theft and account compromise. This risk-assessment gap makes it harder for users to grasp why recognizing malicious messages matters.

Organizations need to review existing internal awareness campaigns and make sure employees are given the tools to recognize the different types of attack. They also need to strengthen technical defenses, because some traditional email security tools, such as spam filters, are not enough on their own against some phishing types.

Editor's note: This article, originally published on January 14, 2019, has been updated to reflect recent trends.