5 Types of Phishing Attacks and How to Protect Against Them

Phishing is one of the most common and dangerous types of cybercrime. It can target anyone and can get past some of the most sophisticated cyber protections if the right person falls for it. The best way to stay safe is to learn how to spot it, and there are many types of phishing attacks to learn about.

All phishing attacks try to take advantage of human error. Simple mistakes are the most threatening vulnerabilities many businesses face, which is why phishing has remained so effective for so long. While all phishing may center around this idea, different types approach it differently. Here are five of the most common you should look out for.

1. Email Phishing

Email phishing is one of the oldest types of phishing attacks but remains the most common. Even though email isn’t as prominent a form of communication as it used to be, 96% of social engineering attempts still arrive via email.

These attacks involve posing as a trusted source or authority in an email asking users to take action like clicking a link or replying with information. To do that, the message is often urgent. It may say the user needs to update their password or review their payment information to avoid extra charges. When users click the link, it installs malicious software, and if they reply, they accidentally give away sensitive information.

This type of attack is so popular because it’s relatively easy to do and can be highly convincing. Email is still the standard for business communications, so an urgent email from someone claiming to be a company you work with may not immediately raise alarms.

2. Smishing

Smishing is a similar type of attack, but it relies on text messages instead of email. Like email phishing, these messages are often urgent, so people follow through on what they ask before thinking about it.

A common smishing technique is to pose as a real-time security alert. Texts will alert users of a change to their account, a password reset or other security issue and offer a link to follow to resolve it. Because real examples of these security alerts can come from numbers users don’t have saved, these attacks can be convincing.

Other smishing attacks pretend to be a loved one reaching out from a new number or friend’s phone after supposedly losing theirs. Smishing can also happen on instant messaging apps like WhatsApp and Facebook Messenger.

3. Angler Phishing

As social media has grown, new types of phishing attacks focusing on these platforms have risen, too. Angler phishing targets people complaining about a company online by pretending to be the company’s customer service team.

Over 80% of consumers today use social media to reach out to brands, and 84% who’ve contacted customer support via social media have gotten a reply. As a result, it doesn’t immediately stand out as suspicious when an apparent company account replies to a post or messages you.

Some angler phishing attacks give users a malicious link they say will take them to a customer service page. Others ask for personal details to provide better help, then turn around and use this sensitive data to breach users’ other accounts. 

4. Spear Phishing

While many phishing attempts try to gain users’ personal information, some wait until they have it before initiating the attack. That’s the case with spear phishing, an attack where cybercriminals target specific people instead of using vague messaging.

Spear phishing attempts may call users by name, reference their position at their company or mention mutual contacts. Whatever the specifics, they make it sound like the sender is legitimate because they know things theoretically only trusted contacts should know.

It takes a long time to gather enough accurate data to craft a convincing spear phishing attack. Consequently, they’re much less common than general phishing attacks. At the same time, they account for a much bigger percentage of actual breaches because they’re more deceptive.

5. Whaling

Some spear phishers go further and specifically target people with higher-level access to cause more damage. Whaling refers to these attacks targeting executives, like the CEO, CFO or CIO at a company.

High-ranking executives may be harder to trick, but the payoff for successful attacks is much higher. Whalers could gain access to leaders’ email accounts, letting them trick employees into sending them more sensitive information. Alternatively, they could impersonate executives to authorize large fraudulent transactions.

While not everyone needs to worry about being a direct target of whaling, these attacks can affect lots of people if they’re successful. They caused $12.5 billion in losses in 2021 alone after a sharp uptick in frequency.

How to Protect Against All Types of Phishing Attacks

The sheer number of different types of phishing attacks can be frightening, but many of these attacks work the same way. As a rule of thumb, never give sensitive information away over email or instant messaging. Similarly, you should never click unsolicited links, even if they’re from a seemingly legitimate source.

Remember that most phishing attacks try to trick users through a false sense of urgency. Any message demanding immediate attention or action should raise red flags. Check the source to ensure it’s what it’s claiming to be. Reach out to the supposed sender by another form of communication, if possible, to verify it.

If a social media account claiming to represent a company you’ve dealt with reaches out to you, ensure it’s a verified account before responding. You may also want to look up the company on that platform to see if it’s the same account as the one that contacted you.

Just because a message is from a real account doesn’t mean it’s not phishing, either. In light of the threat of whaling and other email compromise attacks, always reach out via another means to verify a source before responding to an unusual message. If you’re suspicious about a work email, contact your IT department so they can investigate it further.

Finally, practice good credential management to stop cybercriminals from accessing your account to use for phishing. Multi-factor authentication (MFA) is one of the best authentication tools to use, but you should also continue to use strong, unique passwords. Users should also think twice before posting personal details online, as criminals can use these to form spear phishing attacks.

Phishing Attacks Are Dangerous But Preventable

As long as people make mistakes, phishing will continue to be a threat. New types of phishing attacks will emerge as technology changes, but the basics of anti-phishing protection remain the same.

When you know how phishing works, you can spot attempts more accurately. Staying on top of phishing trends and methods is the first step to keeping your data secure.