While computer crime, security breaches, and all kinds of online scams have been around since the earliest days of computing, today all too many people have some first-hand experience, often having fallen victim to a phishing scam. Cybercrime is serious, with estimates that by 2021, the yearly cost of cyberattacks will reach $6 trillion – double the figure cited just four years ago. And of all the various cyber scams, according to the Verizon Data Breach Investigations Report 2019, phishing is the top security threat and is involved in 32% of all confirmed breaches. Like computer fraud itself, phishing is not a specific type of cyberattack but a broad term that encompasses different types of scams. Some attacks are highly sophisticated and targeted, whereas others are wide-ranging and a bit clumsy (but still, sadly, effective).
Here is a look at some of the main types of phishing scams:
In information security, social engineering is the umbrella term for all types of phishing, or indeed any scam that uses deception to get people to give up their financial details or sensitive data. It could be a fake email pretending to be from your bank in an attempt to steal your account details, or a text message claiming to be from a friend asking for money. Typically, you will be asked to ‘verify’ something (your address or credit card number) by clicking on a link that leads you to a fraudulent page. In essence, any digital scam that involves trickery can be termed phishing or social engineering. Many of us believe we can easily pick out a phishing scam, but there is a real danger of overconfidence. As Inc.com recently pointed out, phishing scams are becoming more elaborate, even going as far as studying how employees of particular firms speak to each other so the scammers can mimic that style in their deceptive emails.
Whereas we sometimes think of phishing as quite clumsy – the kind of badly written, error-filled emails that frequently end up in our spam folders – spear phishing, as the name suggests, is targeted at a particular individual or organization. It is often specific and sophisticated. From 2013-2015, Facebook and Google lost $100 million in a complex spear-phishing email campaign. The cybercriminals pretended to work for Quanta, a Taiwanese company that does a lot of business with the two tech giants, and managed to defraud the companies out of a pile of cash. Smart, targeted, and adaptable, this attack was spear phishing at its most devastating.
Known as both whale phishing and whaling, this scam has a particular type of target in mind – the wealthy. Scammers choose to target one big fish in the knowledge that they will net a huge amount of cash should they pull it off. In 2015, California-based tech firm Ubiquiti Networks Inc was harpooned by a whaling attack that cost it around $47 million. The cybercriminals posed as company executives and managed to get employees to wire the money to fraudulent international bank accounts. Though some people argue that whale and spear phishing are one and the same, as both are highly targeted attacks, this type of cyberheist always has wealthy people (or businesses) in mind. Indeed, whale phishing is sometimes referred to as CEO fraud.
This type of phishing uses a legitimate, previously received email to create a clone that scams the victim. The scammers intercept the real message and create a copy with a similar sender address and a message body that appears identical to the earlier email. The difference is that the cloned email contains a malicious link or attachment. Often the cybercriminals will explain that they are sending the email ‘again’ because they need to update information or add another recipient, and since the email appears to come from a contact already in the recipient’s inbox, people are more likely to click. This technique is often used together with spoofing or other methods.
When properly executed, pharming can be the most effective form of cybercrime. It is the practice of directing people to a fake website that mimics a real one. Pharming can be difficult for cybercriminals to pull off, as it requires a lot of effort and know-how to alter a victim’s hosts file or exploit a DNS server, a technique known as DNS poisoning. However, this dedication and hard work suggest that those behind pharming scams aren’t the average dim-witted criminal. In 2017, cybercriminals pulled off a massive pharming attack targeting big businesses such as PayPal, Barclays Bank and eBay. At its height, this attack was infecting over 1,000 PCs per day.
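The hosts-file variant of pharming described above is one a defender can check for directly, because the hosts file is a plain text file on the machine. The script below is an added example written for this post, not code from ZoneAlarm or from the article; it parses a constructed hosts file, ignores ordinary loopback and private-network entries, and flags any line that pins a domain from a hypothetical watchlist of financial sites to an outside address. The domains and addresses in the sample are made up, and a real deployment would read the actual hosts file and load the watchlist from configuration.

```python
import ipaddress
import re

# Constructed sample hosts-file content (not from the article): two normal
# loopback entries, one harmless intranet entry, and two overrides of the kind
# pharming malware adds to send a bank's domain to an attacker's server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost

# Legitimate-looking internal entry (constructed)
192.0.2.10      intranet.corp.test

# Suspicious overrides added by malware (constructed)
203.0.113.45    www.examplebank.test examplebank.test
198.51.100.7    login.example-payments.test
"""

# Hypothetical watchlist: domains that should never be pinned by a local hosts
# entry. A real tool would load this from configuration.
WATCHLIST = {"examplebank.test", "example-payments.test"}

# Address ranges a hosts entry may legitimately point at (RFC 1918 / ULA).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (# ...) and blank lines are skipped; each remaining line is
    'ip hostname [alias ...]'. Lines whose first field is not an IP address
    are ignored rather than treated as entries.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def is_local(ip):
    """True for loopback, link-local, unspecified or private-range addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return True
    return any(addr in net for net in LOCAL_NETS)


def registered_domain(hostname):
    """Last two labels of a hostname; a crude stand-in for a public-suffix list."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_overrides(text, watchlist=WATCHLIST):
    """Flag hosts entries that send a watchlisted domain to a non-local address."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        if registered_domain(name) in watchlist:
            findings.append({"ip": ip, "hostname": name})
    return findings


if __name__ == "__main__":
    for f in find_overrides(SAMPLE_HOSTS):
        print(f"pharming-style override: {f['hostname']} -> {f['ip']}")
```

Run against a real machine by reading `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`) into `find_overrides`; the same parser also serves as a baseline, since any change to a hosts file that is normally static is itself worth an alert.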
Whereas phishing is an attempt to gain a person’s sensitive data by whatever means, spoofing is a kind of digital identity theft in which the cybercriminals impersonate a legitimate user or device to get the goodies they are after. At its heart, spoofing is the disguising of communications so that they seem to come from a legitimate source. There are many spoofing techniques, including email spoofing, IP spoofing, and GPS spoofing, and they can be used alone or combined with other phishing techniques on this list.
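Email spoofing and the clone-phishing tactic described earlier leave traces in the message itself: a visible From address that does not match the envelope sender, failed SPF/DKIM results recorded by the receiving mail server, a ‘Re:’ subject that references no earlier message, and a link whose displayed text shows one site while the href goes to another. The script below is an added example for this post (not ZoneAlarm’s product code or anything from the article) that pulls those signals out of a raw message using only the Python standard library. The sample message and every domain in it are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture): the visible From claims a
# bank, the envelope sender is elsewhere, SPF/DKIM did not pass upstream, the
# subject pretends to be a re-send, and the link text shows one site while the
# href points at another. All domains are made up.
SAMPLE_RAW = """\
Return-Path: <billing@mailer-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none
From: "Example Bank" <alerts@examplebank.test>
To: customer@example.test
Subject: Re: Your statement (sending again with the updated attachment)
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0

<html><body>
<p>As discussed, here is the statement again. Please verify your details:</p>
<a href="http://examplebank.test.login-verify.test/account">https://www.examplebank.test/account</a>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Last two labels of a hostname; a real tool would use a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the first address in a From/Return-Path style header."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def url_host(text):
    """Host of a URL-looking string, or '' if the string is not URL-like."""
    s = text.strip()
    if not s:
        return ""
    if "://" not in s:
        if not s.lower().startswith("www."):
            return ""
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def html_bodies(msg):
    """Yield decoded text/html parts (walk() yields the message itself if single-part)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    # 1. Envelope sender (Return-Path) vs. the From header the user sees.
    from_dom = address_domain(msg.get("From"))
    rp_dom = address_domain(msg.get("Return-Path"))
    if rp_dom and from_dom and registered_domain(rp_dom) != registered_domain(from_dom):
        findings.append(("envelope-mismatch", f"Return-Path {rp_dom} vs From {from_dom}"))
    # 2. SPF/DKIM/DMARC verdicts recorded by the receiving server.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth):
        if result != "pass":
            findings.append((f"auth:{mech}={result}", "upstream authentication did not pass"))
    # 3. A 'reply' or 'forward' that cites no earlier message (clone-phishing tell).
    subject = msg.get("Subject") or ""
    if re.match(r"^\s*(re|fwd?)\s*:", subject, re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append(("orphan-reply", "looks like a reply/forward but references no earlier message"))
    # 4. Displayed link text vs. the actual href target.
    for body in html_bodies(msg):
        collector = _AnchorCollector()
        collector.feed(body)
        for href, text in collector.anchors:
            shown, actual = url_host(text), url_host(href)
            if shown and actual and registered_domain(shown) != registered_domain(actual):
                findings.append(("link-mismatch", f"shows {shown} but goes to {actual}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyze(SAMPLE_RAW):
        print(f"{code}: {detail}")
```

None of these signals is proof on its own (mailing lists and legitimate bulk senders routinely have a Return-Path on another domain), which is why the function returns every finding rather than a single verdict; a mail gateway would weight them, and the `auth:` results only mean anything if the `Authentication-Results` header was written by your own receiving server rather than carried in from outside.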
Vishing, aka voice phishing, is social engineering that uses phone calls as the entry point to gain financial information. Of course, we can argue that vishing has been around since the telephone and that it is just another name for scam callers. However, modern-day cybercriminals use a variety of techniques, including artificial intelligence, to make vishing campaigns more effective. For instance, in 2019, a group of fraudsters used ‘deep fake’ voice mimicry software to impersonate the CEO of a company. They contacted the manager of one of the organization’s subsidiaries and got him to transfer $243,000 to a fraudulent supplier. That incident has been described as the first-ever instance of AI-based voice fraud, and it points to some scary possibilities for future deep-fake fraud.
Smishing – SMS phishing – is a particular type of digital fraud that uses text messaging as the main entry point. One advantage smishing has over other types of phishing is the brevity of the message, meaning the criminals don’t need to provide too many details to scam victims. With smishing, you might receive a text or WhatsApp message from ‘your bank’, asking you to “click this link to update your details” or “call this number,” and those actions, since they are fraudulent, can open a world of trouble. For example, in 2016, fraudsters ‘hijacked’ Santander Bank’s text message thread to a UK customer, prompting him to call a fake number and give over a one-time password. The result? The criminals quickly drained £22,700 ($28,000) from his account.
As we have seen above, there are many different types of phishing. And, like other types of security fraud, scammers aren’t only rewarded when preying on the careless or unsavvy – cybercriminals have used a variety of phishing techniques successfully against some of the most sophisticated tech companies on the planet. Being vigilant is key to combating phishing, for sure, and you should question the authenticity of everything that arrives in your inbox and your phone, whether email, text message, or phone call. Above all, though, you should secure your devices with robust anti-phishing software and take care to protect yourself against common online threats. One useful tool is ZoneAlarm’s Web Secure Free Chrome Extension that protects you as you browse the internet (on Chrome), cutting off communication from cyber criminals before they enter your airspace. Another, ZoneAlarm’s Extreme Security, offers advanced anti-phishing capabilities in real-time. The software scans every form you receive for authenticity, ensuring you aren’t tricked into sharing your personal data with cybercriminals. Of course, you need to be vigilant, but anti-phishing software will provide an extra layer of security and peace of mind you can rely on.