Since the term phishing was coined in 1987, the tactics used for phishing attacks have evolved into quite a few specific types of phishing. Here are some common types of phishing:
A virus is malware that is attached to some other type of software. Whenever the user runs the virus, usually accidentally by running the software it is attached to, the virus will replicate itself by adding itself to other programs on the user's system.
Standard Email Phishing
Standard email phishing uses the shotgun method of sending as many emails as possible to as many people as possible. Attackers hope to steal sensitive information by getting a small percentage of the email recipients to fall for the tactics by clicking on a malicious link and entering their login credentials in a fake form.
When attackers design an email message to appeal to a specific individual, it is called spear phishing, bringing up the image of a spearfisherman targeting a specific fish.
The attackers in these cases find their target online, sometimes using social networks like LinkedIn that have detailed work history to gather information on the person. They will then send an email to the target's work email address using a spoof email address from the same domain. This is easy to do because the phisher can guess the target's work email based on their first and last name and the domain name of the company they work for.
In the email, the attacker will masquerade as an employee and attempt to get the target to divulge sensitive information or transfer funds.
Whaling or whale phishing is the same as spearfishing, except the targets of the attack are higher profile individuals, like CEOs or board members of the corporation. Whaling attacks usually involve a lot of research on the person being attacked and take a lot of preparation time, because the payoff for the attacker is usually large.
Malware phishing uses the same methods as standard email phishing. A malware phishing attack is usually untargeted to infect as many devices as possible with malicious software. Phishers attempt to get targets to click on email links that download and install malware. This malware can be of any type: ransomware, which locks out the user and demands a ransom; adware, which inundates the user with advertisements; spyware, which will steal data from the device or log the users’ keystrokes; and more.
Smishing is an attack where malicious links are sent to SMS-enabled phones. The links may masquerade as account warnings and prize notifications to trick the phone user into clicking the link.
Search Engine Phishing
Search engine phishing uses search engine optimization or paid search engine ads to get fraudulent sites designed to steal credentials ranked high in search engine results. Unsuspecting users will assume they are on a well-known site, enter their credentials, and be greeted with a fake error. By then the attacker will have already stolen their data.
These types of attacks usually occur in areas with public Wi-Fi networks. The attacker will create a fake free public Wi-Fi network to which unsuspecting people will connect to. Once a user is connected, the attacker can phish for information.
Vishing stands for voice phishing. This attack involves fake phone calls. The caller will say they are from a government agency like the IRS or a large organization and try to get the target to disclose banking details or credit card information.
This is also known as DNS poisoning. By corrupting DNS, an attacker can route legitimate traffic going to a banking site or other organization to a fake site that will steal user information.
In this type of phishing attack, the attacker hacks a legitimate users’ email or social account and then sends malicious emails or messages to the users’ contacts, who may click on links because the email comes from a trusted source.
This type of phishing involves fake advertisements that masquerade as ads from legitimate companies. Instead of taking users to a legitimate site, the ads will direct them to a phishing site.