11 October 2022 • Cyber risks
Phishing is a form of digital fraud in which cybercriminals impersonate a party you trust, such as a government authority, a bank or a well-known person. Via an urgent-sounding e-mail, WhatsApp or SMS message, you are asked to hand over information such as personal or bank details, or to click a link or open an attachment. As an entrepreneur, you naturally do not want your company to fall victim to phishing. That is why we explain 10 types of phishing attacks below, together with some tips on how to prevent these attacks.
10 types of phishing attacks
1. Spray phishing
With spray phishing, cybercriminals send the same message to a very large number of people at once, sometimes tens of thousands of e-mails or text messages in a single campaign. They cast a wide net, as it were, in the hope that a small percentage of recipients will fall for it. Usually the message appears to come from a company you know and asks you to update a password or renew your credit card details.
2. Email phishing
E-mail is the most common phishing channel. These e-mails are designed to appear to come from a trustworthy source. Usually you are asked to fill in a form, reply to the e-mail or log in via a link. This is how cybercriminals collect personal information and login details.
One form of e-mail phishing is clone phishing, where a legitimate e-mail that the victim has already received is copied and its links and attachments are replaced with malicious substitutes. This can be, for example, an invoice attachment that installs malware, a link that downloads malware, or a link to a fake website where you are asked to enter your personal data. Because the copy looks like a message the victim has seen before, it is harder to spot.
3. Mobile phishing
Mobile phishing is also known as smishing or SMS phishing. You receive a text message from the perpetrator that urges you to take action, such as calling a telephone number or clicking on a link to a website. There you are often asked for personal information, such as passwords or credit card details.
The other form of mobile phishing is phone phishing or vishing. With this form of phishing you do not receive a message but a phone call. The attackers pose as your bank, the police, or another company or agency, and the caller ID can be spoofed to match. They try to frighten you into taking action, often transferring money or reading out a verification code.
4. Ambulance chasing
With this type of phishing attack, cybercriminals capitalise on current events. Think of requests for donations to relief funds after a natural disaster or during a war. The perpetrators collect personal and payment details and take money from the victims under the cover of a good cause.
5. Account expired/change password
You receive a message via e-mail or on your mobile with the request to reset your password because your account has supposedly expired or been compromised. These messages often appear to come from a reliable source, such as your bank, and are sometimes difficult to distinguish from real messages. The link leads to a fake login page that looks like the real one. If you "change" your password there, you first have to enter your current password, and the perpetrator then has everything needed to log in to your real bank account.
6. Whaling phishing
In this phishing attack, cybercriminals target the big whales, i.e. employees with a high position within an organisation, such as directors or the CFO. It is closely related to business e-mail compromise (BEC), in which the criminals impersonate a senior employee to convince staff, often in finance, to transfer money, share financial information or grant access to corporate platforms. Because the request appears to come from the top, employees are less likely to question it.
7. Wifi twin
A WiFi twin (also called an evil twin) is a WiFi network that copies the name (SSID) of a legitimate network. Anyone who connects to it sends their traffic through the attacker's access point, who can then intercept passwords and other information or redirect the victim to fake login pages. This type of attack is often carried out in public areas such as shopping malls, cafes, and airports. So it is not always a good idea to connect to a public WiFi network, and if you do, use a VPN and only enter data on HTTPS sites.
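As an added example (not part of the original article), the following script shows the kind of check a practitioner can run on a wireless scan to spot a possible evil twin: the same SSID advertised by more than one access point with different security settings, for instance an open copy next to the real WPA2 network. The scan listing is a constructed sample shaped like `nmcli -t -f SSID,BSSID,SECURITY dev wifi` output, and all SSIDs and BSSIDs in it are made up. Note that several BSSIDs sharing one SSID is normal for a network with multiple access points, so that alone is not flagged unless you supply the list of BSSIDs you trust.

```python
"""Flag possible Wi-Fi evil twins in a scan listing (added example)."""
from collections import defaultdict

# Constructed sample in the shape of `nmcli -t -f SSID,BSSID,SECURITY dev wifi`
# output: fields separated by ':', colons inside a value escaped as '\:'.
SCAN_OUTPUT = r"""CafeGuest:A4\:2B\:8C\:11\:22\:33:WPA2
CafeGuest:DE\:AD\:BE\:EF\:00\:01:
AirportFree:00\:11\:22\:33\:44\:55:
Office-Corp:10\:20\:30\:40\:50\:60:WPA2 802.1X
Office-Corp:10\:20\:30\:40\:50\:61:WPA2 802.1X
"""


def split_nmcli_line(line):
    """Split a terse nmcli line on unescaped colons."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped character
            current.append(line[i + 1])
            i += 2
            continue
        if ch == ":":                              # field separator
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text):
    """Return a list of {ssid, bssid, security} dicts; empty security = open."""
    access_points = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security = split_nmcli_line(line)[:3]
        access_points.append({
            "ssid": ssid,
            "bssid": bssid.upper(),
            "security": security or "OPEN",
        })
    return access_points


def find_evil_twin_candidates(access_points, known_bssids=None):
    """Return {ssid: [reasons]} for SSIDs that look like they are being copied.

    known_bssids is an optional list of access points you trust (hypothetical
    inventory data); if given, an unknown BSSID next to a trusted one is reported.
    """
    trusted = {b.upper() for b in (known_bssids or ())}
    by_ssid = defaultdict(list)
    for ap in access_points:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, entries in by_ssid.items():
        reasons = []
        securities = sorted({e["security"] for e in entries})
        if len(securities) > 1:
            reasons.append("same SSID with different security: " + ", ".join(securities))
        if trusted and any(e["bssid"] in trusted for e in entries):
            unknown = [e["bssid"] for e in entries if e["bssid"] not in trusted]
            if unknown:
                reasons.append("unknown BSSID(s) next to trusted ones: " + ", ".join(unknown))
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    for ssid, reasons in find_evil_twin_candidates(parse_scan(SCAN_OUTPUT)).items():
        print(ssid, "->", "; ".join(reasons))
```

In the sample, CafeGuest is flagged because an open network is advertising the same name as the WPA2 one, while Office-Corp is only flagged when you pass the BSSIDs you actually deployed and one of the two turns out to be unknown.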
8. Spear phishing
Spear phishing is a highly personalised phishing attack. The attacker pretends to be a person who knows the target well, such as a colleague, supplier or business partner. The target is researched in advance (job title, projects, contacts, social media), so the message feels personal and relevant. The goal is to obtain sensitive information or access that can be used to exploit the target or the organisation.
This type of attack is very effective because it creates a sense of legitimacy, and attackers sometimes strengthen that with a multi-channel variant. The victim first receives a message via a channel other than e-mail, for example a phone call, announcing that an e-mail will follow shortly. The caller pretends to be a supplier, say, and indicates that a quote will soon arrive by e-mail. The e-mail then refers back to that phone contact, which makes it appear more reliable.
9. Man-in-the-middle
Finally, we discuss a more complicated form of phishing: man-in-the-middle. The cybercriminal places themselves between two people, for example by compromising a mailbox or using lookalike e-mail addresses, and intercepts the e-mails they exchange. The criminal then forwards these e-mails, possibly altered, so that both parties still believe they are talking directly to each other. Because the conversation looks genuine, the criminal can at some point ask for private details, change a bank account number on an invoice, or request other information without raising suspicion.
Tips to prevent types of phishing attacks
1. Staff training
By training your staff to recognise the types of phishing and the psychological triggers that are used, you can prevent a lot of attacks. For example, they learn to check the sender of a message, never to click on a link or open a file without thinking, and how to check a message for signs of phishing. Other things staff should watch out for include:
- The salutation: phishing e-mails are often sent in bulk without knowing the name that belongs to an address, so they use a generic opening such as "Dear customer" rather than your name.
- Unexpected links and attachments: phishing e-mails usually contain a link or an attachment that you were not expecting.
- Grammar and spelling: phishing e-mails often contain language errors, although well-crafted ones do not, so the absence of errors is not proof of legitimacy.
- Urgency: pressure to act immediately, certainly in combination with the other points, is a clear indication of a phishing message.
2. Do not click on everything
You and your employees must never click on a link just because it was sent to you, even if the message appears to come from a reliable source. Always check first whether the message really came from that source, for example by contacting the sender via a channel you already know. Instead of using the link, navigate to the site manually by entering the legitimate web address in the browser. If the real address is hidden because the link is attached to a piece of text in the message, hover over the link with your mouse (or long-press it on a phone) to see where it actually points. Pay attention to the domain itself: a link to yourbank.com.login-verify.example is not a link to yourbank.com.
3. Check for HTTPS
Especially when you are asked to share sensitive information, check whether the URL starts with HTTPS instead of HTTP. HTTPS means the connection is encrypted and the site holds a certificate for the domain shown, so an HTTP site should never be trusted with sensitive data. The extra S does not guarantee that the site is legitimate, however: criminals can obtain certificates for their own domains, so many phishing sites use HTTPS too. The padlock only tells you that you are talking securely to the domain in the address bar; you still have to verify that this domain is the right one.
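To make the checklist from tips 1 to 3 concrete, here is an added example (not code from the original article or from Guardey) that runs those checks over a message: a generic salutation, urgency wording, a Reply-To address on a different domain than the sender, links that are not HTTPS, links whose visible text shows one address while the href points to another, and a trusted name hidden as a subdomain of an unrelated domain. The message and every domain in it are constructed for the example. The `registered_domain` helper deliberately keeps only the last two DNS labels; real tooling should use the public suffix list so that names like `example.co.uk` are handled correctly.

```python
"""Score an e-mail for common phishing indicators (added example)."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; all addresses and domains are fictitious.
SAMPLE_EMAIL = """\
From: Example Bank <service@examplebank.com>
Reply-To: verify@examplebank-support.example.net
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body>
<p>Dear customer,</p>
<p>We detected unusual activity. You must verify your password immediately
or your account will be suspended.</p>
<p><a href="http://examplebank.com.secure-login.example.net/reset">https://www.examplebank.com/login</a></p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear client")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels: 'a.b.example.net' -> 'example.net' (simplified)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, sender_domain):
    """Return the indicators found for one hyperlink."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        reasons.append(f"link is not HTTPS: {href}")
    # Visible text that looks like a URL but leads to a different domain.
    if text.startswith(("http://", "https://", "www.")):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            reasons.append(f"link text shows {shown} but points to {host}")
    # The trusted name used as a subdomain of an unrelated domain.
    if host.startswith(sender_domain + ".") and registered_domain(host) != sender_domain:
        reasons.append(f"{sender_domain} appears as a subdomain of {registered_domain(host)}")
    return reasons


def analyze(raw_message):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    lower_body = body.lower()
    subject = (msg["Subject"] or "").lower()
    findings = []

    sender_domain = registered_domain(parseaddr(msg["From"])[1].split("@")[-1])
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and registered_domain(reply_to.split("@")[-1]) != sender_domain:
        findings.append(f"Reply-To domain differs from sender domain: {reply_to}")

    if any(s in lower_body for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")

    hits = [w for w in URGENCY_WORDS if w in lower_body or w in subject]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        findings.extend(check_link(href, text, sender_domain))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

No single indicator is conclusive on its own (a real bank may also write "immediately"), which is why the function returns all findings and leaves the decision to the reader or to a rule that requires several of them together.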
4. Use Guardey
At Guardey, we do everything we can to ensure that your company is as well protected as possible against phishing attacks. We do this, among other things, by providing a business VPN connection via our app that is continuously monitored. In the event of an online threat, you will receive a direct message. So, you know if there is any behavior that doesn’t belong on your network. In addition, at Guardey, we believe it is crucial to go beyond that. That’s why our app also offers cybersecurity training for you and your team, through an interactive game.
Try Guardey now completely free for 14 days. This way you will be the first to know that there is malware on your computer and you can immediately take the right measures.