
10 types of phishing attacks

What is phishing

Phishing is a form of digital fraud where cybercriminals impersonate someone else. Think of an important authority or a well-known person. Via an urgent-sounding e-mail, WhatsApp or SMS, you are requested to provide information, such as personal or bank details. As an entrepreneur, you naturally do not want your company to become a victim of phishing. That is why we explain 10 types of phishing attacks below, together with some tips on how to prevent these attacks.

10 types of phishing attacks

1. Spray phishing

With spray phishing, cybercriminals send the same message to a large number of people in a single campaign, sometimes ten thousand e-mails or text messages at once. They cast a wide net, as it were, in the hope that some recipients will fall for the message. Usually, it is an e-mail that appears to come from an existing company and asks you to update a password or renew credit card information.

2. Email phishing

Sending e-mails is one of the most common forms of phishing. These e-mails are designed to appear to come from a trustworthy source. Usually, in these e-mails, you are asked to fill in a form or to reply to the e-mail. This is how cybercriminals get personal information.

One form of e-mail phishing is clone phishing, where a legitimate e-mail is copied and the links and files are replaced with malicious substitutions. This can be, for example, an invoice file, a link that contains a virus, or a link that sends you to a website to enter your personal data.

3. Mobile phishing

Mobile phishing is also known as smishing or SMS phishing. You receive a message from the perpetrator urging you to take action, such as calling a telephone number or clicking on a link to a website. Often, you will be asked for personal information, such as passwords or credit card details.

The other form of mobile phishing is phone phishing or vishing. With this form of phishing, you do not receive a message; instead, you are called. The attackers pose as your bank, the police, or another company or agency. They try to scare you into taking action, often transferring money.

4. Ambulance chasing

With these types of phishing attacks, cybercriminals capitalize on current events. Think of asking for donations for relief funds, natural disasters, or wars. The perpetrators can collect personal data and take money from the victims.

5. Account expired/change password

You receive a message via e-mail or on your mobile asking you to reset your password. These messages often appear to come from a reliable source, such as your bank, and are sometimes difficult to distinguish from real messages. If you change the password via the link in that e-mail, the perpetrator has the information needed to log in to your bank account.

6. Whaling phishing

In this phishing attack, also known as business e-mail compromise, cybercriminals target the big whales, i.e. employees in senior positions within an organization. Often they impersonate a senior employee within the organization so that a request for access to financial information or corporate platforms appears credible.

7. Wifi twin

A Wi-Fi twin is a rogue Wi-Fi network that copies the identity of a legitimate network so that it looks like the real one. Anyone who connects to it is exposed to the attackers behind it, who can then capture passwords and other information sent over the connection. This type of phishing attack is often carried out in public places such as shopping malls, cafes, and airports, so it is not always a good idea to connect to a public Wi-Fi network.

8. Spear phishing

Spear phishing is a very personal phishing attack. This is because the attacker pretends that he or she is a person who knows the target well. The target is well-researched for this, so the attack feels very personal. The purpose of this is to gain access to sensitive information to exploit the target.

9. Pretexting

This type of phishing attack is very effective because it creates a sense of legitimacy. The victims first receive contact via a channel other than e-mail, for example a telephone call, announcing that an e-mail will follow shortly. The caller may pretend to be a supplier and say that the victim will soon receive a quote by e-mail. The final e-mail then refers back to this telephone contact, which makes it appear more reliable.

10. Man-in-the-Middle

Finally, we discuss a fairly complicated form of phishing: man-in-the-middle. The cybercriminal intercepts the e-mails between two people and forwards them on, so that each person believes the e-mails came directly from the other. Because both parties trust the conversation, the criminal can use it to ask for private details and other information.

Tips to prevent types of phishing attacks

1. Staff training

By training your staff to recognize the types of phishing and the psychological triggers that are used, you can prevent a lot of attacks. For example, they learn to check the sender of a message, never to click on a link or file without thinking, and how to inspect a message for signs of phishing. Other things staff should watch out for include:

  • The salutation: phishing e-mails often lack enough personal data to link a name to the address, so they frequently use a generic, impersonal greeting.
  • Unexpected links and attachments: phishing e-mails usually contain a link or attachment.
  • Grammar and spelling: phishing e-mails often contain language errors.
  • Urgency: certainly in combination with the other points, this is a clear indication of a phishing message.

2. Do not click on everything

You and your employees should never click on a link just because it was sent to you, even if the message appears to come from a reliable source. Always check first whether the e-mail actually came from that source. For example, instead of clicking the link, you can type the legitimate web address into the browser yourself. If the link is hidden behind a piece of text in the message, you can hover over it with your mouse to reveal the real web address and see whether it is legitimate.

3. Check for HTTPS

Especially when you are asked to share sensitive information, you must check whether the URL starts with HTTPS instead of HTTP. The extra S does not guarantee that it is a secure website, but it is better protected against hackers than an HTTP site.
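The checklist in the staff-training tip (generic salutation, urgency, suspicious links) and the two tips above (hover to reveal the real link target, check for HTTPS) can be turned into a simple triage script for a mailbox or a security team. The example below is added here to illustrate those checks; it is not Guardey's code and does not come from the original article. The two messages it inspects are constructed for the example, and the indicator lists and the `risk_score` threshold are assumptions a real deployment would tune. Grammar and spelling checks are left out because they need a dictionary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (made up for this example, not real mail).
SAMPLE_PHISH = {
    "from": "security@bank-example.co",
    "subject": "URGENT: your account will be suspended",
    "body_html": (
        "<p>Dear customer,</p>"
        "<p>Your account will be suspended. Please "
        '<a href="http://bank-example-login.co/reset">'
        "https://www.bank-example.com/login</a> immediately to reset "
        "your password.</p>"
    ),
}
SAMPLE_OK = {
    "from": "newsletter@example.org",
    "subject": "Monthly update",
    "body_html": (
        "<p>Hi Anouk,</p>"
        '<p>The March notes are on <a href="https://intranet.example.org/notes">'
        "the intranet</a>.</p>"
    ),
}

# Assumed indicator lists; a real filter would maintain longer, tuned ones.
URGENCY_CUES = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder", "hello,")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return the list of (real target, displayed text) pairs, i.e. what hovering reveals."""
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def strip_tags(html):
    """Crude tag stripper, adequate for the constructed sample bodies."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()


def link_findings(href, text):
    """Apply the 'hover over the link' and 'check for HTTPS' tips to one link."""
    findings = []
    target = urlparse(href)
    if target.scheme == "http":
        findings.append(f"link uses plain HTTP: {href}")
    # Displayed text that looks like a URL but points to a different host.
    if re.match(r"https?://", text):
        shown = urlparse(text)
        if shown.hostname and shown.hostname != target.hostname:
            findings.append(
                f"displayed address {shown.hostname} differs from real target {target.hostname}"
            )
    return findings


def analyze_message(msg):
    """Return a list of human-readable phishing indicators found in the message."""
    findings = []
    plain = strip_tags(msg["body_html"])
    lower = plain.lower()
    if lower.startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation instead of the recipient's name")
    cues = [c for c in URGENCY_CUES
            if re.search(r"\b" + re.escape(c) + r"\b", lower + " " + msg["subject"].lower())]
    if cues:
        findings.append(f"urgency cues: {sorted(cues)}")
    for href, text in extract_links(msg["body_html"]):
        findings.extend(link_findings(href, text))
    return findings


def risk_score(msg):
    """Number of indicators; a team would pick a threshold (e.g. 2) for escalation."""
    return len(analyze_message(msg))


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, risk_score(msg), analyze_message(msg))
```

Hovering over a link in a mail client shows exactly the `href` that `extract_links` returns, so the mismatch check reproduces by hand what the script does automatically. Combining indicators matters: a single urgency word is common in legitimate mail, while a generic greeting plus an HTTP link whose visible text names a different host is a strong signal.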

4. Use Guardey

At Guardey, we do everything we can to ensure that your company is as well protected as possible against phishing attacks. We do this, among other things, by providing a business VPN connection via our app that is continuously monitored. In the event of an online threat, you will receive a direct message. So, you know if there is any behavior that doesn’t belong on your network. In addition, at Guardey, we believe it is crucial to go beyond that. That’s why our app also offers cybersecurity training for you and your team, through an interactive game.

Try Guardey now completely free for 14 days. This way you will be the first to know that there is malware on your computer and you can immediately take the right measures.

Frequently Asked Questions

What is gamification?

Gamification is adding game elements into non-game environments, such as security awareness training, to increase participation and foster active learning.

What are the benefits of gamification in security awareness training?

Traditional security awareness training can often be dry and boring. With gamification, the complex subject matter is transformed into an engaging and memorable experience.

By integrating game elements such as challenges, quizzes and rewards, it incentivizes users to actively learn. This makes the training more enjoyable and fosters a sense of competition and achievement. This combination drives better retention and application of cyber security knowledge.

Why is it important to train security awareness on a weekly basis?

Research shows that up to 90% of the learnings from yearly or even quarterly training are forgotten within a few weeks. Guardey was built to keep its users aware of cyber threats 365 days a year. The game comes with short, weekly challenges that slowly build up the user's knowledge and eventually drive lasting behavior change.

Which topics are covered in Guardey’s security awareness game?

Guardey covers a wide array of topics to train users about all currently relevant cyber threats, put together in collaboration with ethical hackers and educationalists. The topics covered include phishing, remote work, password security, CEO fraud, ransomware, smishing, and much more.

How much time do the weekly challenges take?

Every challenge takes up to three minutes to complete.

Can I use Guardey to comply with the ISO27001, NIS2, and GDPR security awareness policies?

Yes. ISO27001, NIS2, and GDPR all require that all employees receive appropriate security awareness training. Guardey is always up-to-date with the latest cyber threats, policies, and procedures.

Is security awareness training important for all employees, or just specific roles?

Cybersecurity awareness training is crucial for all employees, not just specific roles. Every staff member can potentially be a target or an unwitting entry point for cyber attacks. Training helps create a security-focused culture and minimizes risks for the entire organization.

While certain roles may require specialized training, a foundational level of training should be accessible to everyone.

In which languages is Guardey available?

Guardey is available in English, Dutch, Italian, French, Spanish, German, Polish, Swedish and Danish.
