Arrow back

What are the different types of phishing attacks?

15 June, 2023

Phishing is, by some distance, the biggest security risk to businesses. For a little context, over 3.4 billion phishing emails are sent daily, accounting for around 1% of all emails sent worldwide.

But whilst you think you might have a handle on what a phishing email looks like, cybercriminals are constantly developing more sophisticated tactics to penetrate security systems and trick employees.

So, how do you prevent phishing emails from cracking your organisation’s data and systems open? Education.

Educating employees about what phishing attacks look like is one of the best deterrents and in this article, we explain the various types of phishing attacks to be wary of:

What are the most common types of phishing attack?

Email phishing

Email phishing attacks are the most common and well-known type of phishing.

Cybercriminals send deceptive emails impersonating legitimate individuals or organisations to trick recipients into divulging sensitive information or performing actions that compromise security.

These emails often appear genuine, containing logos, email signatures, and other elements to deceive unsuspecting victims.

Examples of email phishing

  • Deceptive URLs: Phishing emails may include links that appear legitimate but redirect users to malicious websites designed to steal personal information. For instance, an email claiming to be from a reputable bank could lead recipients to a fake login page where their credentials are harvested.
  • Malicious attachments: Another tactic used in email phishing is the inclusion of malicious attachments. These files, often disguised as harmless documents or invoices, contain malware that can infect the recipient's device once opened.
  • Spear Phishing: Spear phishing is a targeted form of email phishing that tailors attacks to specific individuals or organisations. Cybercriminals conduct extensive research to personalise their messages, making them more convincing and likely to succeed.

Whaling (CEO Fraud)

Whaling, also known as CEO fraud or business email compromise (BEC), is a sophisticated phishing attack targeting high-level executives or individuals with significant authority within an organisation.

Cybercriminals impersonate CEOs, CFOs, or other top-level executives to deceive employees into transferring funds, disclosing sensitive information, or performing other actions that result in financial loss or data breaches.

How whaling attacks work

Whaling attacks often involve careful research and social engineering to create convincing scenarios.

Cybercriminals exploit the hierarchical structure of organisations, leveraging their authority and credibility to manipulate unsuspecting employees.

They may request urgent wire transfers, confidential data, or even the installation of malware.

Protecting against whaling attacks

To safeguard against whaling attacks, organisations should consider implementing the following measures:

  • Employee education: Provide comprehensive training and awareness programs to help employees recognise the signs of whaling attacks and respond appropriately.
  • Multi-factor authentication: Implement multi-factor authentication for sensitive actions, such as financial transactions or access to critical information systems.
  • Strict authorisation procedures: Establish stringent approval processes for financial transactions, especially those involving large sums of money, to prevent unauthorised transfers.

Protect your organisation with truly effective training

Join the thousands who've discovered how Bob's Business' security and compliance awareness training reduces risk, demonstrates improvement and builds cultures.

Smishing (SMS Phishing)

Smishing, or SMS phishing, involves sending fraudulent text messages to trick users into revealing sensitive information or clicking on malicious links.

How smishing works

Smishing attacks typically involve messages that appear to be from a reputable source, such as a bank, service provider, or government agency.

These messages often contain urgent requests or warnings, creating a sense of urgency and prompting users to act quickly without careful consideration.

Protecting against smishing attacks

To protect against smishing attacks, it is essential to:

  • Be sceptical: Question the legitimacy of unsolicited messages or requests for personal information, especially if they seem urgent or too good to be true.
  • Verify the sender: Contact the alleged sender through a trusted channel, such as their official website or customer support, to confirm the message's authenticity.
  • Avoid clicking suspicious links: Hover over links in text messages to preview the URL before clicking. If it appears suspicious or redirects to unfamiliar websites, refrain from clicking.

Vishing (Voice Phishing)

Vishing, or voice phishing, leverages voice communication channels, such as phone calls or voice messages, to deceive individuals into revealing sensitive information.

These attacks often involve impersonating trusted entities, such as banks or government agencies, to instil a false sense of trust in the victim.

How vishing works

During a vishing attack, cybercriminals employ social engineering techniques to manipulate victims into disclosing personal information or performing actions compromising security.

They may create a sense of urgency, threaten dire consequences, or offer enticing rewards to coerce victims into compliance.

Protecting against vishing attacks

To protect against vishing attacks, it is crucial to:

  • Be cautious: Exercise caution when receiving unexpected calls or messages requesting personal information. Remember that legitimate organisations rarely ask for sensitive details over the phone.
  • Verify the caller: If you receive a suspicious call, ask for identification or contact the organisation directly through their official phone number to verify the legitimacy of the request.
  • Avoid sharing personal information: Refrain from providing personal or financial details to unsolicited callers, even if they claim to represent a trusted entity. Remember, it is better to be safe than sorry.

Search engine phishing

Search engine phishing is a relatively new phishing technique that involves the fraudster creating a legitimate-looking website that features in search engine rankings - often in the 'shopping' section of a search query.

The website will typically offer amazing deals, but when the website user pays for their order, the products never arrive and the payment details might also be used for further fraudulent purposes.

What can you do to protect your organisation?

With a huge variety of phishing attacks out there, it’s easy to see why it is the number one cause of data breaches.

Installing automatic anti-phishing filters can help to prevent around a quarter of phishing emails from reaching employees, but adequate cybersecurity training is essential to protect your business.

Bob’s Business’ award-winning phishing simulations help educate employees on the psychological principles utilised by phishing emails and communications in a safe environment.

Phishing awareness training empowers your team to take the best course of action to stop your company from falling victim to phishing fraudsters.

Learn more about how Bob's phishing simulation training can protect your business.

Back to resources

Ready to build your cybersecurity culture?

Whether you’re looking for complete culture change, phishing simulations or compliance training, we have solutions that are tailor-made to fit for your organisation.

Girl with laptop
Boy with laptop
man and woman with laptops
Global Cyber Alliance