PHISHING SCENARIOS, Ioannis Iglezakis, Panagiota Kiortsi

Phishing is a type of cybercrime in which criminals target victims through online means of communication and try to lure them into disclosing their identity and other sensitive information. A phishing attack can take various forms; the most common ones are presented below.

1. Email Phishing/Smishing

Email “phishing” is the most common type of phishing. It is an identity theft scam that targets unsuspecting victims through email and text messages and tricks them into giving up personal or business information, such as credentials, that attackers can then use to gain access to bank accounts. It relies on social engineering, namely the psychological manipulation of the target: the attacker pretends to be a trusted entity (e.g. a public authority) and creates a false sense of urgency and fear. The perpetrators also exploit the fact that victims are busy and tend to act hastily.
An alternative method is to send text messages rather than emails. This is called SMS phishing or smishing: the text messages appear to come from a legitimate source (such as a trusted company or a government authority) and contain malicious links that take victims to websites designed to steal their identity information or credentials.

More specific scenarios can be described as follows:
- Scenario 1: In some cases, falsified but authentic-looking emails are sent using the names and details of real high-ranking executives. The attackers inform the victim that he or she has committed some kind of crime and is going to be prosecuted, and convince the victim to supply personal information or to open attachments that contain malware.
- Scenario 2: In other cases, emails or SMS messages appear to come from other trusted entities, e.g. a bank or a tax authority such as the IRS. The victims are informed that their personal information has been breached and are prompted to visit a fake website, where they are asked to enter their e-banking passwords and similar data.
- Scenario 3: The attackers trick their victims into downloading malware (malicious software) onto their mobile phones. Such SMS-delivered malware can be disguised as a legitimate app that tricks victims into disclosing passwords and other personal data.
- Scenario 4: Fraudulent SMS messages contain links that lead to a fake site which tricks the victim into providing personal information (link manipulation). Malicious sites mimic reputable ones to confuse their victims; redirecting victims to such a copy of a legitimate site without their noticing, typically by tampering with DNS resolution, is called pharming. A subcategory of this type of attack is when attackers abuse the authentication flow of legitimate websites by using pop-up windows that steal the victims’ usernames and passwords.

2. Spear phishing

Spear phishing involves sending malicious emails to specific individuals within an organization. Rather than sending mass emails to thousands of recipients, this method targets selected employees at specifically chosen companies. These emails are usually personalized to make the victim believe they have a relationship with the sender.

In particular, the following are more specific examples of spear phishing attacks:
CEO fraud refers to attacks in which the attackers impersonate high-profile employees and managers in order to trick employees into divulging financial or other sensitive data.
At the other end of the spectrum, whaling is a type of spear phishing that targets the high-ranking executives themselves, at organizations or public entities, because they have access to large volumes of data.
In both types of attack, the fraudulent messages create a false sense of urgency so that the recipient reveals a password or another piece of critical information without first verifying the sender’s identity, consequently jeopardizing the safety of data subjects.

3. Social Media Phishing

Social media phishing is an attack in which attackers use social networking sites, e.g. Facebook, Instagram, etc., to steal victims’ identity information and/or other personal data or to entice them into clicking on malicious links. The perpetrators may create fake profiles impersonating someone the victim knows, or they may even impersonate a well-known brand’s customer service account to prey on victims who reach out to the brand for support.

4. SIM Swapping

SIM swap fraud is a phishing attack in which the perpetrator aims to take control of the victim’s phone number. The perpetrator contacts the telecom operator and presents forged documents (a fake ID and authorization) to convince the operator that they are authorized by the victim to replace the SIM card; the personal data of the victim needed for this may be bought from data brokers, taken from data breaches sold on the dark web, or stolen using spyware. The perpetrators falsely claim that the SIM card was lost or destroyed. Once they obtain the new SIM card, they insert it into their own phone. As soon as the new SIM card is activated the old one is automatically deactivated, and calls, SMS, internet access, etc. are now handled by the perpetrator’s device, which operates with the same number. This is how they receive the 2FA or OTP SMS codes that allow them to log into the victim’s bank accounts and e-wallets or to confirm card transactions. Note that taking over the number does not give access to data stored on the victim’s handset, such as its browsing history; credit card numbers and PINs have to be obtained separately.

5. Quishing

This type of attack combines a QR code with social engineering. The attackers may know that the victim recently received a shipment tracking notification by email. An email is sent to the victim stating that their payment was declined and that they must scan the QR code sent to them in order to complete the payment. The QR code leads to a link that prompts the victim to disclose their credit card number, PIN, etc. As people are generally not suspicious of QR codes, and cannot see the encoded URL before scanning it, they can be tricked by this kind of attack.

6. Man-in-the-middle attack

This type of attack involves the attacker intercepting the communication between two parties in order to secretly eavesdrop on it, modify it, or inject malicious content into it. For instance, the attacker may intercept communication between the victim and a trusted organization, such as a bank or an online retailer, and then use this information to impersonate the organization and trick the victim into providing sensitive information such as login credentials or credit card numbers.
Typically, fraudsters use a manipulated email address resembling a real one and trick the victim into making payments to a fake account or into visiting a fake site (pharming attack).
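Scenario 4 in section 1 (link manipulation), CEO fraud in section 2 and the manipulated sender address described here all reduce to checks that a mail gateway or an analyst can automate: does the visible link text match its real target, does the sender domain imitate a trusted one, does the display name borrow an executive’s name while the address is external, and does Reply-To divert replies elsewhere. The following script is an added example, not code from the original article; the message, the trusted domain `example-corp.com` and the executive name are constructed for illustration, and the lookalike heuristics (ASCII substitutions, edit distance of one, trusted domain used as a leading subdomain) are deliberately simple assumptions rather than a complete confusables or public-suffix implementation.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email): CEO fraud with a lookalike
# sender domain, a Reply-To pointing elsewhere and a link whose text hides
# its real target.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: cfo@example-corp.com
Subject: Urgent wire transfer - confidential
Content-Type: text/html

<p>Please approve today. Portal:
<a href="http://example-corp.com.secure-login.example/pay">https://example-corp.com/portal</a></p>
"""

# Hypothetical organisation data a mail gateway would load from configuration.
TRUSTED_DOMAINS = {"example-corp.com"}
EXECUTIVE_NAMES = {"jane doe"}

# ASCII substitutions commonly used to build lookalike domains. Unicode
# homoglyphs (IDN) would need a confusables table on top of this.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def normalize(domain: str) -> str:
    """Fold common character substitutions so examp1e-corp.com reads as example-corp.com."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single insertion/deletion/substitution is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=frozenset(TRUSTED_DOMAINS)):
    """Return the trusted domain that `domain` imitates, or None if it is
    genuinely trusted (or a subdomain of it) or simply unrelated."""
    domain = domain.lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    for t in trusted:
        if domain.startswith(t + "."):  # trusted.com.attacker.example
            return t
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1:
            return t
    return None


def analyze(raw: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    if any(e in name.lower() for e in EXECUTIVE_NAMES) and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' matches an executive but sender domain is {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} is a lookalike of {imitated}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = reply.rpartition("@")[2].lower()
    if reply and reply_dom != from_dom:
        findings.append(f"Reply-To diverts replies to {reply_dom}, not {from_dom}")
    # Concatenate leaf MIME parts; transfer-encoding is ignored in this example.
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for href, text in ANCHOR_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and shown.lower() != target:
            findings.append(f"link text shows {shown} but points to {target}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"link target {target} imitates {imitated}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed message it reports five findings; a genuine message from `jane.doe@example-corp.com` with no Reply-To and plain links reports none. The same checks apply unchanged to the URL behind a smishing link or a quishing QR code once the URL has been extracted.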
