Phishing Attacks 101: Types of Phishing Attacks and How to Prevent Them

Phishing Attacks 101: Types of Phishing Attacks and How to Prevent Them

Anmol Kumar
February 25, 2021
Last updated: February 3, 2024

Phishing

Phishing is a form of social engineering cyber attack that attempts to steal sensitive or valuable information from the victim. Phishing attacks are quite effective because the attacker masquerades as a trusted entity via email or SMS, with content designed to trick the victim. These text messages and emails typically embed malicious links that redirect the recipient to malicious sites, which then install malware or ransomware, or harvest their sensitive data.

Essentially, the primary objective of phishing scams is to gain sensitive, confidential information like login credentials, financial information, etc.

Phishing attacks give attackers a foothold in corporate or government networks, from which they can advance larger-scale attacks. For instance, when attackers target large corporations and organizations, they deceive and compromise employees first. This allows them to bypass the organization's security measures and distribute malware across the whole network. Such organizations experience a data breach, which may then lead to financial and reputational loss.

Here’s an instance of a phishing email:

[Image: example of a phishing email]

Types of Phishing Attacks

Email Phishing 

The most common form of phishing attack is the email scam. The attacker disguises themselves as a trusted authority and goes the extra mile to register a fake domain that resembles a genuine organization's. They then send hundreds or even thousands of generic requests.

Domain names are usually spoofed with the help of look-alike characters or words. For example, the letters ‘r’ and ‘n’ placed together (‘rn’) resemble an ‘m’, and ‘0’ (zero) can be used instead of ‘o’.

To avoid falling for such phishing attacks, one should be wary of the emails they receive. They should carefully analyse the sender’s email address before clicking on any suspicious link embedded in the email or opening an attachment. 
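The sender-address check described above can be automated for triage. This is an added example, not code from the original post: it folds the look-alike substitutions the article names (‘rn’ for ‘m’, ‘0’ for ‘o’) back to the letters they imitate and compares the result against a constructed, hypothetical list of protected domains, treating genuine subdomains as legitimate.

```python
import re

# Look-alike substitutions mentioned in the article ('rn' for 'm', '0' for 'o'),
# plus two other common ones. Each key is folded back to the letter it imitates.
MULTI_CHAR_FOLDS = {"rn": "m", "vv": "w"}
SINGLE_CHAR_FOLDS = {"0": "o", "1": "l", "3": "e"}

# Constructed, hypothetical list of domains this organisation wants to protect.
PROTECTED_DOMAINS = ["examplebank.com", "example-corp.net"]


def fold_lookalikes(domain: str) -> str:
    """Rewrite a domain as the string it most plausibly imitates."""
    s = domain.lower().strip()
    for seq, repl in MULTI_CHAR_FOLDS.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_CHAR_FOLDS.get(ch, ch) for ch in s)


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(from_header: str, protected=PROTECTED_DOMAINS) -> str:
    """Return 'genuine', 'lookalike:<brand>' or 'unrelated' for a From: header."""
    domain = sender_domain(from_header)
    # An exact protected domain, or a real subdomain of one, is genuine here;
    # whether the header itself was forged is a question for SPF/DKIM/DMARC.
    if any(domain == b or domain.endswith("." + b) for b in protected):
        return "genuine"
    folded = fold_lookalikes(domain)
    for brand in protected:
        fb = fold_lookalikes(brand)            # fold both sides for a fair compare
        if (folded == fb                       # exarnplebank.com, examplebank.c0m
                or folded.startswith(fb + ".")  # examplebank.com.login-check.example
                or fb.split(".")[0] in folded): # examplebank-secure.example
            return f"lookalike:{brand}"
    return "unrelated"


if __name__ == "__main__":
    # Constructed From: headers, not taken from any real campaign.
    for s in ["Example Bank <alerts@mail.examplebank.com>",
              "Example Bank <alerts@exarnplebank.com>",
              "Security <noreply@examplebank.c0m>",
              "A Friend <someone@unrelated.example>"]:
        print(f"{classify_sender(s):28} {s}")
```

The keyword check in the last branch deliberately over-matches; in practice the verdict is a triage signal to combine with SPF/DKIM/DMARC results, not a block decision on its own.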

Spear Phishing 

Spear phishing attacks are similar to email phishing, in that the actor, disguised as a trusted entity, attempts to trick the user into clicking on a malicious link or attachment to steal sensitive information. However, spear phishing emails are highly targeted at particular individuals or organizations. The actors pose as a senior employee, a colleague or a business partner and send personalized emails with malicious intent.

The attacker who sends spear phishing mails will possess some or all of the following information about the target:

  • Name
  • Place of employment
  • Job title 
  • Personal/ Official email address
  • Specific information related to their job role

One of the most famous data breaches in recent history, the hacking of the Democratic National Committee was the result of a successful spear phishing attack. 

Whaling 

A whaling attack is very similar to a spear phishing attack, except that the targets are high-ranking officials or CXOs. Because such attacks are well researched and highly targeted, detecting and preventing them is more difficult. These emails use subject lines that prompt immediate action from the recipient; whaling attacks therefore usually resort to subject lines related to income tax returns, tax forms, etc.

Phishing Kits 

A phishing kit is a set of materials and tools that allows an attacker, who may even lack the technical know-how, to create and launch a seemingly genuine phishing campaign. A phishing kit bundles phishing website resources and tools, allowing the attacker to simply install it on a server and send emails to the targets without delay.

Anatomy of a phishing kit

The following image depicts how a phishing kit is made and how it works:

[Image: anatomy of a phishing kit]

How to Prevent Phishing Attacks

Threat actors usually target corporations and organizations, rather than specific individuals. So, it is in the interest of both the organization and its employees to thwart any attempts to steal their confidential data. To achieve that, they have to consider the following steps: 

Employee Awareness

Awareness campaigns help resolve this issue to a great extent and minimize the risk arising from this attack vector. They also reinforce good cyber hygiene practices. Since phishing attacks may target any employee without exception, everyone, including high-ranking officials and executives, must be trained to identify the threat and tackle it.

Multi-factor verification 

All requests for access to, or transfer of, confidential or sensitive data should pass through several levels of verification before they are permitted. Two-factor Authentication (2FA) is the most effective way to prevent phishing attacks that target sensitive applications. 2FA requires two factors before granting access to a file or resource; these include PINs/passwords, OTPs, badges, biometrics, etc. Even if employees are compromised, multi-factor authentication measures reduce the chance of a successful cyber attack.

Social media education 

This is an extension of employee awareness. It has often been found that information posted by employees on social media was used by attackers to craft phishing attacks. This necessitates awareness programs that educate employees about social media best practices.

Anti-phishing tools 

Social engineering attacks such as phishing or whaling exploit human error, unlike other forms of cyber attack. Vendors who offer anti-phishing software and managed security services help prevent whaling and other forms of phishing attacks.

The Anti-Phishing Working Group (APWG) is an organization dedicated to cybersecurity and phishing research and prevention. It provides resources for companies affected by phishing and conducts research to provide information on the latest threats. Companies may choose to report a suspected threat to APWG for analysis.

Most Expensive Phishing Attacks

1. Facebook and Google 

Facebook and Google, together, were scammed out of over $100 million, between 2013 and 2015. The actors carried out the campaign through an elaborate fake invoice scam. A Lithuanian hacker masqueraded as a large Asian-based manufacturer and sent each company a series of fake invoices.

2. Sony Pictures 

In another instance, Sony employees were targeted through a series of spear phishing emails. LinkedIn was part of the adversary’s tactics: they obtained names and titles of Sony employees from this professional networking website. The actors posed as their colleagues and sent malicious emails laced with malware to unsuspecting targets. This led to a major data breach involving over 100 TB of company data, which cost Sony more than $100 million.

3. Crelan Bank 

Crelan Bank in Belgium lost $75.8 million in a CEO fraud attack. The company was notified about this attack only during an internal audit. Although the attackers responsible have not been identified, Crelan Bank implemented new security measures to prevent another similar attack.

For more details and insights about phishing email subjects refer to: https://blog.knowbe4.com/topic/top-clicked-phishing-email-subjects

Author

Anmol Kumar

Anmol is a Cyber Security Analyst at CloudSEK. He graduated from Quantum School of Technology, Roorkee with a bachelors degree in Computer Science. As an analyst he helps clients identify potential threats. He is also interested in traveling and photography.
