Are you familiar with the different types of phishing schemes? According to the 2021 Verizon Data Breach Report (DBIR), phishing is responsible for about one in three U.S. data breaches. It involves an attacker deceiving or tricking an unsuspecting victim into revealing valuable information, such as usernames, passwords or Social Security numbers. The attacker may then sell this information on the black market or use it to perform other nefarious activities. The attacker’s primary objective is to capture information from the victim through deception, but there are several types of phishing schemes.
1) Clone
Clone phishing uses a legitimate email that’s copied and then modified for phishing purposes: the attacker first copies a genuine message, then alters it so that it captures information from the recipient or recipients to whom it’s sent.
Of all the different types of phishing schemes, clone phishing is one of the most common. You’ve probably received a clone phishing email before. According to Valimail, over 3 billion phishing emails are sent daily, many of which are part of a clone phishing scheme. The emails look like real, business-branded emails, but they contain malicious links, file attachments, phone numbers or other elements that are used to capture information.
Common signs of a clone phishing email include:
- Misspelled words or bad grammar
- Not personalized with the recipient’s name
- Contains shortened links or links to an unofficial website
- Instills a strong sense of urgency
- Flagged as spam
- Multiple addresses displayed in the CC field
- Unknown sender name
- File attachments
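Most of the signs in the list above can be checked mechanically before a message reaches a user. The script below is an added example written for this article, not code from the article's author: it parses a raw email with Python's standard `email` package and reports which of the listed signs are present. The shortener list, the organisation's sender allowlist, the urgency phrases, the `X-Spam-Flag: YES` convention (used by SpamAssassin-style filters), and both sample messages are constructed assumptions; misspelling detection is left out because it needs a dictionary.

```python
"""Check a raw email against the clone-phishing warning signs listed above (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Illustrative lists (assumptions); a real deployment maintains these from its own data.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours", "suspended", "act now", "verify now")
KNOWN_SENDER_DOMAINS = {"example-bank.com", "example.com"}  # assumed allowlist of trusted senders
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; ignores multi-part TLDs such as co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def message_body_text(msg: EmailMessage) -> str:
    """Concatenate all text/plain and text/html parts, skipping attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            continue
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_content())
    return "\n".join(chunks)


def phishing_signs(raw_email: str, recipient_name: str) -> dict:
    """Return a dict mapping each warning sign to True (present) or False (absent)."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    sender_addr = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = registrable_domain(sender_addr.rsplit("@", 1)[-1])
    body = message_body_text(msg)
    lower_body = body.lower()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    cc_addrs = [a for _, a in getaddresses([str(h) for h in msg.get_all("Cc", [])]) if a]

    return {
        "unknown_sender": sender_domain not in KNOWN_SENDER_DOMAINS,
        "not_personalized": recipient_name.lower() not in lower_body,
        "shortened_links": any(registrable_domain(h) in SHORTENER_DOMAINS for h in hosts),
        # Links whose domain differs from the sender's domain (a signal, not a verdict:
        # legitimate mailers also use third-party domains)
        "offsite_links": any(registrable_domain(h) != sender_domain for h in hosts),
        "urgency": any(p in lower_body for p in URGENCY_PHRASES),
        "spam_flagged": str(msg.get("X-Spam-Flag", "")).strip().upper() == "YES",
        "many_cc": len(cc_addrs) >= 3,
        "attachments": any(p.get_content_disposition() == "attachment" for p in msg.walk()),
    }


def risk_score(signs: dict) -> int:
    """Number of warning signs present (0 to 8)."""
    return sum(1 for present in signs.values() if present)


# Constructed sample: a clone of a bank alert, rewritten to harvest credentials.
SUSPICIOUS_EMAIL = """\
From: Account Security <security@example-bank-alerts.net>
To: jane@example.com
Cc: a@example.com, b@example.com, c@example.com
Subject: Your account has been suspended
X-Spam-Flag: YES
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="utf-8"

Dear customer,

Unusual activity was detected. Verify now within 24 hours at
http://bit.ly/verify-acct or your account will remain suspended.

--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

# Constructed sample: a genuine, personalised statement notice from an allowlisted domain.
BENIGN_EMAIL = """\
From: Statements <statements@example-bank.com>
To: jane@example.com
Subject: Your March statement is ready
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Hi Jane Doe,

Your March statement is available at https://www.example-bank.com/statements
whenever you would like to review it.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        signs = phishing_signs(raw, "Jane Doe")
        print(label, risk_score(signs), [k for k, v in signs.items() if v])
```

The score is a simple count, so each sign weighs the same; in practice a mail gateway would weight shortened links and mismatched sender domains more heavily than a missing name, and would feed the result into quarantine or user-warning rules rather than block on it outright.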
2) Spear
Before conducting a spear phishing attack, the attacker will typically research the victim. The attacker may try to find out what banks the victim uses, where the victim is located, what services the victim uses and more. With this information, the attacker will target the victim with spear phishing in an attempt to capture even more sensitive information.
3) Whale
Whale phishing is a type of phishing scheme that targets a high-level professional. It’s essentially a variant of spear phishing. Some whale phishing schemes target business owners. Others target Chief Executive Officers (CEOs), Chief Technical Officers (CTOs), Chief Marketing Officers (CMOs) or Chief Financial Officers (CFOs).
High-level professionals are colloquially known as whales. They typically have access to more sensitive information than the lower-level professionals at the businesses for which they work. Therefore, they are often targeted by whale phishing schemes. Attackers will create emails, social media messages or call scripts that are custom-tailored for a specific high-level professional.
Keep in mind that some phishing schemes may overlap with each other. An attack may be considered both a whale phishing and clone phishing attack, for instance. The attacker may copy a legitimate email and modify it to target a high-level professional.
4) Calendar
Calendar phishing is a type of phishing scheme in which the attacker sends malicious links through calendar invitations. Most calendar phishing attacks use Google Calendar. Released in 2009, Google Calendar is a cross-platform scheduling tool. It allows users to create events for specific dates and times. But some attackers may use calendar phishing to capture information from Google Calendar users.
With calendar phishing, the victim will receive an unsolicited Google Calendar invitation. The tool’s default settings will automatically include the invitation sender’s message on the recipient’s calendar. The recipient doesn’t need to accept the invitation. Instead, the recipient will see the sender’s message displayed on their calendar. This message may contain malicious links for phishing purposes. Victims who click the links may be prompted to enter information like their usernames, passwords or personal information.
The easiest way to protect against calendar phishing is to change the Google Calendar settings. If you use Google Calendar, you shouldn’t keep the default settings. Instead, change the setting so that only invitations you have responded to or accepted are added to your calendar.
5) SMS
There’s also short messaging service (SMS) phishing. This phishing scheme is distinguished from all other types by its use of SMS as an attack vector. Attackers will harvest phone numbers — or they will purchase phone numbers in bulk — after which they will send phishing text messages to those numbers.
Like many other types of phishing schemes, SMS phishing often uses malicious links to capture information. Text messages can contain links. Attackers may create text messages that include links to spoofed web pages where victims can enter their information. Alternatively, attackers may ask the victims to call a number in the text messages. Upon calling the number, the victims may be prompted to confirm their password or other sensitive information.
6) Voice
Voice phishing is perhaps the oldest type of phishing scheme. Before the advent of email and text messaging, attackers would call their victims to capture information from them. They would impersonate other businesses that the victim trusts while soliciting sensitive information from them.
Voice phishing has evolved over the years to include different tactics. Attackers may now use robocalling software to automatically call their victims, and they may spoof the numbers from which they call their victims. Regardless, voice phishing is still around.
7) Watering Hole
Watering hole phishing is a type of phishing scheme that sets a trap to capture information from a business’s employees. Employees who fall for the trap will unknowingly provide the attacker with information or access to their business’s network.
Most watering hole phishing attacks use an infected website as the trap. The attacker will identify a website that’s frequently visited and used by the business’s employees. The attacker will then infect the website with phishing-related malware.
It only takes a single phishing scheme to cause a data breach. Once you give up your information, it will fall into the attacker’s hands. Some of the most common types of phishing schemes include clone, spear, whale, calendar, SMS, voice and watering hole.