“Phishing” is an umbrella term that refers to various different ways that scammers and hackers can attempt to gain access to private and/or sensitive data and information. In this guide, we will explain the different types of Phishing that scammers use, and how you can avoid falling for their bait.
Different threat actors have different motives—some may be competitors or individuals attempting to sell data to competitors or other third parties, some may be attempting blackmail, and others may be attempting to spread malware. Ultimately, the main motivation for Phishing is financial profit.
Phishing can occur on a range of scales, from targeting the bank account of an individual to attempting to access the internal systems of large organisations at the very highest levels.
You have most likely encountered phishing scams, usually on your personal or work email accounts. The most well-known example is when unknown email addresses claim to want to send you money and request your bank account details. These emails usually end up in the spam or junk folder, but can often slip through to the primary inbox.
Phishing scams can affect organisations from the smallest startup to the biggest global corporation.
Different types of Phishing and what to look out for
Different Phishing scams use different techniques, so unfortunately there isn’t a one-size-fits-all approach to identifying and avoiding Phishing. Here are some of the most common types of Phishing and a few “red flags” to look out for.
The standard type of Phishing is the use of malicious links sent via email. These links are often disguised as links to something more legitimate, or even as something else entirely. The main red flags to look out for in order to detect Phishing include:
- “Links” that display no text, or an unexpected or misspelled address (e.g., “www.amazz0n.co.uk”), when hovered over with your cursor.
- A sense of urgency in the written text, for example the mentioning of a strict deadline that causes you to panic and act before thinking.
- Poor spelling and grammar. Phishing attempts can come from multiple threat actors, including non-native English speakers. Spelling mistakes can even be in email addresses themselves!
- An email address that doesn’t match the text, either due to misspelling (e.g., “Amazzon.services”), a personal email address, or something else entirely unrelated.
- An email that addresses you by “Sir/Madam”, or your full email address, rather than your name.
Standard Phishing scams can affect literally anyone, as they typically target many people en masse. Bulk emails are sent to email addresses that are accessible online or obtained by other means. Even if most people aren’t fooled, these scams are a numbers game: even one or two people handing over data can make them worth the scammers’ time.
If you are unsure of the legitimacy of an email, ask yourself if you were expecting an email on this subject and from this sender. If not, and the email claims extreme urgency of response, this could mean that it is a Phishing attempt.
By hovering over (but not clicking!) any links in the email with your cursor, you can usually see the real destination address before you click. Does the address that pops up match that of a legitimate site, or is it something unexpected?
You can also cross-reference the email address with known addresses from that organisation—you can often find out if an email address is legitimate by putting it into a search engine and seeing if it is mentioned online by that organisation.
Additionally, if it is from someone you know (an organisation or individual), simply call them from a number you know is theirs and ask them if the email is legitimate, or even ask face-to-face!
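As an added example (not part of the original guide), here is a small Python checker that applies the red flags above to an email’s From header and HTML body: link text that doesn’t match the real destination, look-alike domains such as “amazz0n”, urgency wording, a generic greeting, and a sender domain imitating a known brand. The allow-list, brand names, keyword lists and sample messages are assumptions constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Assumed allow-list and brand names; a real deployment would maintain its own.
ALLOWED, BRANDS = {"amazon.co.uk", "amazon.com", "paypal.com"}, {"amazon", "paypal"}
URGENT = re.compile(r"within 24 hours|immediately|account will be suspended|act now", re.I)
GENERIC = re.compile(r"dear (sir|madam|customer|user|[\w.+-]+@)", re.I)  # no real name used
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
CONFUSABLES = str.maketrans("013$", "oles")  # undo common digit-for-letter swaps

def host_of(url):
    # Hostname of a URL or bare domain, lower-cased, with a leading "www." removed
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return re.sub(r"^www\.", "", host.lower())

def is_lookalike(host):
    # True when the first label imitates a brand but the host is not on the allow-list
    if not host or host in ALLOWED:
        return False
    label = host.split(".")[0].translate(CONFUSABLES)
    return any(SequenceMatcher(None, label, b).ratio() >= 0.8 for b in BRANDS)

def phishing_red_flags(from_header, body_html):
    # Returns the list of red flags found in one email; an empty list means none found
    flags = []
    for href, text in ANCHOR.findall(body_html):
        host, text = host_of(href), re.sub(r"<[^>]+>", "", text).strip()
        if not text:
            flags.append(f"link with no visible text -> {host}")
        elif re.search(r"\w\.\w", text) and host_of(text) != host:
            flags.append(f"link text '{text}' actually points to {host}")
        if is_lookalike(host):
            flags.append(f"look-alike domain in link: {host}")
    if URGENT.search(body_html):
        flags.append("urgency wording in body")
    if GENERIC.search(body_html):
        flags.append("generic greeting instead of your name")
    addr = re.search(r"<([^>]+)>", from_header)
    sender = (addr.group(1) if addr else from_header).split("@")[-1].lower()
    if is_lookalike(sender):
        flags.append(f"sender domain imitates a known brand: {sender}")
    return flags

# Constructed sample messages (not real emails)
SUSPECT_FROM = "Amazon Customer Service <security@amazzon.services>"
SUSPECT_BODY = ("<p>Dear Sir/Madam,</p><p>Your account will be suspended within 24 hours. "
                '<a href="http://www.amazz0n.co.uk/verify">www.amazon.co.uk</a></p>')
CLEAN_FROM = "Amazon <no-reply@amazon.co.uk>"
CLEAN_BODY = '<p>Dear Alice,</p><p>Your order has shipped: <a href="https://www.amazon.co.uk/orders">View your order</a></p>'
```

Running `phishing_red_flags(SUSPECT_FROM, SUSPECT_BODY)` reports five flags for the constructed scam message, while the clean sample reports none.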
Phishing scams are not just limited to email inboxes. “Smishing” is when a scammer uses one or more SMS text messages to attempt to gain sensitive information. Warning signs of Smishing include:
- A sense of urgency conveyed.
- An unfamiliar number displayed. However, this is not always the case, as caller ID can be changed.
- An unfamiliar link in the text.
- Poor spelling and grammar.
- A request to provide sensitive information (e.g., bank account details) via text message rather than by logging into an online banking service.
The best way to defend yourself against Smishing scams is to check whether the number belongs to a legitimate company. You can do this by searching for the number online; there are many websites that log the numbers used by scammers.
If the message claims to be from your bank or another organisation you are part of, you can contact that organisation (using a number or email address supplied to you by the bank via their website, your card, or documents they have supplied you with) to verify if they sent that message. Most banks will never ask you to provide account details via text message.
“Vishing” is also known as “Voice Phishing”, and is exactly what it sounds like. This is when scammers contact you by telephone (either home or mobile) in order to carry out scams. In some cases, they will send an automated voice message, and in others you may end up speaking to a real person live. Look out for:
- A sense of urgency. A common method of vishing scams is to claim that your computer has been hacked.
- An unfamiliar number with no caller ID. However, more advanced scams can fake caller IDs.
- Requests for sensitive information.
- Name dropping in order to falsify authority.
You should always ask who is calling if you suspect a phone call may be a scam. If sensitive information such as passwords is requested, it is very likely a scam. If in doubt, tell the caller that you will get back to them shortly and check with your IT/Security team or bank. If the caller tries to dissuade you from this or rush you, you are almost certainly dealing with a scammer.
Angler Phishing is a type of Phishing that occurs on social media platforms. Scammers will create fake accounts (usually those of corporations, sometimes even the company that runs the platform itself) in order to prompt users to provide sensitive information such as platform login details or bank account information, or even download malware. In some cases, scammers will even target individuals specifically, using their public posts for information. In 2016, an advanced Angler Phishing scam that cloned and faked real personal accounts affected thousands of Facebook users! When using social media sites, be wary of:
- Accounts that appear to be from well-known companies but are unverified (e.g., on Twitter, verified accounts display a blue tick).
- Unprompted requests for sensitive data from these accounts.
- Messages from “friends” that seem out of the ordinary, such as messages offering to send you large amounts of money.
If you encounter a suspected Angler Phishing scam, the best thing to do is to avoid replying, and report it to the platform administrators.
“Whaling” is the name given to Phishing scams that specifically target senior management or even CEOs and directors of companies. Instead of casting a wide net with a simple scam, Whalers tend to plan and refine their techniques before attacking. In many cases, they will falsify the identity of another senior member of the organisation and request access to sensitive information such as tax forms and other financial details. Senior members of organisations should look out for:
- Email addresses mimicking those of a co-worker, superior, or general department (e.g., “HRpayroll@organisation.com”).
- Requests that seem out of the ordinary.
- Requests that convey urgency.
- Requests that use a personal tone and business jargon.
Although Whaling scams are usually more advanced than other Phishing scams, you can still avoid them by maintaining strong internal verification processes for your organisation which are regularly updated. If an email from a co-worker seems suspicious, you could even call that co-worker to confirm.
Spear Phishing is similar to Whaling in the sense that it targets specific individuals through the use of relevant personal information and the faking of a trusted source. However, unlike Whaling, Spear Phishing can be used to target anybody regardless of their occupation or ranking. In this sense, Spear Phishing is similar to standard Phishing, only more targeted and personalised.
The signs of Spear Phishing are similar to those of standard Phishing, yet typically contain information personal to you. Emails that convey urgency of clicking links or providing sensitive information, include your real name, or purport to be from trusted sources may be Spear Phishing attempts. The signs of Spear Phishing also match signs of Whaling, but not only senior-ranking individuals need to be wary of them.
To avoid falling for a scam, be vigilant for all of these “red flags”. Remember that you’re not only at risk in the office, but also at home on your personal accounts and when working remotely.
What other tactics can scammers use?
There are many manipulation tactics that scammers often use in order to gain sensitive information, most of which come under the bracket of “social engineering”. Social engineering is the use of human interaction, rather than hacking technology (although this is often used as a component of these techniques), and it aims to exploit trust and human error. This includes using intimidation, pretending to have authority that they do not, or inventing scarcity to create a particular feeling of urgency.
For example, Baiting is a type of scam similar to Phishing, where something desirable is offered in exchange for sensitive data such as login information. “Bait” can be various digital or physical items, from a free media download to a brand-new smartphone, laptop, or even vehicle (although in most scams, these items won’t actually exist)! Signs that an offer may in fact be a Baiting attempt include:
- An offer from a company or individual you have never heard of.
- An offer that seems overly generous. Let’s be honest, a company you aren’t a customer of is unlikely to want to give you a free BMW.
Baiting can take place over email or on websites—pop-up ads are common sources of baiting attempts, so avoid clicking on these. Most of the standard Phishing red flags also apply to baiting scams.
Dumpster Diving is a form of no-tech hacking where intruders literally search through rubbish, desk drawers, or other places for physical copies of sensitive information. Sometimes this information is login details that can be used to access other data, and other times Dumpster Divers will use information to create identity profiles in order to carry out more effective scams at a later date. You can avoid this by:
- Avoiding printing or writing down sensitive information, such as passwords and client / project details.
- Correctly locking away hard copies of data.
- Correctly destroying hard copies when finished with them, such as putting files through a cross-cut shredder.
In some cases, organisations have even fallen foul of data protection laws by discarding unshredded paper copies of data in bins accessible to people outside of the organisation.
What to do if you think you have encountered a Phishing attempt
If you have any doubts over the legitimacy of an email, message, or phone call, you should avoid providing any of the information requested. If an email address is incorrect or links do not match their description, it is likely that you have encountered a Phishing scam.
If this happens in your workplace or educational institution, you should report it to your organisation’s IT or data security team—even if the scam doesn’t fool you, it might fool somebody else in the organisation! Most email providers also offer simple “Report” buttons to report senders for Phishing attempts.
If you have fallen victim to a Phishing attempt, it is also essential to immediately reset the affected account with a new password, and to do the same with any other accounts that use the same password.
Frequently Asked Questions
How likely is it that I will encounter phishing scams?
Unfortunately, most of us will encounter Phishing attempts often, especially if you engage with social media and the internet regularly.
How do I stay safe against phishing?
Knowing what to look out for, and avoiding clicking links or sending information to unverified accounts, can make sure that you aren’t the victim of a Phishing scam.
What can I do to contribute and improve spam filters?
Spam filters become more effective over time by learning to identify patterns that signify potential scams. You can help these spam filters improve by reporting Phishing attempts to your email provider—there is usually a simple “Report” or “Mark as Spam” button for this.
How can I protect colleagues from phishing?
To protect colleagues from Phishing, avoid sharing their information (e.g., email addresses) when not necessary, and keep your security team updated on any potential scams you encounter. Cyber security is the responsibility of all members of an organisation, and is strongest when applied across an entire organisation as a team effort. In addition to any virtual firewalls, make sure that you also have a strong “human firewall”!