Types of Phishing Attacks

In this lesson, we will explore the different types of phishing attacks.

Phishers don’t need to trick everyone they email in order to be successful. They generally cast a wide net and count on someone to have an off day and go along with the attack. Duo’s The Trouble With Phishing states that 17% of people who receive phishing emails enter their credentials into phishing sites. Put another way, on average, a phisher with just six email addresses can expect to trick one of the account owners into revealing their login credentials.

It’s just an email. What’s the worst that could happen? Let’s take a look at the most common types of phishing attacks.

Phished credentials

By far, the most common phishing attack is to steal login credentials. Generally, this is done by setting up a malicious website that looks the same as the login screen for Gmail, Office 365, Dropbox, or another popular service, hosted on a domain the phisher controls.

The phisher then sends a phishing email to the intended victim. The phishing email will contain a link to the malicious website as part of a message that claims that it’s important for the recipient to click on the link and log in. If the phisher is “lucky,” Pavlovian conditioning will kick in when the user sees what appears to be a familiar login screen and the user will submit their credentials to the malicious website.

Stolen credentials can be quite damaging. A phisher who has taken over an email account can probably trigger password resets for most of the other online services associated with that email address, like social media accounts and financial accounts, because the reset links are delivered to the inbox the phisher now controls. The phisher can also exfiltrate old email.

If the phisher wants to take over the account outright, they can reset the password for the email account and lock the victim out. If the phisher wants to be stealthier, they can use the newly compromised account to send further phishing emails to people in its address book and then delete the sent messages so the legitimate owner is less likely to notice. These phishing emails carry added credibility because the new wave of victims sees them as coming from someone they know, which increases the likelihood that the recipient will click the link and follow the instructions to log in.

What do phishing emails look like? Many phishing emails are generic and are meant to be sent out widely. A common premise for these is the past-due invoice. These phishing emails create a sense of urgency by claiming that the victim is behind on payments and will get in trouble if they don’t pay right away. When these phishing emails are successful, the phisher will use the newly acquired credentials to resend the phishing email to people in the new victim’s contact list and continue the process. But a phisher who has a specific target in mind can tailor the phishing email.

After doing research about the company, an attacker can forge an email that, at first glance, appears to come from an important executive, customer, or vendor. The subject could pertain to recent company events. Phishing emails could be sent out in batches to see what gets the best responses in order to tweak later batches. Early waves of reconnaissance emails could be used to look for common email signatures or terminology that’s in use at the company.
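Both attacks described above leave traces that a receiving system can check: a cloned login page sits on a domain that merely resembles the brand's, a deceptive link shows one host in its text while its href points to another, and a message "from" an executive arrives from an address that is not theirs. The Python below is an added example written for this edit, not code from the lesson or from Duo. The organization domain, the staff directory, the brand list, the confusable-character table and the sample message are all constructed for illustration; a production filter would use a public-suffix list and a full Unicode confusables table.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example (not taken from the lesson): the recipient's
# own domain, a directory of staff whose names a phisher might borrow, and
# a few brand login domains that are commonly cloned.
ORG_DOMAIN = "example.com"
KNOWN_STAFF = {"dana lee": "dana.lee@example.com"}
BRAND_DOMAINS = {"accounts.google.com", "login.microsoftonline.com", "www.dropbox.com"}

# Digits that phishers substitute for the letters they resemble (deliberately small).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Naive: ignores suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def trusted_domains() -> set:
    return {ORG_DOMAIN} | {registrable_domain(b) for b in BRAND_DOMAINS}


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if it is genuine."""
    host = host.lower()
    reg = registrable_domain(host)
    trusted = trusted_domains()
    if reg in trusted:
        return None                              # really ours / really the brand's
    if reg.translate(CONFUSABLES) in trusted:
        return reg.translate(CONFUSABLES)        # examp1e.com -> example.com
    for t in trusted:                            # brand name buried in a subdomain
        if host.startswith(t + ".") or "." + t + "." in host:
            return t
    return None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare link text such as 'foo.com' is treated as a host."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "https://" + s
    return (urlparse(s).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message: str) -> list:
    """Return a list of findings for one raw RFC 5322 message (empty if nothing looks odd)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Authentication results recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 2. From: a staff member's name on an address that is not theirs,
    #    or a sender domain that imitates ours or a brand's.
    sender = msg["From"].addresses[0]
    name = re.sub(r"\(.*?\)", "", sender.display_name).strip().lower()
    addr = sender.addr_spec.lower()
    if name in KNOWN_STAFF and KNOWN_STAFF[name] != addr:
        findings.append(f"display name '{sender.display_name}' belongs to {KNOWN_STAFF[name]} but address is {addr}")
    target = lookalike_of(sender.domain)
    if target:
        findings.append(f"sender domain {sender.domain.lower()} imitates {target}")

    # 3. Links: text that shows one host while the href goes elsewhere,
    #    and hrefs whose host imitates a trusted domain.
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text) if "." in text else ""
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but points to {real}")
        target = lookalike_of(real)
        if target:
            findings.append(f"link host {real} imitates {target}")
    return findings


# Constructed sample message (not a real campaign): the phisher owns examp1e.com,
# so SPF/DKIM/DMARC all pass for that domain; only the lookalike checks catch it.
SAMPLE_EMAIL = """\
From: "Dana Lee (CFO)" <dana.lee@examp1e.com>
To: pat@example.com
Subject: Past-due invoice #4471 - action required
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is past due. Log in now to avoid suspension:</p>
<p><a href="https://login.microsoftonline.com.examp1e-billing.com/auth">https://login.microsoftonline.com</a></p>
<p>Shared files: <a href="https://www.dropbox.com/home">Dropbox</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Note what the authentication check does and does not buy you: it catches a message that forges the organization's own domain, but in the sample the phisher registered a lookalike domain and set up SPF and DKIM for it, so every mechanism passes. The display-name and lookalike-domain checks are what flag the executive impersonation, and the link check flags the cloned login page whose brand name appears only as a subdomain of the phisher's host.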
