11 Types of Phishing Attacks Every Employee Should Know About
March 02, 2023
Phishing attacks, a type of cybersecurity attack that first gained notoriety in the mid-1990s, remain a major threat to all kinds of businesses. The attacks use sophisticated social engineering ploys to deceive individual employees into clicking on malicious links or sharing privileged information.
Falling victim to a phishing attack can cost a business millions of dollars, but they’re not the easiest attack vector to defend against. Employees play an important role, as does cybersecurity technology including Secure Email Gateways (SEGs) and active phishing prevention software like IronVest InboxGuard.
One of the keys to successfully defending a business against phishing attacks is knowledge. That begins with understanding the different types of phishing attacks that face companies today.
What types of phishing attacks threaten companies?
With phishing attacks so prevalent, it’s important for organizations to ensure their employees retain a current knowledge of the latest phishing scams.
Phishing attacks can range from small-scale attacks to much larger offensives that threaten the security of entire businesses. This can result in severe damage. Considering that it only takes one employee to make an error and click on a link to expose the whole business, leaders must implement multilayered solutions.
Countless businesses have lost millions of dollars to phishing attacks, with losses driven by costs including ransom payments, lost productivity, legal costs, and more. Beyond this, phishing attacks can lead to major data breaches: something which can have lasting reputational damage.
Is your business vulnerable to phishing attacks? Get a Free Phishing Vulnerability Report from IronVest InboxGuard to determine your security profile.
11 types of phishing attacks and how to spot them
Attackers continue to develop new phishing attacks. These increasingly advanced ploys can be very effective, and it’s important that businesses, and their employees, know how to spot the major types of phishing attacks.
1. Spear phishing
What is It: These attacks target individual employees with personalized emails that aim to trick the recipient into downloading a file or opening a link containing malware.
How to Identify It: Encourage employees to check the email sender’s details and verify any demands (such as a request to pay an overdue invoice) independently before clicking on any links.
Example of a Spear Phishing Attack: A finance employee receives an email that seems to be from their CFO requesting that they urgently click on a link to verify an invoice payment.
Tips for Prevention: Invest in active phishing prevention software that provides employees with real-time coaching that highlights more sophisticated attacks that evade traditional SEGs.
2. Email Phishing
What is It: One of the most common forms of phishing attack is the mass email phishing attack, where attackers target large groups of employees with phishing emails simultaneously.
How to Identify It: These attacks tend not to be the most sophisticated and are often flagged by anti-phishing technologies. However, employees should exercise caution around opening links or attachments from unknown senders.
Example of an Email Phishing Attack: Employees receive an email from a sender impersonating the HR department asking them to click a link to log in to a payroll system.
Tips for Prevention: Invest in anti-phishing technologies and ensure all employees receive security awareness training.
3. Clone Phishing
What is It: A clone phishing attack occurs when an attacker obtains an existing email and then creates a malicious copy. These attacks attempt to use familiarity to gain the email recipient’s trust.
How to Identify It: Encourage employees to thoroughly inspect each email they receive before clicking on any links or downloading any attachments.
Example of a Clone Phishing Attack: An attacker makes a clone of an existing weekly sales report email and sends this to the sales team. This email may contain malicious links or a downloadable malware file disguised as the report.
Tips for Prevention: Invest in a range of phishing prevention tools, including active phishing prevention software that helps employees better understand potentially risky emails.
4. Whaling
What is It: These phishing attacks are extremely targeted attacks sent to senior executives with significant authority and unfettered access to key business systems.
How to Identify It: A whaling email typically has the same red flags as any other phishing email: a strange email address, unusual formatting, or a suspicious request.
Example of a Whaling Attack: Snap fell victim to a whaling attack in 2016 when a finance executive was duped into sending payroll information to an attacker masquerading as the business’s CEO.
Tips for Prevention: All employees, not just those in junior positions, should undertake anti-phishing training and have a selection of anti-phishing tools installed on their devices.
5. Credential Phishing
What is It: These attacks deceive employees into entering their login credentials to the business’s internal systems, giving attackers access to a business’s private systems and networks.
How to Identify It: Any unsolicited prompt to log in to a system should be treated with extreme caution.
Example of a Credential Phishing Attack: An employee receives a message encouraging them to log in to a system such as Microsoft Office. The link in the email routes employees to a duplicate landing page that harvests their user credentials.
Tips for Prevention: Make sure employees know to report any unsolicited messages encouraging them to log in to a proprietary business system. In the event credentials are leaked, two-factor authentication can safeguard access to key systems.
6. Smishing
What is It: A smishing attack is a phishing attack that occurs via text message. The tactics used by attackers are similar to phishing attacks, but the medium is different.
How to Identify It: Unsolicited text messages should be treated with the same level of caution as unsolicited emails. Employees should never share sensitive information or account credentials via text message.
Example of a Smishing Attack: Smishing attacks often focus on bank accounts or credit cards. An employee may receive a message prompting them to log in to the business bank account on a malicious web page.
Tips for Prevention: Employee training is key to avoiding smishing attacks since many of the cybersecurity tools in the anti-phishing space are primarily focused on email, not text.
7. Vishing
What is It: A vishing attack takes place over voice calls, rather than text or email. It features similar social engineering tactics to trick employees into sharing private information.
How to Identify It: Encourage employees to exercise common sense in any phone calls they receive, particularly unsolicited ones. Vishing attackers will often ask for sensitive information such as bank account details, which should never be shared over the phone.
Example of a Vishing Attack: An employee receives a phone call or voice message from a person who states they are the CEO. The CEO then asks this employee to transfer funds to a certain account before the end of the business day to ensure the company avoids being fined by regulators.
Tips for Prevention: Businesses should ensure that their employees' phone numbers are kept private wherever possible.
8. HTTPS Phishing
What is It: When a user sees that small padlock icon in the address bar of their web browser, they assume they’re safe from attackers. However, HTTPS Phishing Attacks use websites with these SSL certificates to trick employees into believing they are on a legitimate site when they are in fact being attacked.
How to Identify It: If a link in an email opens a suspicious page, employees should not trust the secure SSL certificate and should instead verify the request independently.
Example of an HTTPS Phishing Attack: In 2014, Sony suffered a major HTTPS phishing attack when attackers encouraged users to log in to their Apple ID account using an HTTPS link that appeared legitimate.
Tips for Prevention: Ensure your business has systems in place to prevent HTTPS phishing emails from reaching employee inboxes in the first place. Security leaders should also check that their anti-phishing awareness training has a section on the dangers of HTTPS attacks.
9. Image Phishing
What is It: Instead of including a malicious link in plain text in a phishing email, many attackers are now adding this link to an image instead. Employees are more likely to click on an image than a suspicious link. Image phishing attacks are also more likely to bypass security measures.
How to Identify It: An image phishing email may just be a blank message with a PNG or JPEG file in the main body. Employees should be suspicious of any emails with minimal text and large images.
Example of an Image Phishing Attack: An employee receives a message appearing to be from payroll, but instead of text, the message is just a screenshot of another email.
Tips for Prevention: Encourage employees to apply the same judgment to emails with images in them as they would plain text. Adopting a multi-layer approach to phishing prevention also helps flag these messages.
10. Evil Twin Phishing
What is It: Employees often connect to public WiFi networks, whether that’s at an airport, hotel, or cafe. Evil twin phishing attacks trick employees into connecting to fake WiFi networks that are named similarly to the legitimate WiFi network. Once the employee connects to this network, their data is at risk.
How to Identify It: These attacks are difficult to detect. Encourage employees to double-check they are logging on to the right network and to take preventative steps to limit their exposure.
Example of an Evil Twin Phishing Attack: An employee connects to the hotel WiFi on a business trip. They mistakenly connect to Hotel-WiFi-2, a fake WiFi network set up to harvest their data.
Tips for Prevention: Educate employees on steps they can take to remain secure, including using a VPN, avoiding unsecured networks, not logging in to private business systems, and more.
11. Pop-Up Phishing
What is It: An employee receives a pop-up notification on their device prompting them to take some action, such as updating their security software, which triggers the download of malware.
How to Identify It: Since most businesses have pop-up blockers deployed, employees should treat any pop-ups with caution.
Example of a Pop-Up Phishing Attack: An employee receives a pop-up message in their Outlook account prompting them to download and install the latest version of Outlook. Instead of updating their software, they unwittingly download malware to their device.
Tips for Prevention: Install pop-up blockers and other cybersecurity tools that ensure employees are not exposed to harmful pop-ups. Businesses should also include a module on pop-up phishing attacks in their security awareness training.
How to prevent phishing attacks on employees
Effectively protecting your employees, and your business, against phishing attacks requires leaders to make investments in two key areas:
Employee Security Awareness Training: This training, which should be repeated on a regular basis, educates employees on the most common types of phishing attacks and highlights the red flags employees must be aware of.
Anti-phishing Cybersecurity Technologies: Many businesses already use SEGs to block phishing attacks from reaching employees inboxes. In addition to this, businesses should also invest in tools like InboxGuard that provide active phishing prevention solutions.
Shield your company from email phishing attacks with InboxGuard
The more layers of security a business has between its employees and attackers, the more secure. For many years, the traditional approach to preventing phishing attacks has been centered around two pillars: SEGs and employee cybersecurity training.
However, with the growing sophistication and volume of attacks today, these methods do not offer sufficient protection.
InboxGuard, from the team at IronVest, adds an additional layer of anti-phishing security, providing employees with real-time, situational awareness of potentially risky emails. InboxGuard uses advanced AI technology to detect 99.9% of all phishing emails and provides employees with the additional information they need to respond effectively to a phishing threat.
Interested in trying it out for yourself? Start your free trial today.