Phishing Explained as A Comprehensive Guide to Different Types of Attacks from Email to Social Media Scams

By: Bakkireddygari Sai Sravanthi, International Center for AI and Cyber Security Research and Innovations, Asia University, Taiwan. Email: sravanthisai1113@gmail.com

Abstract

Phishing is a common cyberattack in which attackers impersonate reputable organizations to trick victims into disclosing personal information. This article examines the distinct characteristics and tactics of phishing variants such as email phishing, spear phishing, whaling, vishing, and smishing. By learning the telltale signs of phishing and taking the necessary preventive steps, individuals and organizations can significantly reduce their likelihood of falling victim to these schemes. The article also stresses the need for prompt action and education, and lists specific steps to take if someone suspects they have been phished.

1. Introduction

In the digital age, phishing has emerged as one of the most common and sophisticated cyberattacks. These social engineering attacks exploit human psychology to trick victims into revealing confidential information such as bank account details, login passwords, or other personal data[1]. Phishing attacks can occur via email, text messages, phone calls, and social media, among other digital communication channels. Understanding the various phishing attack types and being able to recognize the warning signs of phishing attempts are essential for maintaining individual and corporate security. This article examines the mechanics of phishing, describes common attack techniques, and offers defense strategies and responses.

2. What is Phishing?

Phishing is a type of cyberattack in which attackers impersonate reputable organizations to trick victims into disclosing personal information. These attacks often take advantage of social media, email, and other digital communication channels. The word “phishing” is derived from “fishing”: attackers “bait” victims in order to “catch” their private information[2].

Phishing can take several forms, such as malicious websites, fraudulent emails, or phone calls. Phishing attacks rely heavily on social engineering to fool the target into taking actions that compromise their security. Understanding the diverse types of phishing attempts is the first step in recognizing and avoiding them.

3. Various Types of Phishing Attacks

3.1. Email Phishing

Phishing via email is the most prevalent kind of attack. Attackers send fake emails that appear to come from trusted sources, such as banks, internet companies, or coworkers. These emails frequently carry urgent messages that pressure recipients into downloading attachments or clicking fraudulent URLs[3].

  • Spoofed email addresses: Creating email addresses that closely resemble legitimate ones, often differing by only a character or two.
  • Urgent or fear-inducing messages: Demanding immediate action to avoid supposed consequences.
  • Links to fake login pages: Directing to websites that mimic legitimate ones in order to steal credentials.
  • Malicious attachments: Containing malware that infects the recipient’s device.

Example: An email from “Your Bank” asking you to verify your account information to prevent account suspension.

3.2. Spear Phishing

Spear phishing is a targeted form of phishing in which the attacker uses email to go after a specific individual or organization. Attackers gather detailed information on their target beforehand to make the lure more convincing[4].

  • Personalized messages: Referencing specific details like projects, colleagues, or recent activities.
  • Credible appearance: Using information from social media and other sources to appear credible.
  • Contextual relevance: Crafting emails relevant to the target’s current activities.

Example: An email addressed personally to an employee, appearing to come from their company’s IT department, requesting login credentials for system updates.

3.3. Whaling

Whaling is phishing aimed at the “whales,” the biggest fish in an organization, and is considerably more focused than ordinary phishing. These attacks usually target a CEO, CFO, or other C-level executive in a particular sector or company. A whaling email may claim that the company faces legal repercussions and that the recipient must click a link for further information[5]. After clicking the link, the recipient is prompted to enter important company information such as the tax ID and bank account number.

  • Sophisticated social engineering: Crafting emails that appear urgent and legitimate.
  • Urgent business matters: Framing the request as a pressing business issue.
  • Impersonation: Pretending to be other executives or high-level contacts.

Example: A fake invoice sent to a company’s CEO, appearing to be from a known vendor, requesting payment.

3.4. Vishing (Voice Phishing)

Vishing has the same goal as other phishing attacks: the attackers still want your confidential or sensitive corporate information. The difference is the medium, a voice call, which is why the name starts with a “v” rather than a “ph.”

  • Caller ID spoofing: Making it appear as if the call is from a trusted source.
  • Social engineering: Creating a sense of urgency or fear.
  • Requesting personal information: Asking for sensitive information like Social Security numbers.

Example: A phone call from someone claiming to be from the IRS, threatening legal action if personal information is not provided.

3.5. Smishing (SMS Phishing)

Smishing is an attack conducted over text messaging, or short message service (SMS). A common smishing tactic is to send a text message containing a clickable link or a callback phone number to a mobile phone.

  • Reputable source impersonation: Messages that appear to come from reputable sources.
  • Malicious links: Including links to phishing websites.
  • Urgency or fear tactics: Creating a sense of urgency to prompt immediate action.

Example: A text message from a “delivery service” with a link to track a package, which leads to a phishing site. Fig. 1 shows the types of phishing attacks with their tactics.

Fig 1. Types of Phishing Attacks with their Tactics

4. Basic Signs to Look Out for in Phishing Attempts

Identifying phishing attacks requires attentiveness and diligence. Here are some common signs that can help you identify phishing attempts:

  • Suspicious Sender Addresses
      • Mismatched Domains: Phishing emails frequently originate from addresses that do not correspond to the official domain of the company they pretend to represent. For example, an email from “support@paypal-security.com” instead of “support@paypal.com” is suspicious.
      • Misspellings: Attackers frequently use slightly altered versions of legitimate domains, such as “amzon.com” rather than “amazon.com”[6]. These minor changes are meant to make the address look genuine at a glance.
      • Non-business Domains: Reputable businesses use their corporate domains for official messaging. Emails from generic providers such as Gmail, Yahoo, or Hotmail should be treated with suspicion, particularly if they claim to be from a reputable company.
  • Urgent or Threatening Language
      • Creating Panic: Phishing emails often employ urgent or frightening wording to make the recipient feel afraid. Sentences such as “Your account has been suspended!” or “Immediate action required!” push recipients to act immediately and instinctively.
      • Threats of Legal Action: Messages threatening legal action, account closure, or loss of service unless rapid action is taken are common tactics used to force a prompt response.
      • Time-sensitive Offers: Emails featuring urgent investment opportunities or limited-time offers can persuade recipients to act without second thoughts.
  • Poor Grammar and Spelling
      • Unprofessional Appearance: Reputable companies usually have stringent review policies for their emails, so obvious grammatical or typographical errors are rare. Phishing emails usually lack this professionalism.
      • Translation Errors: Many phishing campaigns are written by non-native speakers, resulting in odd terminology, incorrect verb tenses, and misused words.
      • Inconsistencies: Look for any strange wording, tone, or style choices that do not fit the company claiming to have sent the email.
  • Unfamiliar Greetings and Lack of Personalization
      • Generic Salutations: Instead of addressing the recipient by name, phishing emails usually begin with a generic greeting such as “Dear Customer,” “Dear User,” or “Dear Sir/Madam.”
      • Lack of Personal Information: Reputable companies usually address customers by name and reference specifics such as the account number in their correspondence. A lack of personalization can be an indication of phishing.
      • Robotic Tone: The language may sound robotic or impersonal and lack the natural tone of human communication.
  • Suspicious Links and Attachments
      • Hover Over Links: Before clicking any hyperlink, move your cursor over it to see the full URL. If the link does not match the displayed text or leads to an unfamiliar website, treat it as a phishing attempt.
      • Unexpected Attachments: Handle attachments with caution, particularly if you were not expecting them. Opening an attachment may run malware that infects your device.
      • Disguised Links: Links may appear to lead to a trustworthy website but actually take you to a fake one. For example, a link that appears to go to “www.bankofamerica.com” may instead point to www.fakewebsite.com/bankofamerica.
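As an added illustration of the sender and link checks above (example code written for this article, not part of the original), here is a small Python checker that flags a display name claiming a brand whose real domain differs from the sender’s domain, a sender domain within two edits of a known brand domain, and anchor text that shows a different host from the one its href points to. The brand allowlist and the sample message are constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

KNOWN_DOMAINS = ("amazon.com", "bankofamerica.com", "paypal.com")  # constructed allowlist of real brand domains
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample message showing two of the signs listed above (not a real email).
SAMPLE_EML = """\
From: "PayPal Support" <support@paypal-security.com>
Content-Type: text/html

<p>Dear Customer, <a href="http://www.fakewebsite.com/bankofamerica">www.bankofamerica.com</a></p>
"""

def levenshtein(a, b):
    """Edit distance, used to flag lookalike domains such as amzon.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(text):
    """Hostname of a URL or bare domain, with any leading www. stripped."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return re.sub(r"^www\.", "", parsed.hostname or "")

def check_sender(display_name, domain):
    """Brand named in the display name but not in the domain, or a lookalike domain."""
    findings, domain = [], domain.lower()
    for known in KNOWN_DOMAINS:
        if domain == known or domain.endswith("." + known):
            continue  # the real domain or one of its subdomains
        if known.split(".")[0] in display_name.lower():
            findings.append(f"display name claims {known} but sender is {domain}")
        if levenshtein(domain, known) <= 2:
            findings.append(f"sender domain {domain} is a lookalike of {known}")
    return findings

def check_links(html):
    """Anchor text that shows one host while the href points somewhere else."""
    return [f"link text shows {host_of(t.strip())} but points to {host_of(h)}"
            for h, t in ANCHOR.findall(html)
            if "." in t and " " not in t.strip() and host_of(t.strip()) != host_of(h)]

def analyze(raw):
    """Parse a raw RFC 5322 message and return every finding from the checks above."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["from"].addresses[0]
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    return check_sender(sender.display_name, sender.domain) + check_links(html)
```

Running `analyze(SAMPLE_EML)` reports both the mismatched brand domain and the disguised link; a message from `mail.paypal.com` with a display name of “PayPal” produces no sender finding.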
5. How to Protect Yourself

To defeat phishing attempts, one must exercise caution, follow strict security practices, and stay aware. The following instructions can help you strengthen your defenses:

  • Keep an Eye on the News
      • Stay Informed: Read cybersecurity news regularly to learn about notable attacks and the most recent phishing tactics. Being aware of new threats makes detection and prevention easier.
      • Trusted Sources: Get updates from reliable cybersecurity publications, websites, and agencies, including the Federal Trade Commission (FTC) and the Cybersecurity and Infrastructure Security Agency (CISA).
  • Update Your Operating System Regularly
      • Security Patches: Operating system updates frequently include security patches that address vulnerabilities[7]. Make sure automatic updates are enabled, or check for updates routinely.
      • Software Updates: Update all your software, including web browsers and apps, to close vulnerabilities that phishing campaigns could exploit.
  • Do Not Open Attachments or Links from Unknown Senders
      • Verify Senders: Verify the sender’s email address or phone number before opening any attachment or clicking any link. If you are unsure, contact the sender directly.
      • Hover Over Links: To view the real URL of a link, move your mouse over it. Avoid links that look suspicious or lead to unexpected places.
  • Enable Firewalls
      • Device Firewalls: Make sure your computer’s built-in firewall is turned on to block unauthorized access.
      • Network Firewalls: Use a network firewall to monitor and filter incoming and outgoing traffic as an additional layer of security.
  • Avoid Answering Unknown Calls
      • Caller Verification: Be cautious of unsolicited calls. If you receive a call from someone claiming to be from a reputable organization, verify their identity by contacting the organization directly using official contact information.
      • Personal Information: Never provide personal or financial information over the phone to unknown callers.
  • Regularly Back Up Your Devices
      • Backup Methods: Use both physical backups (such as external hard drives) and cloud-based backups so that you always have a safe copy of your critical data.
      • Restore Points: Regularly create restore points on your devices so you can revert to a known good state in case of compromise.
  • Contact the Real Sender
      • Verification: If you receive a suspicious email, contact the purported sender using the official contact information found on the company’s website.
      • Report Suspicious Emails: Notify the company about the attempted phishing so they can take the necessary measures.
6. What to Do If You Fall for a Phish

If you suspect that you have fallen victim to a phishing attack, immediate action is crucial to mitigate the damage. Here are detailed steps to follow:

  • Alert Your Security Team
      • Immediate Reporting: Report the incident to your company’s IT or security team as soon as you can. Give them all the relevant details, including the suspicious email or message.
      • Containment: The security team can contain the problem by isolating affected systems and conducting a thorough analysis.
  • Change Your Credentials
      • Password Updates: Set new passwords on any accounts that you think may have been compromised. Give each account a strong, unique password.
      • Two-Factor Authentication: To increase security, turn on two-factor authentication (2FA) for each of your accounts.
  • Monitor Your Accounts
      • Regular Checks: Regularly monitor your online accounts for any unusual activity, including unauthorized purchases or changes to account settings.
      • Fraud Alerts: Set up fraud alerts on your bank accounts so you are notified when something looks fishy.
  • Contact Financial Institutions
      • Immediate Notification: If you believe your credit card or bank account has been compromised, notify the institution. They can watch for fraudulent activity in your accounts and take precautions to keep your money safe[8].
      • Credit Monitoring: Consider signing up for a credit monitoring service so you are notified of changes to your credit report.
  • Educate Others
      • Share Your Experience: To raise awareness and stop others from becoming victims, tell your friends, family, and coworkers about the phishing attack.
      • Training: Encourage your company to provide regular cybersecurity training for staff, with a focus on identifying and reporting phishing attempts.

Conclusion

Phishing attacks pose a significant risk today because of their use of social engineering techniques and psychological manipulation of victims. If people and businesses are aware of the many phishing attack types and can recognize the common warning signs, they can protect themselves against these threats more successfully. It is essential to be aware of the hazards associated with phishing, implement robust security measures, and be prepared to respond appropriately in the event of an attack. Building a culture of cybersecurity and resilience depends above all on education and raising public awareness.

References

  1. A. Stewart, “Social Engineering Attacks: Cybercriminal Tactics & Psychology,” TechBrain. Accessed: Jul. 14, 2024. [Online]. Available: https://www.techbrain.com.au/social-engineering-attack-psychology/
  2. “What is phishing and how to stay safe from it?,” CactusVPN. Accessed: Jul. 14, 2024. [Online]. Available: https://www.cactusvpn.com/beginners-guide-online-security/what-is-phishing/
  3. M. M. Ali and N. F. M. Zaharon, “Phishing—A Cyber Fraud: The Types, Implications and Governance,” 2024. Accessed: Jun. 30, 2024. [Online]. Available: https://journals.sagepub.com/doi/abs/10.1177/10567879221082966
  4. “Phishing attacks: risks and challenges for law firms,” International Cybersecurity Law Review. Accessed: Jul. 14, 2024. [Online]. Available: https://link.springer.com/article/10.1365/s43439-024-00110-8
  5. “A review on recent phishing attacks in Internet,” IEEE Conference Publication, IEEE Xplore. Accessed: Jun. 02, 2024. [Online]. Available: https://ieeexplore.ieee.org/abstract/document/7380669
  6. “Website spoofing: What is it and how to prevent it,” Red Points. Accessed: Jul. 14, 2024. [Online]. Available: https://www.redpoints.com/blog/website-spoofing/
  7. “Zero Trust Security | Akamai Guardicore Platform,” Akamai. Accessed: Jul. 14, 2024. [Online]. Available: https://www.akamai.com/solutions/security/zero-trust-security
  8. “Identity Theft in the Banking System,” IntechOpen. Accessed: Jul. 14, 2024. [Online]. Available: https://www.intechopen.com/chapters/1166535
  9. V. Vajrobol et al., “Mutual information based logistic regression for phishing URL detection,” Cyber Security and Applications, vol. 2, p. 100044, 2024.
  10. A. Gaurav et al., “Enhancing Email Security in Consumer Electronics with a Hybrid Deep Learning Approach,” in 2024 IEEE International Conference on Consumer Electronics (ICCE), Jan. 2024, pp. 1–5.
  11. A. A. Abd El-Latif, M. A. Hammad, Y. Maleh, B. B. Gupta, and W. Mazurczyk, Eds., Artificial Intelligence for Biometrics and Cybersecurity: Technology and Applications. IET, 2023.

Cite As

Sravanthi B.S. (2024), Phishing Explained as A Comprehensive Guide to Different Types of Attacks from Email to Social Media Scams, Insights2Techinfo, pp.1
