Email phishing is a type of social engineering attack that can lead to costly cyber events. Are you up to speed with the latest phishing tactics? Read on to learn how threat actors are targeting businesses — and what you can do to stay safe.
A phishing attack is a social engineering attack that occurs when a bad actor impersonates a legitimate individual or business to trick their target into taking action. In most cases, that individual is tricked into clicking on a duplicitous link and sharing login credentials. From here, threat actors can gain unauthorized access to an organization’s network and critical data.
Threat actors are increasingly using phishing strategies to target business networks. In fact, phishing attacks increased 61% in 2022, with more than 255 million attacks occurring within a six-month window. With the average phishing incident setting businesses back $163,000, cybercriminals are only becoming more sophisticated and savvy with their efforts.
What are the 5 common types of phishing attacks?
Over the last several years, hackers have deployed a number of new phishing methods to launch attacks and gain access to private information and restricted systems. Some of the most common types of phishing attacks include:
1. Email phishing
2. Smishing (SMS phishing)
3. Vishing (voice phishing)
4. Angler phishing
5. Spear phishing
1. Email phishing
Phishing is now a fixture of everyday life. This endless onslaught of messages may be irritating for organizations, but it’s highly effective for hackers. In one famous example, a scammer used phishing emails to steal more than $100 million from Facebook and Google.
Research also indicates that phishing was the most common attack vector to execute cyberattacks in 2022. Threat actors increasingly use this technique to target victims and gain access to sensitive information, often in service of other cybercrimes.
According to Coalition’s Claims Report, phishing was the initial attack vector for 76% of reported claims in the second half of 2022 — more than six times greater than the next-most popular attack technique. This trend held true across the United States, as the FBI reported more than 300,000 incidents.
2. Smishing
Text messaging or SMS phishing — also known as smishing — occurs when threat actors go beyond email and message targets on their mobile devices.
Smishing attacks are similar to phishing attacks in that bad actors typically pretend to be trustworthy individuals — like a coworker, supervisor, or vendor — and engage with unsuspecting individuals over text messages. Attackers also may impersonate service providers and send delivery notifications, financial inquiries, and fake contests or raffle announcements to victims’ devices.
Smishing is highly effective because the average open rate for text messages is about 99%, with 97% being read within 15 minutes of delivery. Additionally, smishing attacks can be difficult for victims to identify, with less than 35% of people knowing they’re the target of a smishing attack.
3. Vishing
Vishing involves exploiting voice messages to trick people into giving away money, account credentials, and other personal information.
In a vishing attack, a threat actor may ask employees to wire money or surrender sensitive information. In certain cases, they might issue threats or warnings to convince recipients to take urgent action — like mentioning a warrant that’s out for someone’s arrest or that they found suspicious activity in their bank account.
Vishing is a popular strategy for cybercriminals because most companies still rely heavily on phones and mobile devices. According to Pew Research, 67% of Americans will check a voice message when someone leaves one. What’s more, a 2022 survey of working adults and IT professionals found that more than seven in 10 respondents have encountered vishing attacks — up from 54% in 2020.
4. Angler phishing
Angler phishing is a type of social engineering attack that happens on social media platforms. In this type of attack, scammers monitor social channels like Facebook and Twitter looking for posts from unhappy customers.
Once they find an unhappy customer, scammers attempt to provide fraudulent customer service in hopes of securing private credentials like Social Security numbers, passwords, and contact information. Additionally, scammers might also send fraudulent links containing malware or ransomware.
5. Spear phishing
The most common phishing strategy, spear phishing is a highly targeted attack against a certain individual. This attack starts with reconnaissance, as the threat actor gathers identifying information like names, birthdates, contact information, and personal contacts. The hacker then uses the data to lure the target into taking specific actions — like surrendering account credentials or wiring money.
Threat actors often combine multiple phishing tactics during a campaign and deploy them strategically to achieve their goals. To illustrate, a cybercriminal may pose as an IT or HR employee and target high-ranking officials like C-level executives or employees who have access to sensitive accounts and databases.
What are the signs of a phishing attack?
When it comes to phishing, the key to success lies in the attacker’s ability to catch an employee off guard and dupe them into taking action. In addition to being vigilant, employees must know how to recognize and avoid incoming attacks. With that in mind, there are some clues that may indicate you’re being targeted in a phishing attack.
Email phishing signs
Threat actors are becoming better at disguising fraudulent emails to make them look legitimate. To identify a spam email, look for messages that come from unfamiliar sources or include unusual or urgent requests. Additionally, scammers often use domain spoofing, a tactic that involves creating email addresses that trick employees into thinking they are real (e.g., “email@example.com”).
Employees should also analyze the body of an email to see whether there are incomplete names, missing contact details, or typos (though some threat actors now avoid such mistakes by using AI tools to write their phishing messages).
Smishing signs
To protect against smishing attacks, employees need to be wary of texts that come from numbers they don’t recognize. Further, employees should also watch out for suspicious-looking links, account-related inquiries, and unsolicited multi-factor authentication requests.
Vishing signs
Much like smishing, vishing attacks typically leverage fraudulent phone numbers. As such, employees should be skeptical about receiving voicemails from unknown contacts. Vishing attacks often leverage robocallers with impersonal greetings asking victims to call a different number back or provide sensitive account information — like PINs or answers to security questions.
Angler phishing signs
Angler phishing attacks tend to happen when a company’s online customer service team is inactive, like on nights and weekends. For example, a customer service agent responding immediately to an inquiry at 3 a.m. should be treated with suspicion.
Employees can also identify an angler phishing attack by researching the responding individual. Replies from unknown agents or accounts could be a sign of fraud. Customer service and security teams should also keep an eye out for non-verified accounts that closely resemble official company-sanctioned profiles.
What are the implications of a phishing attack?
Phishing-related claims have spiked over the course of the year — increasing 29% from the first half of 2022 to the second — as the rise of new technologies has made these attacks easier to execute. Threat actors are now leveraging AI tools to write credible phishing emails and translate the scams across multiple languages, giving them more time and cover to access a network. Phishing will become a bigger problem as generative AI tools become more accessible and more capable of crafting compelling messages.
Why is this a problem? Phishing often leads to funds transfer fraud (FTF) and business email compromise (BEC) attacks. FTF events can cause organizations to unwittingly send large payments to cyber criminals. At the same time, BEC attacks can put an organization at risk of data breaches and leaks, data loss, account takeovers, and direct monetary loss. Additional risks include productivity loss, financial penalties, and reputational harm.
How do you prevent phishing attacks?
The number one way to help prevent phishing attacks is through comprehensive security awareness training. Employees are the first line of defense against cyberattacks, so they must be up to date with the latest threats and strategies.
Since cybercriminals are constantly adapting their approach and using emerging technologies and strategies to launch attacks, annual or even quarterly security training isn’t enough. For the best results, employees need ongoing security briefings and updates.
Hover over links to check URLs
One of the best safety strategies employees can adopt is to always hover over links and check URLs for suspicious domains. Always avoid clicking on links that appear suspicious.
Check the sender’s email address
An easy way to spot a phishing attack is to analyze the sender’s email address for misspellings and inconsistencies. Instead of responding directly to a suspicious message, an employee can contact the sender over a separate authorized channel to resolve the issue.
Look for a sense of urgency
Cybercriminals usually try to create a sense of urgency. For example, a threat actor may demand same-day payments or ask the victim to bypass security clearances and provide information or data immediately.
Enforce a two-step verification process
It’s not always easy to identify a phishing attack, and employees occasionally make mistakes. Adding a two-step verification process with a phone and email component helps to automatically identify suspicious logins and prevent unauthorized users from completing illegitimate requests.
Avoid opening unexpected attachments
Employees should always use caution when opening email attachments from suspicious users because they can contain malware or ransomware. Always avoid opening unexpected attachments without checking in with the sender or running the message by IT.
How do you respond to phishing attacks?
Successful phishing attacks happen, but organizations should avoid creating a culture of fear. It's critical to have a plan in place that documents how to respond when attacks occur. Employees should always report suspicious emails, text messages, and instant messages to a dedicated incident response team for analysis.
Additionally, team members should immediately update login credentials after identifying a phishing attempt. Better yet, employees should practice good account hygiene and routinely change their passwords to make it even harder for cybercriminals to steal user credentials.
Streamline incident response with Coalition
Phishing detection, investigation, and remediation is a never-ending process that can strain companies that are already dealing with budget and staffing shortages.
The best way to ensure a speedy and effective recovery is to work with a third-party security provider capable of rapid and reliable incident response support. For example, Coalition offers Coalition Incident Response, which comes with access to an in-house expert team of incident responders, forensic specialists, and security engineers who deliver around-the-clock cybersecurity coverage.
Ready to improve the way your company handles phishing attacks?
If you are experiencing a cyber attack and need immediate help with incident response, call our toll-free claims line at 1.833.866.1337.
Coalition’s products are underwritten by certain underwriters at Lloyd’s of London (A.M. Best A rating) and Arch Insurance Canada Ltd. (A.M. Best A+ rating).