There are four main types of phishing attacks, Spear Phishing, Whaling, Smishing and Vishing as explained later in this article.
"Phishing" is a term used to describe the act of stealing or gaining access to sensitive information by luring in and tricking victims. Most common forms of phishing occur via email although this isn't always the case as attackers can use text messages as well as other messaging mediums.
Attackers usually disguise themselves as a trustworthy and reputable source often using language that gives a sense of urgency, This tied with the attackers disguise is the reason phishing is so effective.
Spear Phishing
Spear phishing is a type of phishing attack that specifically targets one or a group of users, The attackers then push the user to urgently take action. Phishing emails/messages can contain malware disguised as attachments or links to false webpages designed to look exactly like legitimate sites.
Commonly phishing attacks will contain something for the user to click on and interact with. It can be something as simple as getting the user to open a file, click on a link or divulge sensitive information.
Whaling
Whaling is similar to spear phishing as it targets specific users. However whaling attacks are different because they are designed to target important people within an organization such as a CEO, Director or Head of Departments such as Finance.
Although spearfishing attacks can be harmful to a business, whaling can have a detrimental effect to everyone within an organization and its customers simply because of the information these people hold.
Smishing
Smishing is a social engineering attack similar to phishing but instead it uses text message / SMS rather than email.
Used for the same reasons as phishing, smishing attacks attempt to trick victims into clicking on links with malware hidden behind them, sharing sensitive information or trick victims into sending money.
In the most common form of Smishing attack, attackers pretend to be a friend or loved one who has changed their phone number and urges the reader to update the number in their phone. Doing this gains trust with the reader and makes the attacker less suspicious when making requests for money or information.
Vishing
Vishing is a form of social engineering that happens over a phone call. This is an older form of social engineering that has been around for a long time.
They act confidently and professionally when calling pretending to be someone from the government, police, the bank or tax authority. They may try and convince you that you owe an amount or that you have an outstanding fine.
Again in this form of attack the attackers always ensure there is a sense of urgency as this makes people panic and are less likely to think about their actions.
Steps you can take to stop attackers impersonating your business
See below information on the settings that can be applied to your email system to mitigate the impersonation of your business.
DMARC is a standard applied to emails that confirms the senders identity. When paired with SPF and DKIM, It stops attackers impersonating your domain by checking back with your email system to confirm that you have sent the email. The attackers email is then set as spam and it will not reach its destination.
We Provide 3rd party spam filtering, O365 security management, MFA (Multi Factor Authentication) setup, O365 secure score management and email backups. Contact us to enquire about protection for your business.
Also see the below resources from the NCSC and NCA for ways to defend your organisation against attackers.
Resources to educate yourself on Phishing and Social Engineering
Please see the below links to trusted government websites and videos to educate yourself and others on Phishing and Social Engineering.
National Cyber Security Centre - Phishing Attacks: Defending your organisation
National Crime Agency - Cyber Crime
DMARC - How it works
