Phishing Primer – Phishing Types (pt. 4)

Phishing is a mass effect attack

It was mentioned in the previous article that technology today, especially AI, can enhance a phishing scheme, creating perfectly crafted emails in the correct style of language (remember this is not just an “English” phenomenon), with errors in layout and idiom fixed. Salutations and job titles are correct and personalised because, like any organisation, threat actors clean their data to maximise their chances of success – these schemes generate so much income that it is worth their while.

Because phishing is such a successful form of cyber crime, it has spawned a raft of highly targeted attacks.


How many types of phishing attack can you think of?

I started this article intending to use a book I have on phishing attacks, but I thought I would see if the internet had a list. Let me clarify that statement – I needed a list from a reliable trusted source, not just someone seeking clicks.

Mark Mitchell was one of the speakers at the Cyber Security conference I attended last week at Napier University. He is a senior systems engineer at Fortinet – I found a list of nineteen different types of phishing attack on the Fortinet website (Fortinet, 2024). I am not going to list all nineteen here; I am going to highlight the key ones that depend on email to work. (The reference is below for those of you who want to know what all nineteen are.)

Spear phishing

This type of phishing is an attack targeted at a specific individual in an organisation to steal their credentials. The malicious email will contain personal information, researched beforehand by the threat actor, often using the OSINT tactics we discussed in part 2, to reassure the victim that the email is genuine.

Whaling

This is spear phishing taken to the next level by targeting senior managers and board members, or anyone in an organisation who has top-level access to the most sensitive (and therefore most valuable) information. The CEO is not the only target; systems administrators also fall into this group.

HTTPS phishing

An HTTPS phishing attack is carried out by sending the victim an email with a link to a fake website. The site may then be used to fool the victim into entering their private information.

These emails contain a link to a malicious website, where the victim will be tempted into revealing sensitive information or into installing malicious software on their computer, so continuing the attack.

Clone phishing

How many emails do you get now with the latest marketing gimmick in the subject line, “Re: Our last conversation”, when there was no last conversation? The clone phishing email is a variant of this. The hacker makes an identical copy of an email previously received by the victim, with a subject line that says “Resending this”. However, this copy includes a disguised malicious link.

This attack is a little more difficult, but it does not necessarily require the threat actor to have access to your systems. How many emails do you send and resend with copies of multiple replies from multiple people? They are a rich source of OSINT for building this attack.
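As an added defensive example (not from the article, nor from Fortinet), the following Python check looks for two tells of the clone phishing email described above: a reply-style subject that belongs to no existing thread, and a link whose visible text names a different host than its real destination. The message it scans is constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): a "resent" reply with no thread
# headers and an anchor whose visible text names a different host than its href.
SAMPLE_EMAIL = """\
Subject: Re: Resending this.
Content-Type: text/html; charset=utf-8

<p>Sorry, here is the invoice link again:</p>
<a href="https://login.example.net/invoice">https://portal.example.com/invoice</a>
"""
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def clone_phish_indicators(raw: str) -> list[str]:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # A "Re:" subject with no In-Reply-To/References header: no real thread exists.
    if re.match(r"\s*re:", msg.get("Subject", ""), re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append("reply-style subject without thread headers")
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        if URL_LIKE.match(text):  # "click here" style text has no host to compare
            shown = urlparse(text if "://" in text else "https://" + text).hostname
            target = urlparse(href).hostname
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
    return findings
```

Running `clone_phish_indicators(SAMPLE_EMAIL)` reports both indicators; a genuine reply carrying an In-Reply-To header and honest link text produces none.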

Your Takeaway from this.

Do you or any of your team or board fit into any of these target types?

Next…

Size matters.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

Fortinet. (2024). 19 types of phishing attacks with examples. Fortinet. https://www.fortinet.com/uk/resources/cyberglossary/types-of-phishing-attacks

Further Reading

Phishing Primer – Social Engineering (pt. 1)

Phishing Primer – Social Engineering (Pt. 2)

The Phishing Email and AI (pt. 3)

Featured photo by Karolina Grabowska

In text photo by Saksham Choudhary