7 Types of Phishing Attacks You Should Know About

The FBI estimates that Americans lost a whopping $12.5 billion to phishing schemes in 2023. You might think you can identify a fraudulent email and avoid becoming a statistic; however, malicious emails are just one of many phishing attacks used by cybercriminals.

Email phishing

Originally, a phishing attack simply meant an attempt to steal sensitive information or money via email. That’s because email was one of the first attack vectors used by criminals to defraud people online. It’s still one of the most popular phishing schemes, with an estimated 3.4 billion emails sent daily, and it’s the FBI’s most reported crime.

Most phishing emails used to be easy to identify. Poor grammar and odd word choice were clear signs that the email was fake. That’s changed since the rise of generative AI like ChatGPT, which helps hackers with no knowledge of English quickly create emails that can dupe anyone.

If you’re wondering whether an email is real, contact the company it claims to come from directly, rather than by replying to the email. And whatever you do, if you’re not sure an email is real, don’t click on any links or download any attachments.

Smishing

Most people check a text within five minutes of receiving it, because unlike emails, texts are usually sent by friends, family, and companies we trust.

Smishing is similar to email phishing, except that instead of receiving a fraudulent email, you receive an SMS. You may have received a text from Amazon telling you a package was arriving, even though you didn’t order one. Or maybe you received a text from a stranger who claims they have the wrong number but insists on starting a conversation with you anyway. In both cases, a criminal is attempting to trick you into clicking on a malicious link or giving them money.

Pig butchering is an increasingly popular smishing attack in which the attacker gains your trust before convincing you to invest in something (usually a fake crypto exchange) and ultimately stealing your investment.

Angler phishing

We post a lot of information on social media for all to see. Scammers will use this information to create a highly personalized angler phishing attack.

An attacker scrapes your social media to find information about the products and services you use. They then pose as a customer service representative for a company they’ve discovered you use. They will ask for sensitive details, send malicious links, or send a link to a fake website to steal your password or other details they can use to access your account.

Vishing

Recently, a confident and friendly person claiming to be from Wells Fargo called me to tell me that a suspicious payment had been made to my card and that they needed to verify my identity. The first thing they asked for was my social security number.

This vishing attack had all the main elements a social engineering attack needs to succeed. They said they were short on time, intimidated me into giving out sensitive information, and pretended to have the authority to ask me for this information.

Thankfully, scam-preventing features and apps can reduce malicious calls, but you should still be cautious.

Spear phishing

As mentioned, billions of phishing emails are sent every day. Most of these are emails sent in bulk pretending to come from a legitimate business, but they are not personalized.

Spear phishing is a highly personalized attack. Imagine if the email you received used your name and contained sensitive information. Naturally, you would be more inclined to open it.

Spear phishing attacks are not used on the general public; rather, they are reserved for someone the hacker considers very valuable. A hacker may spend time and money gathering information about their target in order to create a highly personalized malicious email.

A variation of spear phishing attacks is “whaling,” which is used against even more valuable targets, such as C-suite executives and CEOs.

Watering hole

A watering hole attack works by compromising a legitimate website. Attackers may take over the entire website or find a vulnerability and insert HTML or JavaScript code that redirects users to a fake website. Because users trust this website, they are more likely to click on links and hand over details such as credit card information, social security numbers, and login credentials.
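A site owner can watch for this kind of injection by listing every script, iframe, and meta-refresh target a page references and flagging any host that is not on an allowlist. The sketch below is an added example, not part of the original article; the host names, sample HTML, and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ExternalLoadFinder(HTMLParser):
    """Collect URLs a page loads or redirects to: scripts, iframes, meta refresh."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (kind, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.found.append((tag, urljoin(self.page_url, a["src"])))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=https://host/path"; no "=" means no redirect
            _, _, target = (a.get("content") or "").partition("=")
            if target:
                url = urljoin(self.page_url, target.strip(" '\""))
                self.found.append(("meta-refresh", url))


def unexpected_hosts(html, page_url, allowed_hosts):
    """Return (kind, url) pairs whose host is neither the page's own nor allowlisted."""
    finder = ExternalLoadFinder(page_url)
    finder.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {urlparse(page_url).hostname}
    return [(k, u) for k, u in finder.found if urlparse(u).hostname not in allowed]


# Constructed sample: a checkout page with one injected script and one injected redirect.
PAGE_URL = "https://www.example-shop.test/checkout"
ALLOWED = {"cdn.example-shop.test", "widgets.example-shop.test"}
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
<script src="https://stats-collector.invalid/t.js"></script>
<meta http-equiv="refresh" content="0; url=https://login.example-shop.invalid/verify">
</head><body><iframe src="//widgets.example-shop.test/chat"></iframe></body></html>
"""

if __name__ == "__main__":
    for kind, url in unexpected_hosts(SAMPLE_HTML, PAGE_URL, ALLOWED):
        print(f"unexpected {kind}: {url}")
```

This only inspects the static markup, so a redirect written as inline JavaScript would need a separate check, such as comparing the page against a known-good copy.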
