Phishing Attack Types
Understand the different phishing attack types, their typical targets, and the techniques they use to steal credentials.
Summary
Types of Phishing Attacks
Introduction
Phishing is a social engineering attack that tricks users into revealing sensitive information or compromising their security. Rather than using technical exploits, phishing relies on human psychology—attackers deceive victims by impersonating trusted sources. While all phishing attacks follow this basic principle, they vary significantly in their delivery methods, level of targeting, and the techniques used to overcome security measures. Understanding these different types is essential for recognizing and defending against them.
Email Phishing
Email phishing is the most common and widespread form of phishing attack. In a typical email phishing attack, the attacker sends fraudulent emails to a large number of people, hoping that at least some recipients will fall for the scheme.
How it works: The email appears to come from a legitimate source—such as a bank, email provider, or popular service like Netflix or PayPal. It typically contains a sense of urgency, claiming suspicious activity on the victim's account or requesting an immediate action. The email includes a link that appears to lead to the legitimate company's website, but actually redirects to a fake login page created by the attacker. When the victim enters their credentials on this page, they unknowingly give the attacker their username and password.
Key characteristics: Email phishing attacks are usually bulk campaigns sent to thousands or millions of people. They're not personalized—the attacker doesn't know anything specific about individual victims. Instead, they rely on the fact that some percentage of recipients will likely be customers of the targeted company.
Common targets include financial institutions, email providers (Gmail, Outlook), cloud productivity services (Office 365, Google Workspace), and entertainment streaming services.
Spear Phishing
Spear phishing is a more sophisticated attack that targets specific individuals or organizations rather than casting a wide net. This is what makes it dangerous—the personalized approach makes it much more convincing.
How it works: Before launching the attack, the attacker researches the target to gather personal information. This might include their job title, recent projects, colleagues' names, or details from their social media profiles. The attacker then crafts a highly personalized message that references these specific details, making the communication appear to come from someone who knows the victim personally or professionally.
Why it's effective: Because spear phishing emails contain specific personal or professional details, they're far more convincing than generic bulk phishing emails. A victim is much more likely to trust a message that references accurate information about them or their work.
Common targets: Spear phishing frequently targets executives, managers, and financial department staff because these individuals have access to valuable data, sensitive financial systems, or the ability to authorize large transactions. An attacker might impersonate a CEO to trick an accountant into wiring money, or pose as an IT department member to get an employee to reveal their credentials.
Whaling
Whaling is a specialized form of spear phishing that specifically targets high-level executives and senior managers—the "big fish" of the organization.
Key distinction: While spear phishing targets individuals at various levels of an organization, whaling is exclusively focused on senior leadership. The attacks are often especially sophisticated because these executives have significant access to critical business information and can authorize major decisions or transactions.
Vishing (Voice Phishing)
Vishing attacks deliver phishing through voice communication rather than written messages. "Vishing" is short for "voice phishing."
How it works: Attackers use Voice over Internet Protocol (VoIP) technology to make phone calls to victims. The caller claims to be from a legitimate organization like a bank, credit card company, or IT support team. They typically report fraudulent activity on the victim's account and request that the victim verify their identity by providing sensitive information like account numbers, Social Security numbers, or passwords.
Caller ID spoofing: Modern telecommunications technology allows attackers to spoof (fake) the caller ID so the call appears to come from a legitimate phone number. A victim might see "Bank of America (555-1234)" on their caller ID, not realizing it's actually a scammer.
Escalation to live interaction: Some vishing attacks use automated messages to collect initial information, then transfer the victim to a live social engineer who continues the deception.
Smishing (SMS Phishing)
Smishing extends phishing attacks into the mobile text message space, exploiting the trust and immediacy people associate with SMS and text messages.
How it works: The attacker sends a deceptive text message containing either a malicious link, a phone number to call, or an email address to contact. The message typically creates urgency—claiming a package is waiting for delivery, an account needs verification, or a financial transaction needs confirmation. When the victim clicks the link or calls the number, they're led to a fake website or connected to a scammer who harvests their personal information.
Why mobile makes it worse: Mobile devices display URLs in truncated form, hiding the full web address. This makes it much harder for victims to identify that a link is malicious. A URL that might clearly look suspicious on a desktop computer appears as "h8vs.info/..." on a phone, giving the victim no way to verify whether the destination is legitimate.
Quishing (QR Code Phishing)
Quishing is a newer attack vector that exploits the growing use of QR codes in everyday life.
How it works: The attacker either replaces a legitimate QR code with a malicious one, or creates a fake QR code that appears in a phishing email or other message. When the victim scans the QR code with their phone camera, it directs them to a fraudulent website designed to steal credentials or personal information. Because QR codes are not human-readable, victims cannot visually verify where the code will actually take them before scanning.
Real-world context: With QR codes increasingly used for contactless menus, payment systems, and information sharing, users have become accustomed to scanning them without hesitation. This habituation makes quishing particularly effective.
Page Hijacking
Page hijacking is a phishing technique that compromises legitimate websites to redirect users to malicious sites without their knowledge.
How it works: An attacker gains unauthorized access to a legitimate website and injects malicious code into its pages. This is often done through cross-site scripting (XSS) vulnerabilities or other web application flaws. When users visit the compromised page, they're automatically redirected to a fake login page or malware-hosting site. Because the victim initially visited a legitimate domain, they have no reason to suspect the site has been compromised.
Why it's deceptive: This attack exploits the victim's trust in well-known websites. The victim may not notice that they've been redirected, especially if the redirect happens quickly, or they may assume any subsequent requests are part of normal web browsing.
Man-in-the-Middle Phishing
Man-in-the-middle (MITM) phishing is an advanced attack that intercepts communication between a user and a legitimate service, often specifically designed to bypass two-factor authentication (2FA).
How it works: The attacker positions themselves as an intermediary between the victim and the legitimate service. Tools like Evilginx facilitate this attack by acting as a proxy. Here's the process:
The victim visits what appears to be the legitimate login page, but it's actually the attacker's fake page
The victim enters their username and password
The attacker's tool forwards these credentials to the actual legitimate service
The legitimate service challenges the attacker with a 2FA request (like a code sent to an email or phone)
The attacker forwards this 2FA prompt to the victim
The victim completes the 2FA verification
The legitimate service grants access and issues a session token/cookie
The attacker captures this session token without ever needing the original password
Why it bypasses 2FA: Traditional two-factor authentication protects against credential theft because knowing the password alone isn't enough. However, MITM phishing doesn't rely on using stolen passwords—it captures the session token that the legitimate service issues after authentication succeeds. The attacker can use this token to access the victim's account for the duration of the active session, even if the password is later changed.
<extrainfo>
This technique represents a significant escalation in sophistication, as it defeats one of the most important security defenses available to users.
</extrainfo>
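The relay in steps 4 to 6 works because a one-time code carries no information about which page it was typed into, so the proxy can pass it on unchanged. The toy model below is an added example, not code from the page or from any tool it names: it contrasts that relayable code with an assertion that is signed together with the page origin the browser is actually on (the property WebAuthn/FIDO2 authenticators provide). HMAC stands in for the authenticator's per-site signing key, and both origins are placeholders.

```python
"""Toy model of the proxy relay: a one-time code typed into the proxy page is
accepted by the real service, while an assertion bound to the page origin is
rejected.  Added illustration, not code from the page or from any tool it
names.  HMAC stands in for the authenticator's per-site signing key; the
origins are placeholders."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example-bank.test"          # legitimate service
PROXY_ORIGIN = "https://login.example-bank-secure.test"  # attacker's proxy


def _sign(key, challenge, origin):
    """Signature over (challenge, origin); the origin is part of what is signed."""
    payload = json.dumps({"challenge": challenge, "origin": origin},
                         sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class Authenticator:
    """Signs the challenge together with the origin the browser is actually on."""

    def __init__(self, key):
        self.key = key

    def assertion_for(self, challenge, browser_origin):
        return {"origin": browser_origin,
                "sig": _sign(self.key, challenge, browser_origin)}


class RelyingParty:
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}

    def register(self, user, key):
        self.credentials[user] = key

    def new_challenge(self):
        return secrets.token_hex(16)

    def verify_otp(self, submitted, issued):
        """Relayable: the code says nothing about where it was typed."""
        return hmac.compare_digest(submitted, issued)

    def verify_assertion(self, user, challenge, assertion):
        """Origin-bound: reject anything not signed for this exact origin."""
        if assertion["origin"] != self.origin:
            return False
        expected = _sign(self.credentials[user], challenge, assertion["origin"])
        return hmac.compare_digest(expected, assertion["sig"])


def _enrolled_rp():
    rp = RelyingParty(REAL_ORIGIN)
    key = secrets.token_bytes(32)
    rp.register("alice", key)
    return rp, Authenticator(key)


def otp_through_proxy():
    """Victim types the code into the proxy; proxy forwards it unchanged."""
    rp = RelyingParty(REAL_ORIGIN)
    issued = "493027"             # code the service sent to the victim
    relayed_by_proxy = issued     # victim entered it on the attacker's page
    return rp.verify_otp(relayed_by_proxy, issued)


def assertion_through_proxy():
    """Proxy relays the real challenge, but the browser signs the proxy's origin."""
    rp, auth = _enrolled_rp()
    challenge = rp.new_challenge()
    assertion = auth.assertion_for(challenge, PROXY_ORIGIN)
    return rp.verify_assertion("alice", challenge, assertion)


def assertion_with_forged_origin():
    """Proxy rewrites the origin field; the signature still covers the real one."""
    rp, auth = _enrolled_rp()
    challenge = rp.new_challenge()
    assertion = auth.assertion_for(challenge, PROXY_ORIGIN)
    assertion["origin"] = REAL_ORIGIN
    return rp.verify_assertion("alice", challenge, assertion)


def assertion_direct():
    """Same flow with the browser on the genuine origin."""
    rp, auth = _enrolled_rp()
    challenge = rp.new_challenge()
    assertion = auth.assertion_for(challenge, REAL_ORIGIN)
    return rp.verify_assertion("alice", challenge, assertion)


if __name__ == "__main__":
    print("OTP relayed through proxy accepted:", otp_through_proxy())
    print("origin-bound assertion via proxy accepted:", assertion_through_proxy())
    print("assertion with forged origin accepted:", assertion_with_forged_origin())
    print("origin-bound assertion direct accepted:", assertion_direct())
```

The service never learns where an OTP was typed, so the relay succeeds; the origin-bound assertion fails both when the proxy forwards it as-is and when it edits the origin field, because the origin is inside the signed payload.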
Homograph Attacks
Homograph attacks exploit the visual similarity of characters in domain names to impersonate legitimate websites.
How it works: The attacker registers a domain name that looks almost identical to a legitimate domain name by substituting characters that appear nearly the same to the human eye. For example:
The letter "l" (lowercase L) can look like the number "1"
The letter "O" (capital O) can look like the number "0"
The letters "rn" together can look like the letter "m"
A victim might be tricked into visiting "amaz0n.com" thinking they're going to "amazon.com," or a look-alike such as "1e11.com," where the digit "1" stands in for the lowercase letter "l" of the genuine name. The attacker's fake site captures credentials when the victim attempts to log in.
International characters: A more sophisticated version uses Unicode characters from different languages that look identical or nearly identical to ASCII letters in the domain name. For example, a Cyrillic character might look indistinguishable from a Latin character to most readers.
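The substitutions listed above (0 for o, 1 for l, rn for m) and the Unicode variant can both be caught by folding confusable characters to a canonical form and comparing against a list of domains you want to protect. The following is an added example, not code from the page: it flags ASCII look-alikes, non-ASCII labels (shown in punycode), labels that mix scripts, and a handful of Cyrillic lowercase letters that render like Latin ones. The protected list and the sample domains are constructed; a production check would use the full Unicode confusables data rather than this short table.

```python
"""Flag domain names that could be confused with a protected brand domain:
ASCII substitutions like 0/o, 1/l and rn/m, non-ASCII labels (shown in
punycode), mixed Unicode scripts inside one label, and Cyrillic letters that
render like Latin ones.  Added illustration, not code from the page; the
protected list and the sample domains are constructed."""
import unicodedata

PROTECTED_DOMAINS = {"amazon.com", "paypal.com"}

# Confusable sequences collapsed to a canonical form.  Multi-character keys
# come first so "rn" is folded before any single-character rule runs.  The
# Cyrillic entries are lowercase letters that look identical to Latin ones.
CONFUSABLE_FOLD = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def script_of(ch):
    """Coarse script bucket taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "OTHER"


def is_mixed_script(label):
    """True if letters from more than one script appear in a single label."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    return len(scripts) > 1


def skeleton(domain):
    """Collapse confusables so look-alikes map to the same string."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    for seq, canon in CONFUSABLE_FOLD.items():
        folded = folded.replace(seq, canon)
    return folded


def analyze(domain):
    """Return a list of findings; an empty list means nothing suspicious."""
    domain = domain.strip().lower().rstrip(".")
    findings = []
    labels = domain.split(".")
    if not domain.isascii():
        findings.append("non-ascii")
        try:
            # Show the wire form so an analyst sees the xn-- label, not the glyphs.
            findings.append("punycode=" + domain.encode("idna").decode("ascii"))
        except UnicodeError:
            findings.append("punycode=<unencodable>")
        if any(is_mixed_script(label) for label in labels):
            findings.append("mixed-script")
    protected_skeletons = {skeleton(p) for p in PROTECTED_DOMAINS}
    if domain not in PROTECTED_DOMAINS and skeleton(domain) in protected_skeletons:
        findings.append("confusable-with-protected")
    return findings


if __name__ == "__main__":
    # Constructed samples; the third uses a Cyrillic "а" in place of Latin "a".
    for d in ("amazon.com", "amaz0n.com", "\u0430mazon.com",
              "arnazon.com", "example.com"):
        print(f"{d!r:20} {analyze(d)}")
```

The genuine domain and an unrelated one produce no findings; the digit and "rn" substitutions collapse to the protected skeleton, and the Cyrillic variant is reported three ways at once (non-ASCII, mixed script, and confusable), which is the combination a mail or proxy filter would want to escalate.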
<extrainfo>
Watering-Hole Attacks
Watering-hole attacks take a different approach by targeting entire groups of people rather than individuals.
How it works: The attacker identifies a website that is frequently visited by the target group. For example, if trying to attack employees of a tech company, the attacker might target a popular tech news site, industry forum, or internal company resource. The attacker then compromises that website and injects malicious code into its pages. When members of the target group visit the site, the malicious code infects their devices, often installing malware or redirecting them to credential-stealing pages.
Why it's effective: Victims have no reason to distrust the site they're visiting—it's a legitimate, trusted resource. The attacker is gambling that their target group will visit the site, and when they do, the malicious code activates. This attack is particularly insidious because it doesn't require the attacker to target individuals; instead, they're "lying in wait" at a watering hole where the targets naturally congregate.
</extrainfo>
Key Takeaway: Phishing attacks vary widely in their delivery method, level of personalization, and technical sophistication. Email phishing relies on volume, while spear phishing and whaling rely on research and personalization. Newer variants like vishing, smishing, and quishing adapt phishing to different communication channels. Advanced techniques like MITM phishing and homograph attacks exploit sophisticated security concepts or visual deception. Recognizing these variations is the first step in defending against them.
Flashcards
How does email phishing typically deliver fraudulent messages to steal credentials?
By redirecting victims to fake login pages.
Are most email phishing attacks targeted campaigns or bulk campaigns?
Bulk, non-targeted campaigns.
How does spear phishing differ from standard email phishing?
It is a targeted attack using personalized messages for a specific individual or organization.
Why do spear phishers gather personal information about their target?
To increase the credibility of the message.
Which groups within an organization are frequent targets of spear phishing due to their data access?
Executives and financial department staff.
What technology does vishing typically use to make automated fraudulent calls?
Voice over Internet Protocol (VoIP).
What technique do vishing attackers use to make their caller ID appear legitimate?
Spoofing.
Why is it harder for mobile users to identify malicious links in smishing messages?
Mobile devices often display truncated (shortened) URLs.
How does page hijacking redirect users to malicious sites?
By compromising legitimate web pages, often using cross-site scripting.
What is the primary method used in quishing to trick users?
Embedding malicious URLs into QR codes.
How do attackers physically implement quishing in public spaces?
By replacing a legitimate QR code with a malicious one.
What security feature is Man-in-the-Middle phishing specifically designed to bypass?
Two-factor authentication (2FA).
What is the function of tools like Evilginx in a phishing attack?
They act as intermediaries to capture login tokens and session cookies.
Instead of storing passwords, what does Evilginx capture to gain account access?
Login tokens and session cookies.
Which specific group of people does whaling target?
High-level executives or senior managers.
What do homograph attacks exploit to disguise malicious websites?
Visually similar characters in domain names.
What is the strategy behind a watering-hole attack?
Compromising a website frequently visited by a specific target group to infect them.
Quiz
Phishing Attack Types Quiz Question 1: What do attackers typically gather to increase credibility in spear‑phishing attacks?
- Personal information about the target (correct)
- Generic marketing templates
- Random jokes and memes
- Public advertisements unrelated to the victim
Phishing Attack Types Quiz Question 2: Why are executives and financial‑department staff frequent spear‑phishing targets?
- Because they have access to sensitive data (correct)
- Because they use many personal devices
- Because they are the most tech‑savvy employees
- Because they receive the highest volume of email
Phishing Attack Types Quiz Question 3: Which technology does vishing exploit to make automated fraudulent calls?
- Voice over Internet Protocol (VoIP) (correct)
- Short Message Service (SMS) gateways
- Email SMTP servers
- Bluetooth pairing protocols
Phishing Attack Types Quiz Question 4: What is the primary method used in quishing attacks?
- Embedding malicious URLs in QR codes (correct)
- Deploying phishing emails with attachments
- Spoofing caller ID on phone calls
- Inserting malicious scripts into web pages
Phishing Attack Types Quiz Question 5: What does man‑in‑the‑middle phishing aim to bypass?
- Two‑factor authentication (correct)
- Password expiration policies
- Email spam filters
- Network firewalls
Phishing Attack Types Quiz Question 6: Which tool captures login tokens and session cookies without storing passwords?
- Evilginx (correct)
- Metasploit
- Wireshark
- Netcat
Phishing Attack Types Quiz Question 7: What visual limitation of mobile browsers aids smishing attackers?
- Truncated URLs that hide the true destination (correct)
- Lack of any antivirus software on mobile devices
- Inability of mobile browsers to display HTTPS
- Automatic redirection to unsafe sites
Phishing Attack Types Quiz Question 8: Which web vulnerability is often exploited to hijack legitimate pages?
- Cross‑site scripting (correct)
- Phishing emails with malicious attachments
- Denial‑of‑service attacks on the server
- Physical theft of the web server hardware
Phishing Attack Types Quiz Question 9: Which element is commonly embedded in phishing e‑mails to steal credentials?
- Malicious links or attachments (correct)
- Requests for participation in market research surveys
- Job offer letters from unknown recruiters
- Invitations to free webinars
Phishing Attack Types Quiz Question 10: What term describes spear‑phishing attacks aimed at senior executives?
- Whaling (correct)
- Vishing
- Smishing
- Quishing
Phishing Attack Types Quiz Question 11: What action do email phishing messages typically perform to obtain user credentials?
- Redirect victims to fake login pages (correct)
- Install malware on the device
- Collect personal data via surveys
- Display advertisements to generate revenue
Phishing Attack Types Quiz Question 12: Which type of device is the main target of smishing (SMS phishing) attacks?
- Mobile phones (correct)
- Desktop computers
- Enterprise servers
- Internet‑of‑Things (IoT) sensors
Key Concepts
Phishing Techniques
Email phishing
Spear phishing
Whaling
Vishing
Smishing
Quishing
Man‑in‑the‑Middle phishing
Web-based Attacks
Homograph attack
Watering‑hole attack
Page hijacking
Definitions
Email phishing
Fraudulent email messages that lure recipients to reveal credentials or download malware.
Spear phishing
Targeted phishing attacks that use personalized information to deceive specific individuals or organizations.
Whaling
A form of spear phishing aimed at senior executives and high‑level officials to steal valuable data.
Vishing
Voice phishing that employs phone calls or VoIP to impersonate trusted entities and extract sensitive information.
Smishing
SMS phishing that sends deceptive text messages containing malicious links or requests for personal data.
Quishing
QR‑code phishing that embeds malicious URLs in QR codes to redirect users to fraudulent sites.
Man‑in‑the‑Middle phishing
Attack that intercepts authentication sessions, capturing login tokens and session cookies without storing passwords.
Homograph attack
Exploitation of visually similar characters in domain names to disguise malicious websites as legitimate ones.
Watering‑hole attack
Compromise of a website frequented by a target group to deliver malware to its visitors.
Page hijacking
Redirection of users to malicious sites by compromising legitimate web pages, often via cross‑site scripting.