Phishing Attack Examples

Phishing is the most common way that cybercriminals reach employees. These attacks use social engineering techniques to trick employees into taking actions that help the attackers achieve their aims. In this article, we provide some phishing attack examples to demonstrate the diversity of phishing and explain some of the threats that you should be covering in your security awareness training sessions. Making employees aware of these phishing attack examples will prepare them for when a real threat is encountered.

What is Phishing?

Phishing is the most common type of social engineering attack. Social engineering, in cybersecurity terms, is the use of deception to manipulate people into disclosing sensitive information or taking actions that benefit the social engineer. Phishing attacks trick people into disclosing sensitive information, such as usernames and passwords, so that their accounts can be accessed remotely. These attacks give attackers access to sensitive data and provide a foothold in business networks. A looser definition of phishing also includes malspam emails, which are emails that carry malicious code or attachments. Social engineering is used to trick people into running that code, which results in the delivery of malware.

Phishing Attack Statistics

Phishing attacks continue to increase, with the pandemic seeing a major rise as cybercriminals targeted remote workers. According to the Anti-Phishing Working Group (APWG), 2021 saw more phishing attacks than any year since APWG began tracking attacks, with over 300,000 attacks reported in December 2021 alone. That is a three-fold increase on 2019. According to the HIMSS 2021 Healthcare Cybersecurity Survey, 45% of healthcare organizations said their most significant security incident in the past 12 months was a phishing attack. Zscaler reports a 29% increase in phishing attacks in 2022 compared to 2021, with the retail and wholesale industries seeing a 400% increase over the past 12 months.

These attacks are increasing because 1) they work; 2) they can be very profitable; 3) they are low cost; 4) they require little technical skill to conduct compared to other types of attack; and 5) there has been an increase in phishing-as-a-service, which has opened up phishing to a much broader range of individuals.

Phishing Attacks are Becoming More Sophisticated

Phishing typically involves a lure that tricks people into taking a certain action. A plausible reason is given as to why an action should be taken and trusted entities are impersonated to make the scams seem genuine. The attacks use familiar branding, logos, color schemes, and formats copied from the genuine communications companies send to their customers. Links are included to websites that contain phishing kits that impersonate the login prompts used by companies, with the websites that users are directed to being almost carbon copies of the genuine sites they impersonate.

Email security solutions can often detect these phishing attempts, but attacks are becoming more sophisticated and harder to identify. Phishing content is often loaded onto trusted platforms such as SharePoint, Google Drive, DigitalOpenSpaces, WeTransfer, Dropbox, and Amazon AWS. Email security solutions often fail to detect these malicious links because the sites where the phishing content is hosted pass reputation checks.

Phishing URLs also have a short lifespan, sometimes just a few hours, to evade the blacklists of malicious URLs maintained by security solutions. By the time a URL is added to a blacklist it has already been abandoned. It is a similar story with malware. Malware variants typically have a lifespan of just 2.3 days, according to Acronis, which reports that 81% of malware samples are only detected once before they disappear. By changing malware often, attackers can fool the signature-based antivirus engines used by email security solutions.

Phishing Attack Examples

It is not possible to provide phishing attack examples of all the lures used in phishing since there is such diversity and new lures are constantly being devised. One of the reasons why phishing can be so effective is the speed at which phishers capitalize on current events that are attracting a lot of media attention, with the huge rise in COVID-19-related attacks a good case in point. When there was little information on the virus and disease, phishers conducted campaigns that claimed to offer the information people wanted. The phishing attack examples below detail the different categories of phishing attacks.

Email Phishing

Out of all the phishing attack examples provided here, email phishing is the most common. These attacks involve a lure sent via email. The emails often convey a sense of urgency, elicit emotions such as fear, and frequently threaten bad repercussions if no action is taken. Trusted entities are spoofed to make it appear that the communications are genuine. Common lures include fake security alerts and tech support requests, notifications of fund transfers, impending account charges, information on big sporting events and news stories, social media requests, account deactivation notices, cut-price deals on purchases, and more. Businesses are targeted using standard business email templates, such as shipping notifications, delivery failures, outstanding invoices, resumes/job applications, and requests for collaboration.

Spear Phishing

Phishing is often conducted in massive campaigns, whereas spear phishing is targeted at small numbers of individuals, such as specific individuals in a company or a company’s HR department. Targets are often researched, and the emails are personalized and addressed to the target by name. These emails may also include other information specific to the target.

Whaling / Big Game Phishing

Big game phishing and whaling attacks are a more targeted version of spear phishing. They target the big fish in a company – the CEO, CFO, and other board members. Those individuals have the most valuable accounts with the highest levels of privileges. When their accounts are compromised, they can be used for realistic internal phishing attacks on the workforce, in what is known as business email compromise attacks.

Business Email Compromise/Email Account Compromise

A business email compromise (BEC) attack – aka email account compromise, CEO fraud – is where a business email account is compromised, usually the account of the CEO or another senior board member. The account is used to send realistic requests to employees. People are likely to respond quickly when a senior board member sends them an email. These attacks are used to obtain sensitive data such as employee tax information (W-2 forms), to make changes to upcoming wire transfers, or make fraudulent wire transfers.

Website Phishing

Website phishing involves compromising a trusted website and using content injection to add popups that either collect sensitive information or direct visitors to malicious websites. New web pages hosting phishing kits can also be added to a compromised website, taking advantage of the site's good reputation. Alternatively, an attacker may create a website, add phishing forms to it, and use search engine optimization techniques to get it to appear high in search results for specific business-related search terms (SEO poisoning).

SMS Phishing – Smishing

Smishing attacks are phishing attacks conducted using SMS messages. They direct users to websites that steal information or download malware, taking advantage of the poor antivirus controls on many mobile devices. The small screen size is also exploited: mobile devices do not display the full URLs of sites, which makes it easier to hide malicious content, and URL shortening services are often used to mask the website to which users are directed.

Voice Phishing – Vishing

Voice phishing is becoming more common, where individuals are called and a trusted entity is impersonated. Personal information may have been collected on an individual to make the call seem realistic and caller IDs are spoofed to make it appear that the call is coming from a previously verified phone number. Tech support scams are common, where people are told there is a problem with their computer that needs to be addressed, such as a malware infection.

Social Media Phishing

Social media phishing involves tricking people into disclosing sensitive information via social media websites. Posts asking “what was your first pet's name?” or stating “William is the most common boy's name, prove me wrong” aim to obtain information that gives hints about passwords or the answers to security questions. Links may be shared to websites hosting phishing kits, and the information gathered is used to conduct highly realistic spear phishing attacks.

Callback Phishing / Hybrid Phishing

There has been a sharp increase in hybrid phishing attacks in 2022; they increased by 625% between Q1 and Q2 2022, according to Agari. These attacks use more than one communication channel. In callback phishing, for example, an email is sent with no malicious content other than a phone number, and the user is told to call that number, where a vishing attack takes place, often to trick the caller into downloading malware.

Defending Against Phishing Attacks

The increasing sophistication of phishing attacks and the diversity of this attack method mean there is no single cybersecurity solution or measure that can block all attacks, short of shutting down all communication and totally isolating a business from the outside world. What is required is several overlapping layers of protection – a defense-in-depth strategy. The two most important measures are an email security solution with advanced anti-phishing capabilities and regular security awareness training for the workforce to raise awareness of the threat from phishing and to teach employees how to recognize phishing attempts. Security awareness training should be accompanied by phishing simulations, as these are proven to increase the effectiveness of training. When a phishing simulation is failed, the individual is provided with immediate corrective training relevant to the mistake they made.

Other technical solutions that should be considered are next-generation antivirus solutions that use behavioral detection in addition to signature-based detection, web filters for blocking access to known malicious and risky websites, controls limiting downloads of files from the Internet commonly associated with malware, email data loss prevention (DLP) solutions, robust email authentication such as the strictest DMARC controls (reject), warnings on emails from external sources, a mail client add-on for reporting suspicious emails, and multifactor authentication for accounts.
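The DMARC recommendation above is easy to get subtly wrong: a record can exist yet still not reject spoofed mail. The following is an added example, not code from the original article, that parses a DMARC TXT record and reports every way it falls short of the strictest enforcement (p=reject, subdomains included, 100% of mail, aggregate reporting enabled). The two records and the domain example.com are constructed samples.

```python
import re

# Constructed sample DMARC TXT records; example.com is a placeholder domain.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@example.com; adkim=s; aspf=s")


def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.
    Tag names are lower-cased; surrounding whitespace is ignored."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of findings explaining why the record is weaker than
    full p=reject enforcement. An empty list means the record is strict."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid version tag (v=DMARC1)")
        return findings  # nothing else is evaluated without a valid version
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    # sp defaults to p when absent, so a weak p also leaves subdomains exposed.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        findings.append(f"sp={sub or 'missing'}: subdomains can still be spoofed")
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if re.fullmatch(r"\d+", pct_text) else 0
    if pct < 100:
        findings.append(f"pct={pct_text}: only part of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings


def is_strict(record):
    """True only when the record enforces reject on all mail and subdomains."""
    return assess_dmarc(record) == []
```

Run `assess_dmarc` against the TXT record at `_dmarc.<your-domain>` to see which tags still need tightening.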