Types of Phishing Emails

As the sophistication of phishing evolves, there are many types of phishing emails that attempt to prompt recipients into an action that could have serious consequences for them or their employer. Online security companies do their best to combat new types of phishing emails as they appear, but the most effective defense against the threats they present is employee awareness training.

Employee awareness training can compensate for the time lapses between new types of phishing emails appearing and the development of tools to combat the threats they present. Training can protect a business from fraud, prevent the business´s network from being infected with malware and – more recently – avoid the scenario in which business email accounts are being controlled by cybercriminals.

Types of Phishing Emails

The types of phishing emails currently in circulation are similar to what they were more than a decade ago when cybercriminals first took advantage of individuals´ online vulnerabilities. What has changed significantly is that phishing emails are better constructed to look authentic and can often include a mixture of links to scam destinations and genuine destinations (i.e. PayPal´s Privacy Policy). A selection of the most commonly used types of phishing email includes:

  • An email purporting to be from a government agency (for example, the FBI or IRS) containing a simple message – i.e. “For Your Attention” – and an attachment which naturally raises recipients´ inquisitiveness.
  • A message from an email service provider informing the recipient their email account is soon to be deactivated and they should login to their account (via the enclosed link) to prevent this from happening.
  • An email claiming to be from a financial institution, informing the recipient that a transaction has not been finalized due to a problem that can be resolved by following a link and entering their login credentials.
  • A message from any online account (shopping, financial institution, etc.) advising the recipient their credit card may have been used fraudulently and to click on the link to confirm their credit card details and prevent closure of the account.

Other types of phishing emails requesting urgent action to prevent the termination of a service include the necessity to update a digital signature to continue being able to use an online banking account, the necessity to add or update personal details to an online shopping account, or the necessity to visit a third party´s website in order to maintain a Netflix subscription.

Phishing TechniqueAttack VectorDescription
PhishingEmail/InternetThe broad term used to describe attacks that attempt to fool victims into disclosing sensitive information or installing malware. The scammer typically impersonates a brand, organization, or contact.
Spear PhishingEmailA targeted phishing attack on an individual, small group, or specific organization. Targets are researched and attacks are personalized.
SMiShingSMS and Instant Messaging ServicesThe use of SMS messages – or other messaging apps – to fool users into visiting a malicious website, installing malware, or making a call back.
VishingTelephonePhishing attacks over the telephone, either speaking to a person or via automated voice response systems.
WhalingEmailA form of spear phishing targeting the CEO, CFO, or other high-ranking person in a company to gain access to their credentials.
PharmingA technique used to redirect Internet users to phishing websites, typically involving modification of DNS records.
Business Email Compromise (BEC) / CEO FraudEmailTypically, the second stage of a phishing attack, where phishing emails are sent internally via a compromised email account such as that of the CEO or CFO requesting data or wire transfers.

The Evolving Purposes of Phishing Emails

The purposes of phishing emails are well chronicled. These include using fear or reward tactics, urgency, and social engineering to encourage the desired response from the recipient of a phishing email – the desired response usually being to click on a link, to divulge login credentials or to open an attachment harboring malware.

More recently, the Business Email Compromise scam materialized in which employees are instructed (by a supposed senior executive) to transfer funds to a fraudulent bank account. However, a new purpose of phishing emails has emerged according to the July 2017 Intelligence Report from Symantec – to steal corporate email login credentials in order to send phishing emails without detection.

How “Corporate” Phishing Emails Avoid Detection

The reason the majority of phishing emails are caught before they arrive in users´ inboxes is because email filtering mechanisms such as Sender Policy Frameworks authenticate the origins of an email before delivering it. This prevents users receiving spoofed emails – such as those from @PayPaI.com, where the “l” of PayPal is replaced with a capital “i”.

However, when a phishing email is sent from a genuine – but compromised – corporate email account, the origin of the email is authenticated and the email is delivered. According to Symantec, cybercriminals have now developed malware that infiltrates businesses´ networks, steals email login credentials, and uses the corporate email accounts to send phishing emails without detection.

Preventing Successful Phishing Attacks

As mentioned above, employee awareness training is the most effective defense against the threat of phishing as it conditions employees to be more aware of the threat, regardless of the types of phishing emails used to deploy them. In order to maximize the effectiveness of employee awareness training, the training needs to be periodic. In this way, users will be alerted to the latest types of phishing emails and the threats they carry.