Can you spot the 5 kinds of phishing attack?

Phishing is one of the biggest threats that individuals and organizations face, but do you know what they are, what they look like, and where to look for them?

In the broadest sense, phishing is any attempt to pose as a trustworthy source in order to get people to hand over personal information. Phishing usually takes the form of mass emails sent to hundreds or thousands of people, but can use other forms of communication or more nuanced attacks.

We’ve listed the most common forms of phishing here, along with examples to help you spot these attacks.

Email phishing

Most people are at least vaguely aware of what email phishing attacks look like. They are the poorly written and unexpected messages that try to scare you into thinking something has gone wrong. Perhaps your account has been hacked, you need to confirm a card payment, or your bank account has been compromised.

Whatever form the messages take, they always contain a request for information, an attachment to open (often a .zip file), or a link to click on.

If an email isn’t addressed to you personally, contains suspicious attachments or links, and is sent from a bogus email address, it is probably a phishing scam.

Spear phishing

There are two other phishing techniques that use email, but they are more sophisticated and targeted in their approach. The first of these, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following: the victim’s name, place of employment, job title, email address, and even specific information about their job to make the scam more believable.

One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was done so with the help of spear phishing. The first attack sent emails containing malicious attachments to more than 1,000 email addresses. Its success led to another campaign that tricked members of the committee into sharing their passwords.


Whaling attacks are even more targeted, taking aim at senior executives. Although the ultimate goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler. Tricks such as fake links and malicious URLs aren’t useful in this instance, as criminals are attempting to imitate senior staff.

The Form W-2 phishing scam is an increasingly common variety of whaling. In one case, an employee of a Virginia school district responded to an email that appeared to be from a senior member of staff requesting employees’ Forms W-2. It was, in fact, from a scammer seeking tax records. These are highly valued by criminals as they contain almost all the data needed to file false tax refund claims: names, addresses, Social Security numbers, and bank account information.

Smishing and vishing

With both smishing and vishing, telephones replace emails as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.

A common vishing scam involves a criminal posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached. The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.

Social media phishing

A relatively new attack vector, social media offers a number of ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.

Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.

In 2016, thousands of Facebook users received messages telling them they’d been mentioned in a post. The message had been initiated by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension on to the user’s computer.

When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data, and spread the infection through the victim’s Facebook friends.

Prevent phishing attacks in your organization

With new forms of phishing popping up all the time, it’s important to train your staff to spot the signs of an attack and avoid falling victim.

Our Security Awareness Program helps you generate tangible and lasting improvements to your organization’s security awareness.

This program combines a learning needs assessment to identify the areas that your organization should focus on, with a series of tools and services to address the problems that arise. These tools and services include hands-on support from a specialist consultant, pocket guides, and e-learning courses.

Find out more about our Security Awareness Program >>