In this post, we provide you with some of the most common phishing attack examples to highlight some of the techniques that cybercriminals and nation-state threat actors use in their campaigns to steal sensitive information and distribute malware.
Phishing is a type of social engineering that deceives people into taking actions they would not normally take and that benefit the attacker. Most commonly the goal is to gain access to a computer and from there the network, either by getting the victim to install malware or to disclose credentials. Phishing attacks are effective and far easier to conduct than finding and exploiting vulnerabilities in software. Phishing campaigns require relatively little skill, and enough people respond to make them worthwhile.
Phishing is the most common method of conducting cyberattacks on businesses to gain initial access to networks. Phishing is used to steal sensitive data, gain access to email accounts for conducting Business Email Compromise (BEC) attacks, and for installing malware and ransomware. If you want to improve your security posture, understanding the threat of phishing and taking steps to reduce risk is essential.
Phishing Attack Examples
Listed below are some common phishing attack examples from real-world attacks on businesses. Phishing is most commonly conducted via email, but we also provide phishing attack examples that occur on websites, social media networks, text messages, and over the telephone.
Something common across the phishing attack examples below is urgency: the scammers want the victim to act quickly without thinking, because stopping to consider the request makes it more likely that the scam will be identified for what it is. Fear, or fear of missing out, is commonly used to get the victim to take the requested action quickly.
Email phishing is by far the most common type of phishing attack, and often involves impersonating a trusted company such as Microsoft, Apple, Amazon, PayPal, or Netflix. The emails include the correct logos, the format matches genuine email communications from those companies, and even the contact information may be correct. The display name in the sender field will often be realistic, as will the lure used to get the recipient to respond and click a link or open an attachment. Attachments contain malicious code that downloads malware, and links direct the recipient to websites where sensitive information is stolen. The websites that users are directed to often contain login boxes that are exact matches of the companies spoofed, such as the login box for Microsoft 365.
There are many possible email phishing attack examples, but the themes below are the most common:
- Fake shipping notices
- Fake invoices
- Missed deliveries
- Missed payments
- Pending payments
- Account upgrades
- The threat of legal action
- The threat of charges to accounts
- The threat of account closure
- Too-good-to-be-true offers
- Competition wins
- Warnings from the HR department
- Fake job offers
Spear Phishing and Whaling
Phishing can be conducted in mass campaigns, or as more targeted attacks on small numbers of individuals, termed spear phishing. Out of all the phishing attack examples, spear phishing emails are usually the hardest to identify because they are highly personalized. Targets are extensively researched, and the lure is tailored to the individual. These attacks are often conducted by more advanced threat groups, such as nation-state hackers, to gain access to the devices of high-value targets.
Whaling attacks are a form of spear phishing that target the big fish in an organization – members of the C-Suite, especially the CEO and CFO. These individuals have access to highly sensitive and valuable information, and their email accounts can be used in convincing BEC attacks on individuals with the responsibility for managing payroll or making wire transfers. BEC emails often request large amounts to be transferred to an account to pay an urgent or missed invoice, and since the emails come from the CEO’s or CFO’s genuine account, they can be difficult to identify.
SMS Phishing (Smishing)
SMS phishing, termed smishing, is becoming increasingly common. These attacks typically use malicious links, often shortened using a URL shortening service to hide the true destination URL. They take advantage of the fact that many people do not have antivirus software on their mobile phones, and the small screen size, which hides much of the URL that the user is directed to. The part of the URL displayed often includes the name of the company being spoofed to trick the victim into thinking they are on the genuine website. These attacks are often conducted to gain access to individuals’ bank accounts and use spoofed versions of banking websites to harvest credentials and two-factor authentication codes.
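Two of the red flags described above, a display name that claims a brand while the actual sender domain belongs to someone else (the email phishing section) and a link whose visible host contains the brand name even though the registrable domain is unrelated or hidden behind a URL shortener (the smishing section), can be checked mechanically. The following is an added example written for this post, not code from the original article or from any security product. It assumes a small, illustrative brand-to-domain map (KNOWN_BRANDS), a short list of urgency phrases (URGENCY_TERMS) and a few well-known shortener domains (SHORTENERS); the registrable-domain function is deliberately naive (last two labels) and a production checker would use the Public Suffix List instead. The email and SMS samples are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands named in the post mapped to domains they genuinely send from.
# Illustrative assumption for this example, not an authoritative allowlist.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
}

# Phrases that signal the artificial urgency the post describes (assumed list).
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended",
                 "urgent", "final notice", "verify now")

# A few public URL shorteners whose links hide the true destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Naive registrable domain: the last two DNS labels.
    Good enough for the samples here; real code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Flag a display name that claims a brand while the address is not on that brand's domain."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in display.lower() and registrable_domain(domain) not in genuine:
            findings.append(f"display name claims '{brand}' but sender domain is '{domain}'")
    return findings


def check_url(url):
    """Flag a link whose host mentions a brand the registrable domain does not belong to,
    and links that go through a shortener (destination not visible to the victim)."""
    host = urlparse(url).hostname or ""
    reg = registrable_domain(host)
    findings = []
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in host.lower() and reg not in genuine:
            findings.append(f"'{brand}' appears in host '{host}' but registrable domain is '{reg}'")
    if reg in SHORTENERS:
        findings.append(f"link uses URL shortener '{reg}', true destination hidden")
    return findings


def check_urgency(text):
    """Return the urgency cues present in the text (case-insensitive substring match)."""
    lowered = text.lower()
    return [f"urgency cue: '{term}'" for term in URGENCY_TERMS if term in lowered]


def analyze_text(text):
    """Run the link and urgency checks over free text, e.g. an SMS body."""
    findings = []
    for url in URL_RE.findall(text):
        findings += check_url(url)
    findings += check_urgency(text)
    return findings


def analyze_message(raw_email):
    """Run all checks over a single-part RFC 822 message given as a string."""
    msg = message_from_string(raw_email)
    findings = check_sender(msg.get("From", ""))
    findings += analyze_text(msg.get("Subject", "") + " " + msg.get_payload())
    return findings


# Constructed sample email: brand in the display name, unrelated sender domain,
# brand name inside a subdomain of an unrelated site, and urgency language.
SAMPLE_EMAIL = """From: Microsoft Account Team <security-alerts@mail-verify.example>
Subject: Unusual sign-in activity - action required within 24 hours
Content-Type: text/plain

We detected unusual sign-in activity. Your account will be suspended unless you verify now:
https://login.microsoft.com.account-check.example/verify
"""

# Constructed sample SMS: the visible start of the URL shows the brand, the domain does not.
SAMPLE_SMS = ("PayPal: Your account is limited. Restore access immediately: "
              "https://paypal.com-secure-login.example/restore")

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL) + analyze_text(SAMPLE_SMS):
        print(finding)
```

The checks are heuristics for triage and user education, not a substitute for an email security gateway: they will miss a lookalike domain that does not contain the brand string, and a legitimate newsletter sent through a third-party mailer can trip the sender check, so findings should raise a warning rather than block outright.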
Social Media Phishing
Social media phishing is often conducted to get clues to users’ passwords and security questions. Have you seen a post that asks what your favorite teacher’s name was, the name of your first pet, or the first car you bought? Like the other phishing attack examples, posts are often added that direct social media network users to malicious websites where credentials are harvested or personal information is collected, such as bank account information and Social Security numbers. Competitions are common, where the user has to provide a host of sensitive information to claim their fictitious prize.
Voice Phishing (Vishing)
Voice phishing is conducted over the telephone and seeks sensitive information. Vishing is often used to obtain information for use in later spear phishing attacks via email, to run tech support scams that warn the victim of a malware infection that needs addressing, and to obtain multi-factor authentication codes. Victims are often told to navigate to a malicious website where fake software is downloaded or credentials are harvested. Standard anti-phishing solutions such as email filters will not block these attacks.
How to Prevent Phishing Attacks
The key to preventing phishing attacks is to adopt a defense-in-depth strategy, with multiple overlapping layers of protection. This is important as no single security measure or cybersecurity solution will be able to block all of the above phishing attack examples. Your phishing defenses should include an email security solution for preventing phishing emails from reaching inboxes, a web security solution such as a DNS filter for blocking access to websites hosting phishing kits and malware, endpoint security solutions for detecting and mitigating malware downloads, and multi-factor authentication on accounts to prevent stolen credentials from being used to access accounts.
It is also important to provide comprehensive security awareness training to all members of the workforce to raise awareness of the risk of phishing attacks, provide details of phishing attack examples to help employees recognize phishing threats, and teach them the red flags they should be looking for in emails, text messages, and on the web. As part of the training program, you should conduct phishing simulations to test whether the training has been effective and to identify any individuals who require further training.