How to recognize and avoid 5 types of phishing attacks
Don’t get hooked by phishing. Learn everything you need to know about the common types of phishing hackers may use to steal your sensitive information.
Phishing is a simple and effective tool hackers use to deceive people into handing over sensitive information or downloading harmful software. It’s one of the oldest types of cybercrime, but also one of the most innovative; hackers constantly develop new types of phishing attacks to catch internet users off guard.
If your sensitive information is valuable to you—and we’re going to guess that it is—you may be wondering how to prevent phishing attacks. To answer that question and help you protect your identity online, we’ll explain what phishing is, walk through five common types of phishing, and offer some tips on how to avoid biting the bait.
What is phishing?
Phishing stretches back to the days of dial-up internet in the mid-1990s. It’s pronounced the same way as fishing (the “ph” is hacker slang) due to its comparison with an angler who attempts to catch fish by leaving a baited hook. The bait, in this case, is fraudulent communication in the form of emails, mobile messages, or phone calls.
Phishing is deliberately misleading and disguised as communication sent from legitimate sources. The message is designed to pressure the person reading the email to take immediate action. For example, you may receive an email that looks as if it comes from your bank, telling you there’s a problem with your account. For the sake of your security, you’re asked to update your details by following a link.
If you “bite” and follow the link, you’ll be taken to a page which is a like-for-like copy of a genuine website (including official banners and branding) to trick you into entering your details. Hackers can then steal sensitive information, including passwords, account numbers, or passport details. With this information, criminals can make purchases online, steal money, or commit identity theft.
The good news is, if you don’t bite, the tactic isn’t successful.
What are the different types of phishing?
A phishing attack is any fraudulent attempt at finding victims. Some of the larger-scale attacks are known as phishing campaigns, as they usually target masses of people with a similar email template or tactic. Campaigns may be easy or difficult to spot, depending on their complexity.
As far as phishing methods go, there are five common types of phishing that you should be aware of. This isn’t to say these are the only five types, but they do encompass some of the more sophisticated forms of phishing that can be harder to detect. Each of these phishing definitions adheres to the same “fishing” theme, so they aren’t too difficult to remember.
1. Spear phishing
Just as spearfishing aims for one particular fish, spear phishing targets a specific individual. Unfortunately, that individual may be you.
In a spear-phishing attempt, a hacker thoroughly researches a particular target and sends correspondence that’s specifically crafted to fool that target. It’s common for spear-phishing attacks to target employees at organizations, with email messages that appear to be from co-workers.
A 2019 Europol report highlighted spear phishing as an emerging threat, and it remains one of the trickier forms of phishing for the average person to detect.
Examples of spear phishing:
- A work email that addresses you by your name and looks like it was written by a coworker.
- An email from someone at your organization you’ve never met, asking you to send them sensitive information.
- An email from someone claiming to be on your company’s HR team, asking you to open a link to sign a new employee handbook.
2. Whaling
Whaling is a type of phishing that goes after high-profile targets, or “whales.” These targets may include CEOs, politicians, or prominent members of organizations. Hackers tend to put more effort and sophistication into this kind of phishing attack, because the potential rewards are huge.
Examples of whaling:
- An email sent to a CEO of a company from a hacker pretending to be a client.
- An email sent to an HR or payroll team from a hacker pretending to be the company’s CEO.
- An email sent to a politician or a group of politicians by a hacker pretending to be a governmental agency.
3. Clone phishing
Clone phishing can be one of the more difficult types of phishing to detect. It’s a sophisticated attack in which the hacker intercepts genuine correspondence between two people who may know one another well.
In a clone-phishing attempt, the hacker clones a legitimate email from a trusted source. For the victim, the email may seem to be a continuation of a previous conversation. But this particular cloned email or message may contain a malicious link.
Examples of clone phishing:
- An email sent by a hacker pretending to be your mother, asking you to open a link to see a photo from her vacation.
- An email sent by a hacker pretending to be a close business partner, asking you to open an attached file to view a new proposal.
4. Vishing
Vishing is phishing via telephone call. The name is a portmanteau of two words: “voice” and “phishing.” The approach is the same as with any other type of phishing: appear legitimate in order to get sensitive information from the victim. Always remain cautious if you receive an unsolicited phone call requesting sensitive information.
Examples of vishing:
- Compromised bank account. In this type of vishing attack, a hacker may call and try to convince you that your bank account has been compromised and is at risk of a cyberattack.
- A dream offer. Some hackers might call offering you a loan or prize in an attempt to gather your personal information. These offers may sound highly enticing, but don’t be fooled—if something sounds too good to be true, it probably is.
- Tax scams. Some vishing hackers pose as tax collectors, threatening or frightening their targets with talk of outstanding tax debt and hefty fines.
5. Smishing
Smishing may sound strange, but it’s all too real. The word “smishing” is a portmanteau of the words “SMS” and “phishing”—which means that, yes, this is a type of online scam that happens via text message.
In a typical smishing attack, you may receive a cryptic message from a friend or family member, asking you to transfer money for an unpaid bill. Hackers might also attempt to get other personal information such as your bank details, card numbers, email addresses, and more. In many cases of smishing, the hacker is simply attempting to steal funds, but they may also be attempting identity theft.
Smishing attempts can be far-reaching. In 2020, an SMS phishing campaign targeted mobile banking apps in North America. Messages were sent to a large number of people. When following the included link, victims were directed to a false login page for their online banking account. This particular campaign hooked 4,000 victims.
Examples of smishing:
- Bank smishing. This scam tries to get you to act by saying your bank account has been hacked, when in reality, this is the hacking attempt itself.
- Malware smishing. With this scam, you may receive a text message encouraging you to download something onto your phone, like an app. This app may look like it’s from a trusted source, but it could be used to access sensitive data from your smartphone through a backdoor.
- Money smishing. These attempts may look like a plea for money from someone you know. They are attempts to “socially engineer” you into making a bad decision, i.e. they want to make you feel panicked or guilty, so you’ll be tempted to send money quickly.
What are the most popular phishing disguises?
The more genuine a phishing email appears, the more likely the victim will take the bait. This is why hackers imitate well-known brands used by large volumes of people. A 2019 report by Vade Secure revealed the most popular brands for hackers include PayPal, Facebook, Microsoft, Netflix, and WhatsApp.
Interestingly, the report also identifies the most common approaches phishing emails use to “bait” victims. Often correspondence refers to “unusual activity” with the person’s account, with the need for immediate verification. But there are more creative approaches, including the offer of bogus deals, free pornographic content, or invoices that require payment (e.g. from Amazon).
Trending events can be used in campaigns, too. In 2020, the World Health Organization (WHO) was used in a phishing attack. Emails looked like helpful reminders from WHO, with instructions on how to prevent spreading the coronavirus. Exploiting global fears around the virus, users followed a link to access a document and landed on a fake Microsoft Outlook login page. Any details entered on this page were sent directly to hackers.
How to recognize a phishing email or website
Although security on many email accounts is effective at detecting phishing attacks, hackers are becoming more sophisticated in their approach.
Gone are the days of poorly written emails with over-the-top promises of wiring millions of dollars simply by handing over your bank details. Modern phishing emails may contain tailored information, company branding, or URLs that look close to the real thing.
So, how do you remain vigilant toward phishing attacks? Here are some tips to help you out:
Look for generic email elements
Sometimes you can spot a phishing email thanks to its generic introduction (“Dear Sir” or “Dear Madam”) rather than your name. More obviously, if the email is from a company you don’t have an account with, it’s likely from a mass campaign. Ignore it and report it if necessary.
Look out for irregularities in tone and format
Whenever you receive correspondence asking you to take action, ask yourself: does this person usually contact me for such requests via email? Be vigilant of the tone and language of the correspondence, including any subtle mistakes. Does anything seem unusual? Pay close attention to the “from” section and if suspicious, reply in a new email rather than directly.
Carefully check the address of any link before clicking on it
Most phishing emails include a link that directs you to a counterfeit website. Such phishing sites are the “portal” through which you unknowingly hand your information to hackers. Make sure to carefully check the address of the website in question, e.g. "wwwn26.com" vs. "www.n26.com". Keep an eye out for the lock symbol (in Chrome) indicating a secure connection, but remember that the lock only means the connection is encrypted, not that the site is genuine; a phishing site can use HTTPS too, so the address itself is what you need to verify.
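As an added example (not code from the N26 article), here is a small Python check that applies the address comparison above: given the domain an email claims to come from, it works out which host a link would really connect to and flags lookalikes such as the “wwwn26.com” case. The sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample links modelled on the article's "wwwn26.com" vs "www.n26.com" example.
SAMPLE_LINKS = [
    "https://www.n26.com/en-eu/login",                  # genuine: subdomain of n26.com
    "https://wwwn26.com/login",                         # missing dot: a different domain
    "https://www.n26.com.account-check.example/login",  # real name used as a subdomain
    "https://www.n26.com@account-check.example/login",  # '@' trick: real host is after '@'
    "http://n26.com/login",                             # right domain, but unencrypted
]

def host_of(url: str) -> str:
    """Return the lower-cased hostname the browser would actually connect to."""
    host = urlsplit(url).hostname or ""   # hostname drops userinfo, port and case
    return host.rstrip(".")

def check_link(url: str, expected_domain: str) -> dict:
    """Classify a link against the domain the email claims to come from.

    Returns the real host, whether it belongs to expected_domain, and a list
    of reasons a reader should be suspicious (empty when the link looks fine).
    """
    parts = urlsplit(url)
    host = host_of(url)
    expected = expected_domain.lower()
    reasons = []
    same_domain = host == expected or host.endswith("." + expected)
    if not same_domain:
        # Lookalikes rely on the real name still appearing somewhere in the host
        # (e.g. "wwwn26.com" or "www.n26.com.account-check.example").
        if expected.replace(".", "") in host.replace(".", ""):
            reasons.append(f"host {host!r} imitates {expected!r} but is a different domain")
        else:
            reasons.append(f"host {host!r} is unrelated to {expected!r}")
    if "@" in parts.netloc:
        reasons.append(f"link contains '@': the real host is {host!r}")
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    return {"host": host, "same_domain": same_domain, "reasons": reasons}

def suspicious_links(urls, expected_domain: str) -> list:
    """Return only the links that fail at least one check."""
    return [u for u in urls if check_link(u, expected_domain)["reasons"]]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        result = check_link(url, "n26.com")
        print(("ok" if not result["reasons"] else "SUSPICIOUS").ljust(11), url)
        for reason in result["reasons"]:
            print("            -", reason)
```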
Be skeptical of redirected websites
Always be skeptical of redirected websites (where the URL changes and you’re taken to another page). If any link appears questionable and you’d like to play it safe, open a new window and visit the website directly.
For example, if you receive an email from PayPal with a link to log into your account, there’s no harm in heading to PayPal directly in your browser and logging in from there. If the correspondence is genuine, you can access your account in this way for more information.
Other tips on how to prevent phishing
Be cautious anytime you are asked to submit sensitive information. For example, N26 Customer Service never asks you for your password or credit card number. And always keep the 10-digit token on your card a secret (don't take pictures of that side of the card).
Other tips on how to prevent phishing include:
- Ensure your computer has up-to-date security software.
- Install an anti-phishing extension on your web browser.
- Create a strong password for each of your accounts, and never use the same password with different accounts.
- Make sure your mobile phone has the latest updates installed.
- Activate multi-factor authentication (or 2-Factor Authentication “2FA”)—an additional step to log in, such as a code sent to your mobile phone.
- Don’t publish personal information publicly online, as this information can be used by hackers.
How to report a phishing attack
With the ever-increasing sophistication of phishing, you may still fall victim to an attack despite doing all that you can to avoid it. If this happens, there are a few ways to report the incident:
- Contact your email provider directly. For example, contact Google Support.
- Contact the company whose information has been imitated directly to make them aware of what’s happened.
- If your personal information has been stolen, contact the cybercrime department of your local police authority.
N26 customers can notify us through the app’s chat function or on the N26 website. However, armed with all you need to know about phishing and the security of an N26 account, we hope it won’t come to this.
Phishing is a popular technique but it does rely on you being as aware as possible. So, remain vigilant, be skeptical, and keep this article in mind to avoid being hooked.