Email Security

    5 Types of Phishing

    Phishing comes in many forms, as fraudsters work across email and other communications channels to steal from your company.

    by Mercedes Cardona

    Key Points

    • The types of phishing attacks have evolved and expanded from email to text, voice and social media.
    • Fraudsters use social engineering tactics for more sophisticated attacks that impersonate employees, supervisors and business partners.
    • Training is key to blocking all kinds of phishing, along with automation and technology tools that protect your systems and spot fraud in progress.


    The term “phishing” officially entered the language in 2005, when the Oxford American Dictionary added the word, defining it as “the activity of tricking people by getting them to give their identity, bank account numbers, etc. over the Internet or by e-mail, and then using these to steal money from them.” But phishing emails are as old as email itself. The first phishing email attacks came in the mid-1990s,[i] and phishing remains a major concern in 2021. As a result of the pivot to remote work during the COVID-19 pandemic, companies report a surge of all different types of phishing attacks.[ii]

    What Is a Phishing Attack?

    Listing the different types of phishing starts with the obvious spam emails — e.g., “click here and claim a prize” — that lure the recipient to click on the bait and let the bad guys into their computer — and beyond. Then there are more sophisticated types of phishing that leverage social engineering tactics to trick the target into sharing sensitive information or uploading malware. In fact, social engineering — using personal and company information to manipulate users into falling for different types of phishing emails — is a growing concern. Seven out of ten organizations believe employee behaviors are putting their companies at risk for different types of email phishing, according to Mimecast’s State of Email Security 2021 (SOES).

    How Does Phishing Work?

    The fraudsters often collect background information such as company email addresses and the names and job titles of targets from openly available databases and social networks to make their messages more credible. They also build fake websites to collect private information such as passwords and credit card numbers.

    The bottom line is that whichever type of phishing attack targets specific users will depend on the weaknesses the bad guys can find to exploit. Defending against them requires multiple defenses, as well.

    Types of Phishing Attacks

    Email cyber threats rose by about 64% in 2020, but email isn’t the only communications channel for phishing. There are as many different types of phishing attacks as there are communications media to carry them.

    Besides the many types of phishing emails being delivered globally, fraudsters have also leveraged channels such as text and voice-response systems to expand the types of phishing to target different individuals and organizations. The five types of phishing attacks your organization should watch for in 2021, described in detail below, are the following:

    1. Email phishing

    The original-recipe phishing scam, dating from the days of dial-up modems, is a spam email sent to hundreds or thousands of recipients, trying to get the user to send money, click on a link (usually dropping some malware in their computer) or access a website set up by the fraudsters to steal money, pilfer personal information or plant malware. Think of that old email claiming to be from a government minister of some turbulent republic, offering millions in exchange for a small upfront deposit. Surprisingly, people still fall for this sort of thing. And 40% of companies report that their email security falls short, while 13% have no email security system in place, according to the SOES survey.

    Some simple preventative steps can spare users from falling for phishing. The Center for Internet Security has some basic advice: Be careful with all emails and don’t click on links or attachments that look suspicious.[iii] A phishing filter installed on your email application and web browser will reduce phishing attempts; a pop-up blocker can also help stop another tool often used by fraudsters to get personal information.

    2. Spear phishing

    This is a more specialized type of phishing attack that targets a specific user, thanks to personal information gleaned from online sources. Besides the font of social media, fraudsters can now buy entire databases of information on the Dark Web, which makes it easier to craft a message that will get through.

    The spear phishing email is often devised to appear to come from a trusted colleague or a business that the target user works with (known as “impersonation attacks”), with a fake address or website that looks similar to the real one. It can be spotted by paying close attention to the spelling and punctuation used in the address. Some fraudsters will use a different domain (.net instead of .com) or add extra characters to a legitimate address, such an underscore or dash. Some will use similar-looking characters, such as using a zero instead of an “o” or an “l” instead of an “i” to confuse the phishing target.

    Technology and automation can be helpful in blocking these kinds of email attacks. Email authentication protocols such as Domain-based Message Authentication, Reporting & Conformance (DMARC) and Sender Policy Framework (SPF) can help sort out the fake addresses used for impersonation attacks. Artificial intelligence can automate the scanning of emails passing through the system to find anomalies such as fake websites. Additionally, thanks to machine learning, some security tools can spot communications patterns that don’t fit in with the company’s email flow and then flag phishers.

    3. Whaling

    Just as its name suggests, whaling is a type of phishing email targeting a big fish. This even more specialized variety of spear phishing targets a specific user high in an organization’s hierarchy. This is also known as CEO or CFO fraud, and it involves sending a fraudulent email to the executive, claiming to be a subordinate or colleague. It often has an urgent tone, asking for quick access to sensitive information, a password or a funds transfer in order to carry out some company function.

    Defenses against whaling are similar to those against spear phishing and other kinds of phishing emails, including security awareness training and filters to scan email attachments for malware or check the body of emails for those misspelled addresses that give away phishing emails.

    4. Smishing and vishing

    There are billions of cell phones worldwide, and they are being used for many more functions, both at home and at work. So it was only a matter of time before fraudsters found a way to create different types of phishing using smartphones. Smishing uses texts, or SMS, to do the work emails perform in traditional phishing, while vishing uses voice messages and robocalls to the same effect. For instance, a call or text, claiming to be from the Social Security Administration or the Internal Revenue Service, urgently demanding a response — or a fraud alert from “Cardmember Services” — is usually paired with a request for personal information or a link to click on.

    The Federal Communications Commission has a number of common sense guidelines to help individual users avoid these scams, such as installing anti-malware software and making sure the operating systems on all devices are updated to the latest version.[iv] Organizations can also secure their systems by establishing a bring-your-own-device (BYOD) policy for all employees that includes security features and limits the actions and access those devices can have, in case they fall prey to smishing or vishing.

    5. Angler phishing

    Social media has been a boon for customer service organizations, but it’s also given fraudsters another kind of phishing attack model. This kind of phishing attack uses a customer’s own social media activity as a social engineering vector to get access or personal information.

    For example, the angler notices a social media post complaining about a company’s service and intercepts the communication, responding to the disgruntled customer by email or on a social media direct message and offering to make things right. That involves the customer sharing personal information, clicking on a link or going to a website address supplied by the fraudster. As in the spear phishing attack, the lookalike site will siphon off personal information, plant malware and perform other kinds of malicious acts on the victim’s system.

    Defenses against this type of phishing attack involve being aware in social media interactions. Users need to pay close attention to telltale signs of a spoofed social media account, such as a missing blue check that shows up on verified Twitter accounts. The company being spoofed needs to safeguard its social media presence and alert customers on the same social media channels when it spots an angler phishing attack, giving customers alternatives to contact customer service.

    Training Prevents Different Forms of Phishing

    Training is the first line of defense against all kinds of phishing, to help staff stay on their guard. User testing, phishing drills and other unscheduled training that simulates an actual phishing attack can help keep users on their toes.

    Cybercriminals will continue to look for ways to break into your systems as long as the crime pays. And as new communications channels open, fraudsters won’t be far behind with different kinds of phishing attacks. The sooner your organization develops an awareness of its vulnerabilities, the better positioned it will be to counter them.

    Protect Yourself From Phishing Attacks With Mimecast

    The threat of phishing attacks is a fact of life for businesses. You may not avoid phishing attacks entirely, but you can stop most of them from being successful. With a combination of defensive tools to safeguard your systems and training to help your staff spot fraud, the likelihood that any kind of phishing can victimize your organization can be greatly reduced. 

    [i]The History of Phishing,” Verizon

    [ii] 2020 Data Breach Investigations Report, Verizon

    [iii] “Protect Yourself from Phishing Scams,” Center for Internet Security

    [iv] “Avoid the Temptation of Smishing Scams,” Federal Communications Commission


    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top