
7 Dangerous Phishing Attacks Everyone Needs to Know

Phan Van Hoa 16:27

In the digital age, cyber attacks are becoming more sophisticated and diverse than ever. One of the most common and dangerous forms of attack is online fraud. This article will introduce 7 of the most dangerous types of phishing attacks that everyone needs to know to protect themselves and their assets.

The FBI estimates that Americans lost $12.5 billion to email scams in 2023. You may think you know how to spot and avoid scam emails, but it’s not that simple.

Illustration photo.

Malicious emails are just one part of a growing list of phishing attacks that cybercriminals are increasingly using to steal money, exploit personal information, steal identities and cause harm to both individuals and businesses.

Here are the 7 most common and dangerous types of phishing attacks that cybercriminals often use to attack users.

1. Email scams

Email fraud (or Email Phishing) is a form of cyberattack in which cybercriminals send fake emails to trick recipients into taking actions that benefit them, such as providing sensitive information, clicking on malicious links, or downloading malware. These emails are often designed to look like they come from a trusted organization or individual, such as a bank, large company, or government agency.

Email fraud is a common form of fraud today. Photo: Internet

Initially, online scams were simply understood as attempts to steal sensitive information or money through email. This is not surprising, as email is one of the first attack channels that cybercriminals exploit to deceive users.

Despite their age, phishing emails remain one of the most common forms of fraud today. With an estimated 3.4 billion emails sent every day, they are not only costly, but also the most reported form of cybercrime.

Phishing emails used to be easy to spot because of their awkward grammar and odd wording, which quickly led to them being suspected of being fake. However, that has changed with the advent of AI technology like ChatGPT. This tool has become a "powerhouse" for hackers, allowing even non-English speakers to create fluent, professional-looking phishing emails that are sophisticated enough to fool almost anyone.

If you have any doubts about the authenticity of an email, take the initiative to contact the company in question directly, but never reply to the email in question. More importantly, in any case, if you are not completely sure about the credibility of the email, avoid clicking on any links or downloading any attachments. This action can be the key to protecting yourself from cyberattacks.

2. Text message scams

Text message (SMS) fraud (also known as SMS Phishing or Smishing) is a form of fraud that occurs via text messages or messaging applications such as WhatsApp, Messenger. Like email fraud, the goal of smishing is to trick users into providing personal or financial information, or taking actions that benefit the scammer, such as clicking on a malicious link or downloading malware.

Most people are used to checking their messages within 5 minutes of receiving them, as text messages are often seen as a more personal and trustworthy means of communication than email. We often receive messages from friends, family, or companies we trust, making them easy to pay attention to and respond to quickly.

Smishing is similar to email phishing, but instead of appearing in your inbox, it's done via SMS text messages. You may have received a fake text message from "Amazon" telling you that an order is on its way, even though you never ordered anything.

Or maybe you get a text message from a “stranger” who claims to have sent it to the wrong number but deliberately prolongs the conversation with you. These situations are all attempts by cybercriminals to get you to click on a link that contains malware, or to manipulate you so that they can steal your money and personal information.

Pig Butchering is an increasingly common, sophisticated form of smishing attack in which a scammer patiently “nurtures” a victim like a pig, gradually building trust and convincing them to invest money in something (often a fake cryptocurrency exchange), in order to eventually take all of their assets.

3. Social media phishing scams

A social media phishing scam (or Angler Phishing) is a form of cyber attack in which cybercriminals impersonate customer support accounts on social networks such as Facebook, Zalo, etc. to scam victims. Attackers create fake websites or accounts, impersonating famous brands or reputable customer services, in order to trick users into trusting them and handing over personal information, accounts or money.

We often share a lot of personal information on social networks with the desire to connect and share with everyone. However, this information becomes a tool for scammers, helping them create sophisticated and personalized phishing attacks, to scam users more effectively.

Attackers will scan your social media profiles to learn what products and services you use, and then impersonate customer service representatives from companies you trust.

They will then ask you to provide sensitive information, send malicious links, or take you to fake websites to steal passwords and other important data, which can then be used to hack into your accounts.

4. Phone scams

Phone scams (also known as Vishing or Voice Phishing) are a form of telephone fraud in which an attacker impersonates a trustworthy organization or individual in order to trick the recipient into providing personal or financial information or taking actions that benefit the scammer. The word vishing combines "voice" and "phishing": the attack uses a voice call instead of email or text messages.

Recently, many people have received a call from someone claiming to be a bank employee, with a confident and friendly tone. The caller says that a suspicious transaction has just been made on their card and that the bank needs to verify their identity. The first thing the scammer does is ask the user to provide their citizen identification number and other important information about the bank card.

This vishing attack has all the elements needed to be a successful social engineering attack. The scammers emphasize that time is of the essence, making the victim feel anxious and almost willing to give up sensitive information. Furthermore, they pretend to be an authority, creating the feeling that their request for information from the victim is completely reasonable and necessary.

5. Targeted online scams

Spear phishing is a highly sophisticated and personalized form of online fraud. Unlike traditional phishing, where an attacker sends thousands of random fake emails, spear phishing is specifically targeted at an individual or organization. The attacker will gather detailed information about the target, such as their interests, work relationships, or other personal data, to create a spoofed email that appears very plausible and trustworthy.

Spear phishing is a much more sophisticated and personal attack. Imagine if you received an email containing your name and sensitive information. Obviously, you would be more inclined to open that email with a higher degree of trust, because it looks so legitimate and trustworthy.

Spear phishing attacks are not targeted at ordinary people; instead, they are often directed at targets that the hackers deem to be of high value. A hacker may be willing to invest time and resources to gather detailed information about their target, in order to create carefully personalized and convincing malicious emails.

A sophisticated variation of the spear phishing attack is “whaling,” which typically targets higher-value targets, such as CEOs and general managers, with the aim of obtaining sensitive information from them.

6. Watering hole scam

The term "watering hole" is borrowed from hunting behavior in nature, where predators lie in ambush at water sources frequented by their prey.

In cybersecurity, it describes a form of attack in which an attacker infiltrates a website or online service that the target frequently uses. The attacker takes advantage of the user's trust in this legitimate website to infect the user with malware or steal personal information when the user visits.

Watering hole scams occur when an attacker compromises a legitimate website and exploits vulnerabilities to install malicious code, such as HTML or JavaScript code. The attacker can take control of the entire website or modify just a part of it to redirect users to a fake page.

When users initially trust the website, they tend to click on links and provide sensitive information, such as credit card numbers, national ID numbers, or login credentials, thereby creating opportunities for attackers to hijack the data.

7. Fraud through fake websites

Website Spoofing is a form of cyberattack in which an attacker creates a fake website that looks and functions almost identical to a legitimate website. The goal of this behavior is to trick users into believing that they are visiting the real website, thereby stealing sensitive information such as passwords, credit card numbers, or other personal information.

Have you ever tried to access Amazon.com and accidentally typed Amazonn.com? Even if the website you see looks and feels exactly like Amazon, it could actually be a fake site owned and operated by a scammer.

This is a form of attack called URL hijacking, where cybercriminals buy domains that are very similar to popular websites. They design these websites to look like the real thing, but the real purpose is to collect your sensitive information, such as passwords, credit card information, or personal data.
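As an added illustration (not part of the original article), the following Python sketch shows how a mail filter or browser helper could flag a look-alike domain such as Amazonn.com by measuring its edit distance to a short list of trusted domains. The TRUSTED list, the function names and the "last two labels" shortcut are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption: the domains this user or organisation really uses.
TRUSTED = ("amazon.com", "paypal.com", "google.com")

def edit_distance(a: str, b: str) -> int:
    """Edits needed to turn a into b: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters typed in the wrong order count as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def registrable(host: str) -> str:
    # Simplification: keep the last two labels. Production code should
    # consult the Public Suffix List (e.g. for names ending in .co.uk).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(url: str, trusted=TRUSTED, max_dist: int = 1):
    """Return the trusted domain that `url` imitates, or None if it looks fine."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    domain = registrable(host)
    if domain in trusted:
        return None  # the real site, or one of its subdomains
    for good in trusted:
        if edit_distance(domain, good) <= max_dist:
            return good  # one typo away from a trusted name
    return None

if __name__ == "__main__":
    # Constructed sample URLs, including the article's Amazonn.com example.
    for u in ("Amazonn.com", "https://www.amazon.com/gp/cart",
              "http://amzaon.com/signin", "https://example.org/"):
        print(u, "->", lookalike_of(u))
```
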

Although phishing attacks are becoming more sophisticated and harder to detect, you can still protect yourself by staying vigilant. Never click on a link or provide sensitive information unless you have thoroughly verified that the person you are communicating with is actually a representative of a trusted company.

Phan Van Hoa