NuHarbor Security Blog
October 12, 2021

Don’t Get Hooked! How to Identify Common Types of Phishing Attacks

Justin Fimlaid

Phishing attacks can affect both individuals and organizations and are among the most common methods hackers use to attack accounts and networks. Over the years, they have become more sophisticated and challenging to detect. According to Verizon, in 2020, 22% of data breaches involved phishing. While attacks already occur regularly, there tends to be an increase during times of crisis. The COVID-19 pandemic brought a unique and unprecedented opportunity for attackers to mimic official sources such as expert organizations and government officials. To prevent falling victim to an attack, users can educate themselves on the different types of phishing attacks.

What Is Phishing?

Phishing attacks are a method of social engineering that often comes in the form of a spoofed email or website. The attacker mimics a trustworthy website (e.g., a bank) and then sends an email appearing to be from a reputable source with links that redirect the unsuspecting user to the spoofed website. Although this generally defines phishing, there are multiple types of phishing attacks, and each has its own indicators and countermeasures.

Email Phishing

Email phishing is one of the most well-known attacks that threat actors use. Attackers will create an email impersonating someone the user trusts or knows to be a reputable source. They'll include a link or download that is malicious with the intent of gaining user credentials or infecting their system. These emails usually include some message of urgency that prompts the victim into taking action.

Email Phishing Indicators

Given the frequency of email phishing attacks, the security industry has formulated easy ways to prevent getting hooked. Any email that prompts a user to click on a link or download a file should be mentally marked as suspicious. Following this rule of thumb, the user should confirm the identity of the sender before proceeding any further. If the sender is who they claim to be and they are, indeed, reputable, the user can continue with their download or link. But if they're not, the user should cease interaction with the email because a threat actor may be attempting to phish their credentials.

These steps are a great way to protect an individual with a personal account. However, most phishing attacks are aimed at organizations due to the increased volume of information and access they have compared to a single user. To protect and monitor an entire business against email phishing, NuHarbor partners with Proofpoint to provide high-quality email security and protection services. Their extensible email security platform blocks malware and non-malware email threats (i.e., types of phishing). Talk to one of our experts to learn more about how to protect your organization.

Spear Phishing

There are many similarities between email phishing and spear phishing, but the main difference is the target. Spear phishing is designed to target one specific person, meaning that an attacker needs to formulate an email to exploit a particular victim’s trust. This method of phishing relies heavily on open-source intelligence gathering (OSINT) because of how much information the threat actor may need to know. Another unique detail of spear phishing is that the email will appear to be from someone inside the target’s organization.

Spear Phishing Indicators

Although identifying an email from a spear phishing attempt can be more difficult, knowing what to look for can increase the odds that a victim’s credentials won’t be compromised. When receiving emails from internal sources at work, watch out for any abnormal requests from co-workers. If a user isn’t sure whether a request is legitimate, they should send a separate email to a known email address of the co-worker. To protect themselves, users should also be wary of password-protected documents and shared drives, both of which can steal credentials or infect a user’s system.
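For teams that want to automate a first pass over reported mail, the email and spear phishing indicators above can be expressed as a small triage check. This is an added example, not NuHarbor or Proofpoint code; the co-worker directory, the urgency word list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for illustration only: known co-worker addresses and urgency wording.
KNOWN_SENDERS = {"dana reyes": "dana.reyes@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|final notice)\b", re.I)
LINK = re.compile(r"https?://[^\s<>\"']+", re.I)

def triage(raw: str) -> list[str]:
    """Return which of the article's indicators a raw email message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    text, attachment = [msg.get("Subject", "")], False
    for part in msg.walk():
        if part.get_filename():                      # a file the user is asked to open
            attachment = True
        elif part.get_content_maintype() == "text":  # skips multipart containers
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text)
    known = KNOWN_SENDERS.get(name.strip().lower())
    checks = {
        # A trusted display name arriving from an address other than the known one.
        "sender-mismatch": bool(known) and addr.lower() != known,
        "urgency": bool(URGENCY.search(body)),
        "link": bool(LINK.search(body)),
        "attachment": attachment,
    }
    return [label for label, hit in checks.items() if hit]

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Dana Reyes" <dana.reyes@mail.invalid>
Subject: Urgent: review the shared document
Content-Type: multipart/mixed; boundary="b1"

--b1

Please open https://files.invalid/doc immediately and sign in.
--b1
Content-Disposition: attachment; filename="invoice.zip"

(constructed placeholder content)
--b1--
"""
BENIGN = 'From: "Dana Reyes" <dana.reyes@example.com>\nSubject: Lunch\n\nSee you at noon.\n'

if __name__ == "__main__":
    print(triage(SUSPICIOUS), triage(BENIGN))
```

A non-empty result means the message should be verified with the sender through a separate, known channel before any link or file is opened.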

Whaling

An even more specific version of spear phishing is whaling. It can potentially be more dangerous because it targets executives and people with power within an organization. However, whaling can be identified by the same indicators as spear phishing, so education and training are similar. To avoid whaling, CEOs and executives must be just as diligent as their employees when it comes to email security practices.

Vishing

Phishing doesn’t have to occur specifically in email; it can take place over the phone as well. Voice phishing, or vishing, is another type of phishing that a threat actor can use to compromise a victim’s credentials. A common vishing attack that takes place around tax season every year is widespread fake IRS calls. While these calls may seem legitimate, there are some telltale signs they are not.

Vishing Indicators

Indicators for vishing can vary, but the threat actor will always have an end goal. If information or action is requested from an unfamiliar number, even if the caller claims to be from a reputable source, it should not be provided. Users can expect these calls around an event or time of the year where people may be panicked or need more information, such as tax season or a presidential election. Finally, when the target of a vishing attack receives a call, the threat actor may induce a false sense of urgency, which is the primary instigator for successful credential theft.

Smishing

Vishing isn’t the only type of phishing that occurs on mobile devices. SMS phishing, or smishing, is the practice of phishing through text messages. Chances are, you’ve been on the receiving end of a smishing attack, as the messages are traditionally sent out in bulk to numbers found in a data breach. Smishing attacks utilize the same techniques as other phishing attacks; however, users on the receiving end shouldn’t respond in any way, or even open the message, if possible. This might deter the attacker by making them think the number isn’t active and that another attack would be a waste of resources.

Angler Phishing

Another type of phishing that utilizes mobile devices is angler phishing. Focusing specifically on social media, angler phishing preys on unsuspecting users by driving them to open direct messages and attachments from friends. While people think that social media is safe, these phishing attempts can steal credentials, and attackers can then post on a user's behalf, spreading the phish to even more people. Social media users should stay diligent when receiving messages and notifications to keep their social media profile secure.

Don’t Bite!

While phishing attacks can vary in their medium, targets, and techniques, they can all be stopped with similar practices. Users can improve their cyber hygiene and protect themselves by being mindful of the links they open and who sent them. However, the average consumer isn’t the only target for phishing attacks; businesses are just as susceptible. If your organization is looking for assistance in dealing with phishing attacks and tightening up cybersecurity, talk with one of our experts today.

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
