
Insights by Cathay

10 Types of Phishing Attacks & Examples

With $12.7 billion in losses in 2024 due to fraud, it’s now more important than ever that you’re aware of the various types of cybercrime and how you could fall victim. One of the most common and devastating forms of fraud is phishing. Pronounced “fishing,” it is the practice of using deceptive emails, messages, or websites to lure unsuspecting people into sharing personal information that attackers then use for financial gain.

It’s a quickly growing problem that can impact everyone, from everyday individuals to small businesses and large corporations. This article is your guide to all things phishing, including what to look out for and 10 types to be aware of. Here’s what you need to know to stay safe.

 

The Ins and Outs of Phishing Schemes

Phishing attacks are a type of cybercrime in which attackers impersonate a trustworthy entity—such as a bank, company, or even a coworker—to trick individuals into revealing sensitive information, including passwords, credit card numbers, or login credentials. These attacks are often complex and involve intense research on personnel and communication within an organization.

Here’s how it works:

  • Bait: The attacker sends a fake message (usually via email, but also SMS, social media, or calls).
  • Deception: The message looks real and creates urgency—like saying your account is locked or you’ve won a prize.
  • Trap: It often includes a link or attachment. Clicking it may either take you to a fake website that collects your login information or install malware on your device.

Like a fisherman baiting a hook with a realistic and enticing offer, hackers will send you an authentic-looking message that you may not realize is fraudulent without a closer look.

 

10 Types of Phishing Attacks You Should Be Aware Of

Phishing is an umbrella term for this type of attack, but there are countless types of schemes that you need to watch out for. So, here are 10 phishing examples that you may come across:

1. Spear Phishing

This cybercrime is one of the ways hackers steal login credentials. In a report from Barracuda that analyzed 50 billion emails, researchers found that spear phishing accounted for less than 0.1% of the emails but led to 66% of successful breaches. This type of social engineering attack is strategic and targeted, aiming at specific individuals who have access to assets that the cybercriminals want.

Most phishing scams work by setting an objective, choosing a target, researching the target, and crafting and sending the phishing message. For example, if a hacker knew they wanted to steal customer data, they would set out to steal login credentials from your small business. The message they send could be a malicious link to a fraudulent “update your password” page, which sends any credentials that victims enter to the cybercriminals.

2. Vishing

Vishing, or voice phishing, refers to fraudulent phone calls or voice messages designed to trick you into providing sensitive information for the hacker’s financial gain. However, it often doesn’t start with a phone call. Generally, victims will receive a suspicious email or text message telling them to dial a number urgently. Once the victim calls the fraudulent number, scammers will convince the target to share personal details, like their login credentials.

Oftentimes, vishing schemes target elderly individuals, new employees, and workers who get external calls as part of their job. For example, a cybercriminal may call an older woman claiming to be her grandson in need of urgent financial assistance. 

There has been a recent increase in invoice scams, such as text messages regarding tolls, payment authorizations for purchases, and fake invoices for non-existent computer services.

3. Email Phishing

Like vishing, email phishing is a way that digital thieves get your personal information, but purely through email communication. Companies and individuals are often targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization.

For example, you may receive an email from your favorite clothing store claiming that you’ve won a special discount on your next purchase, and all you have to do is input your card information. This should cause you to pause and question whether it’s a real offer, as legitimate stores don’t normally deliver offers this way.

4. HTTPS Phishing

An HTTPS phishing scam is a type of cyberattack where hackers impersonate a trusted website that uses the HTTPS protocol to trick you into providing sensitive information. Even though the site looks and acts like a normal website, the data entered there is sent directly to the malicious actors.

A dangerous example of this is when attackers replicate a bank website’s login page, deceiving people into entering their credentials, which are then captured and can be used for their financial gain. 
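The following is an added example, not part of the original article: a defender-side link check showing that an `https://` scheme says nothing about who operates a site. The trusted domain, the sample URLs, and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist: domains the user really does business with (placeholder).
TRUSTED = {"examplebank.com"}

def classify_url(url, trusted=TRUSTED, threshold=0.8):
    """Return 'trusted', 'lookalike' or 'unknown' for a link.

    The scheme is deliberately ignored: HTTPS only means the connection is
    encrypted, not that the host belongs to the organisation it imitates.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Exact match, or a true subdomain of a trusted domain.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return "trusted"
    labels = host.split(".")
    for dom in trusted:
        brand = dom.split(".")[0]
        # Trusted name embedded in an unrelated host, e.g.
        # examplebank.com.secure-login.example
        if any(brand in label for label in labels):
            return "lookalike"
        # Near-miss spelling of the last two labels (a simplification
        # that ignores multi-part public suffixes such as .co.uk).
        candidate = ".".join(labels[-2:])
        if SequenceMatcher(None, candidate, dom).ratio() >= threshold:
            return "lookalike"
    return "unknown"

# Constructed sample links; every one of them uses HTTPS.
SAMPLES = [
    "https://online.examplebank.com/login",
    "https://examplebank.com.secure-login.example/login",
    "https://examp1ebank.com/login",
    "https://news.example.net/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify_url(url):9} {url}")
```
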

5. Pharming

This type of online fraud involves the use of malicious code to direct victims to spoofed websites in an attempt to steal their credentials and data. Pharming is a two-step process that begins when an attacker installs fraudulent code on a victim’s computer or server. That code then sends that person to a fake website where they’ll be urged to input personal data.

For instance, you may unwittingly pick up malware or a virus through an email or software download, which reroutes you to a spoofed website created by the hacker. This site gives the cybercriminal access to all personal information and login credentials you may enter.

6. Pop-Up Phishing

While some pop-ups are helpful, others are rather harmful, appearing to be from legitimate organizations—warning you about security issues or account access. Oftentimes, this type of pop-up will tell you there’s a problem with your computer and provide a phone number for you to call and get help. Contacting this number generally leads to the hacker asking you to pay money for tech support or other services with a gift card, cash-reload card, or wire transfer.

7. Evil Twin Phishing

An evil twin attack takes place when a cybercriminal sets up a false Wi-Fi access point with the intention of getting users to connect to it instead of a real one. When you select this fake Wi-Fi, an attacker can access any and all data that you share with the network. An attacker can create an evil twin with any device that connects to the internet and some readily available software, making it a common type of attack—especially when people try to use public Wi-Fi.

For example, you may be at your local grocery store and attempt to connect to the company’s Wi-Fi. However, you click on an unsecured public access point that an attacker created. This digital thief can now get their hands on any of the personal information you have on your phone.

8. Water Hole Phishing

Like a group of animals going to a single watering hole, this type of cybercrime takes place when an attacker targets a specific group by infecting a website they commonly visit. While this is one of the rarest forms of phishing, it continues to have high success rates, providing access to tons of data and personal details that companies have stored on their systems.

9. Whaling

Whaling occurs when a cybercriminal pretends to be a senior executive at an organization and directly targets other senior or important individuals within a company, with the hope of stealing money or sensitive information. Also referred to as CEO fraud, these phishing tactics often use email and website spoofing to urge organization higher-ups to perform specific actions.

One way this could be done is by targeting a senior-level executive with emails that appear as if they’ve come from a CEO or finance manager. This fake CEO could ask for a large money transfer or employee payroll information.

10. Clone Phishing

Clone phishing is a type of email phishing in which an attacker copies a real email message, replaces its attachments with malicious ones, then resends it while pretending to be the original sender. These attachments can contain rootkits, ransomware, or any other form of software used to steal data.

For example, an attacker could copy a welcome email that you send to every new newsletter subscriber, one that includes attachments such as helpful blogs or templates. However, when the recipient receives this fake email, they’ll be faced with malware that gives the hacker access to their personal information and login credentials.
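The following is an added example, not part of the original article: a detection sketch that compares a suspect message with a known-good copy and reports what a clone would have changed. The addresses, file name, and message contents are constructed, and the indicator names are hypothetical labels.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

def fingerprint(raw: bytes) -> dict:
    """Reduce a raw message to the fields a clone would copy or change."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join(body.get_content().split()) if body else ""
    return {
        "domain": parseaddr(str(msg["From"] or ""))[1].lower().rpartition("@")[2],
        "subject": str(msg["Subject"] or "").strip().lower(),
        "body": hashlib.sha256(text.encode()).hexdigest(),
        "attachments": {
            part.get_filename(): hashlib.sha256(
                part.get_payload(decode=True) or b"").hexdigest()
            for part in msg.iter_attachments()
        },
    }

def clone_indicators(original: bytes, suspect: bytes) -> list:
    """List what differs when `suspect` copies the text of `original`."""
    a, b = fingerprint(original), fingerprint(suspect)
    if (a["subject"], a["body"]) != (b["subject"], b["body"]):
        return []  # not a copy of the known-good message
    findings = []
    if a["domain"] != b["domain"]:
        findings.append("sender-domain-changed")
    for name, digest in b["attachments"].items():
        if name not in a["attachments"]:
            findings.append(f"new-attachment:{name}")
        elif a["attachments"][name] != digest:
            findings.append(f"attachment-replaced:{name}")
    return findings

def sample(sender: str, payload: bytes) -> bytes:
    """Build a constructed newsletter welcome message for the demo."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "subscriber@customer.example"
    m["Subject"] = "Welcome to our newsletter"
    m.set_content("Thanks for subscribing. Your template is attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename="template.docx")
    return m.as_bytes()

ORIGINAL = sample("Shop News <news@shop.example>", b"constructed benign file")
SUSPECT = sample("Shop News <news@shop-mail.example>", b"constructed altered file")

if __name__ == "__main__":
    print(clone_indicators(ORIGINAL, SUSPECT))
```
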

 

Turn to a Trusted Financial Partner

In a time of such uncertainty when it comes to technology and fraud, it pays to have a trusted financial institution in your corner. Learn more about cybersecurity measures and how to open an account with us by connecting with a Cathay Bank team member today.

 

 

Phishing FAQs


How does a phishing attack happen?

A phishing attack typically starts with a fraudulent email, text message, or website that appears to be from a trusted source. The attacker tries to trick the recipient into clicking a malicious link or providing sensitive information like passwords or credit card numbers.

 

What is an example of phishing?

An example of phishing is receiving an email that looks like it's from your bank, asking you to verify your account by clicking a link. The link leads to a fake website that captures your login credentials when you try to sign in.

 

What are the three most common types of phishing scams?

While any type of scheme can happen to even the most unsuspecting person, the most common types of phishing tactics are:

  • Email phishing attacks
  • Spear phishing attacks
  • Whaling attacks

 

How do I know if I have been phished?

You might notice unusual activity on your accounts, such as unexpected password changes, unauthorized transactions, or login alerts from unfamiliar locations. If you suspect phishing, change your passwords immediately and report the incident to your IT or security team.

 

 


This article does not constitute legal, accounting or other professional advice. Although the information contained herein is intended to be accurate, Cathay Bank does not assume liability for loss or damage due to reliance on such information.
