There are many types of phishing.
How many times have we received an e-mail or text message of this type: “Congratulations, you have won the new iPhone, click here to find out how to collect it”, inviting us to click on a link? It is also common to receive e-mails apparently from one’s bank that, reporting registration or other problems, invite the recipient to provide their access data or change the PIN code of their card.
These are real scams known as phishing, carried out through particular methods and aimed at specific targets. Phishing is the activity of a malicious user (the phisher) who, through technological means and social engineering techniques, attempts to deceive a target user in order to steal data and information, obtain unjustified payments, and/or install viruses and malware.
Defending against this type of scam requires knowing and recognizing the different types of phishing, as well as equipping oneself with appropriate prevention tools and being aware of the remedies that can be used.
The different types of phishing
The existing types of phishing are many:
| Means | Description |
|---|---|
| E-mail | This is the most common phishing tool. Obtaining the recipient’s e-mail address is, in fact, quite easy (think of how often each of us uses it to register on websites and applications). It is accompanied by a link or malicious attachments. |
| SMS | In this case, it is called SMishing. This is an increasingly frequent type of phishing, given everyone’s continued use of and familiarity with their phone. It is accompanied by a link. |
| Website | It is a tool often used in combination with others (reachable through a link in an e-mail or text message), but there are also websites on specially registered look-alike domains created to confuse web users directly. A form to enter credentials is usually present, and directions and tools for making payments are often included. It may contain malware and self-executing code. |
| Phone calls | The call allows the malicious user to simulate the existence of a call center and steal personal or other confidential information. |
| QR code | It is a tool that has spread rapidly in recent years and, for this reason, is increasingly used by malicious users. The nature of the QR code has several advantages for the phisher: there is no way to know which site you will end up on before you scan the QR code with your smartphone. Typically, fake QR codes are placed in parking areas, inviting the user to scan the code to pay for parking through a specially created (fake) site. |
Moreover, one must consider the different techniques used by the phisher to deceive the recipient. Each technique involves different strategies and methods that increase or decrease the risk of being deceived.
| Technique | Mode | Examples | Risk |
|---|---|---|---|
| Spear phishing: the phisher pretends to be an entity known to the recipient. The attack is direct and designed for a single recipient or a specific group of recipients. Spear phishing is also referred to as “whaling” when the recipients are high- or very-high-profile individuals with a high degree of access or resources. | Usually, this technique is used in e-mail phishing. The malicious user: | The phisher usually pretends to be: Typically, the phisher’s message is justified by a technical or registration problem such that, for example, the bank requires you to enter your credentials or provide your credit card PIN. | High |
| Clone phishing: the malicious user creates a nearly identical copy of a legitimate message already received by the recipient and sends it again, including malicious elements. The attack is specific to a single recipient. | The malicious user: | Typically, the phisher modifies links and attachments by claiming that they are an updated version, thus hiding malicious tools. Alternatively, the phisher may insert himself into an established relationship (e.g., between a superior and an employee, regarding frequent payment orders) by supplying different bank details. | High / Very high |
| Routine activity phishing: the malicious attacker asks the recipient to perform an activity (typically a payment) that the recipient is accustomed to doing. The phisher does not necessarily know the recipients. | This technique can exploit different means and combines additional techniques. The phisher: | An example is the technique of paying for parking via a QR code that leads to a fictitious site. Alternatively, the phisher can pretend to be an institutional entity (e.g., a message from the (fake) Ministry of Health informing the recipient of the suspension of their “green pass”) or an entity offering recurring services asking for confirmations and payments. | Medium / High |
| Prize & package phishing: the malicious user informs the recipient that the latter is entitled to obtain something. The attack is general and impersonal; typically the phisher does not know the recipients. | The malicious user: | Very frequently, the phisher sends e-mails informing the recipient that he or she has won a prize that can be collected, upon confirmation of identity, by clicking on a specific link. Often, messages are sent from (fake) shipping companies indicating that the recipient needs to pick up a package, confirming their willingness to proceed via a specific link. | Medium / Low |
The last element of phishing is the target of the malicious user: the phisher may want to obtain certain information or require certain behaviors from the recipient. Depending on what the malicious user wants to obtain, he will act and set up the scam differently.