There are many types of phishing attacks: your dime-a-dozen Nigerian princes, more sophisticated con artists, highly targeted spearphishers, and everyone’s favorite: the romantic catfish. We’ll talk about all these and more as we profile the many types of phish in the sea.
But first: what really counts as phishing? By the strictest definition, phishing entails a scam artist who sends deceptive emails in an attempt to get money or personal information. More broadly, a phish can use any number of digital approaches, such as text messages or dating apps, to snare their targets. We’ll focus on phishing emails to begin with, before going into some of the other attack vectors phish may take.
Nigerian Princes and Their Associates
We’ve all heard the story: a deposed Nigerian prince needs help to transfer his tremendous wealth into a new account. Specifically, you need to wire him some money. In exchange, you’ll get a huge payout.
These schemes are sometimes called Nigerian 419 scams, after Nigeria’s criminal code for these kinds of crimes. More broadly, they fit the definition of advance-fee fraud: for a small up-front payment, the scammer offers a much larger sum of money – good luck getting it.
At this point, the “Nigerian prince” angle is pretty played out. But watch out for similar stories: you might get an email from a Lebanese businessperson or an Estonian bureaucrat working to get a payout on a government contract. The song remains the same: for a relatively small down payment, you’ll get a huge chunk of change.
Why it Works
Before we pick this apart, let’s take a minute to think about how it works. All scammers appeal to our emotions, trying to override our better reasoning. A Nigerian Prince scammer promises a sum vast enough to make anyone’s eyes light up. This appeal to our admittedly very human greed might cause someone not to notice they’re being played.
Most people know better. But some people are just gullible. This basic phishing email might not work on 99% of the populace, but even at that rate, they would only have to email 100 people to land a hook. It’s a shotgun approach, not a sniper rifle, with a universal appeal, easy to copy-and-paste and send en masse.
How to Protect Yourself from Advance Fee Fraud Phishing Attacks
So how can you tell this is a scam? First, ask yourself why this person is sending you this message. You should be wary of any stranger sending you a cold email. But someone ready to trust you with millions of dollars? That should raise a big red flag.
These emails are unlikely to be personalized – they might not use your name, or show any indication they even know who you are. Any email that starts with “Hello friend” or something similar should raise an eyebrow: the person who wrote it doesn’t even know your name, and probably shouldn’t be trusted with cash or personal information.
These emails are frequently riddled with spelling errors and poor grammar. Okay, you might expect this from someone who learned English as a second language. But if you were potentially moving millions of dollars around, you would at least have someone proofread your email.
Crucially, take a look at who’s sending the email, and what domain they’re sending from. Would a wealthy businessperson or government bureaucrat be using a gmail.com email address? I don’t think so. Even if they have a custom domain, that doesn’t mean they’re legitimate, especially if you’ve never heard of the organization they claim to be a part of. Make sure you look closely, too, as it’s easy enough to secure a domain that looks trustworthy, even if it isn’t.
I would recommend you avoid visiting their website entirely. But if you really want to see it for yourself, make absolutely sure you don’t download anything or input any passwords or personal information. If a stranger emails you out of the blue, you should start by assuming they’re a scammer and proceed accordingly.
Advanced Impersonators
These con artists are a step up from the Nigerian princes and their ilk. Instead of sending poorly crafted emails riddled with typos and red flags, these scammers impersonate trustworthy companies and institutions. And they have some formidable tricks up their sleeve:
- Email spoofing: The phisher uses clever HTML and other tools to make their email look as official as possible. Done right, the scammer can make their email look just like the real deal.
- Clone websites: The phisher makes a fake version of a legitimate website. Like a spoofed email, a clone website can look exactly like the real thing. Peer closely at the URL to spot the difference – one letter means a completely different website.
You might think a different URL would be obvious, but you might be surprised. If you’re not looking, you might never notice. When I worked at Fit Small Business, a scammer cloned our website under the URL fltsmallbusiness.com instead of fitsmallbusiness.com. See the difference? If you’re not looking for it, it’s easy to miss a few out-of-place pixels. It took multiple team members huddled around the webpage for us to figure out that someone had cloned our website, rather than hacking us and creating a page on our real domain.
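One way to turn “peer closely at the URL” into a routine check is to compare every sender or link domain against the domains you actually trust and flag anything one character, one look-alike swap, or one buried subdomain away. This is an added example, not code from the article or from Fit Small Business; the trusted list and the sample addresses are constructed, and the “last two labels” rule is a simplification that ignores suffixes such as co.uk.

```python
from urllib.parse import urlparse

# Constructed trust list for this example; a real deployment would load
# the organization's own domains instead.
TRUSTED_DOMAINS = {"fitsmallbusiness.com", "paypal.com", "netflix.com"}

# Swaps that are hard to see at a glance: rn vs m, vv vs w, 0 vs o, 1 vs l,
# and a hyphen dropped into a familiar name.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")]


def hostname_of(sender_or_url: str) -> str:
    """Pull the host out of a bare email address or a link, lower-cased."""
    text = sender_or_url.strip().lower()
    if "@" in text and "://" not in text:
        return text.rsplit("@", 1)[1]
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable(host: str) -> str:
    """Last two labels of the host (assumption: no multi-part suffixes)."""
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Collapse look-alike character tricks before comparing names."""
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_or_url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    host = hostname_of(sender_or_url)
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # paypal.com.secure-login.net: a trusted name buried in a subdomain
        if host.startswith(trusted + "."):
            return f"lookalike of {trusted}"
        # fltsmallbusiness.com: one character off, or a confusable swap
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://fltsmallbusiness.com/careers", "security@paypa1.com"):
        print(sample, "->", classify(sample))
```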
Typically, these scammers aren’t just looking to make a quick buck. Rather than ask you to wire them money up front, they’re after your passwords and personally identifiable information. If they con you into typing in your password on their fake website, they now know your login info. Hopefully you don’t use the same password across 30 different websites. With your personally identifiable information, they may pull an even more frightening identity theft.
Why It Works
So why do these impersonator phish work? Compared to the Nigerian princes, it’s easy to see how these clever tricksters can fool someone, playing on the trust we have for established institutions. They play off other emotions as well. Most of the time, they’ll leverage fear: you would hate to lose access to your bank account, or – god forbid – your Netflix.
This combination of fear and trust is a potent one, and by exploiting both, a clever scammer can break through your defenses before the thought crosses your head that you’re not looking at the real thing. Before you know it, you’ve crossed over to their clone website and put in your login and password.
Sometimes these phishers will attempt a longer con than a quick password grab. In the “fltsmallbusiness.com” example I mentioned above, the scammers were giving out fake job offers in an attempt to steal people’s personal info. Scary stuff.
How to Protect Yourself from Advanced Impersonators
Look closely at the email address of everyone who sends you an email. I can’t emphasize this enough: the best way to check if someone is who they say they are is to carefully check the domain they’re emailing you from.
And don’t click through to any links. If you get an email from your bank or any other organization about a problem with your account, type the URL directly into the search bar. By going there on your own, you cut down the chance that some fraudster will lead you to a fake website and steal your passwords or personal information.
If an organization contacts you that you’ve never heard of, make sure you do a little research on your own. There are plenty of great small businesses and local nonprofits out there. But a legit operation will have some kind of digital footprint: not just their own website, but places like Yelp, Google Maps, or press outlets talking about the work they do. If nothing comes up for the company, you should be very wary.
Desperate Grandkids
Sometimes, a phisher opts not to impersonate a financial institution, but instead pretends to be a family member or loved one at risk of danger. In a classic example, they’ll pretend to be a grandkid who’s been arrested and needs grandma’s help to get out of jail. It can also be a medical crisis, trouble abroad, or any other reason they would need money to bail them out of a tough spot.
This is one of the older schemes on this list: proving that there really is nothing new under the sun, the protagonist of Ernest Hemingway’s The Sun Also Rises pulls this scheme multiple times on his own grandparents when he runs short on money in Italy.
Why it Works
This type of phish exploits both fear and compassion – a powerful emotional play to override a family member’s reasoning. Many parents and grandparents wouldn’t think twice to help a loved one who’s in trouble. And that’s exactly the kind of emotional hook these scammers love to exploit.
How to Protect Yourself from “Desperate Grandkids” Phishing Attacks
The best way to guard against these fraudsters is to pay close attention to the email address. Take a minute to see if you’ve received an email from this particular address before. If you haven’t, that’s a big red flag.
You can follow up by calling another close relative of the person in question. In the case of a grandkid, for instance, you might try their mom or dad.
No matter what, do not forward the email – if you do so, you’re just passing the phish along to someone else. Even with a warning attached, many people will still fall for the phisher’s trap. The emotional appeal is a potent one, and a parent concerned about their child might read right past any warning you include.
Spearphishing: Personalized Attacks
A Spearphish is a sophisticated, targeted type of phish that relies on heavy personalization. Where the Nigerian Prince takes a shotgun approach, spamming his low-effort email to anyone in sight, the Spearphish takes a sniper approach, carefully picking high value targets and aiming with precision.
A Spearphish can go after anyone, but they tend to target organizations more often than individuals.
Because they lean on personalization, the spearphish relies heavily on research. They start by finding out as much as they can about the target: where they live, where they work, their interests and hobbies, what their family life is like – anything that could help them deceive their target.
Sometimes, a prospective spearphish might even find everything they need through research, and won’t even need to email their victim to steal their identity. This is bad news, by the way, as they’re stealing your identity regardless. And they might opt to blackmail you instead if they discover the wrong thing!
How It Works
It’s easy enough to dismiss a Nigerian prince – why the hell would they be emailing me? The spearphish is the opposite. By finding out as much as they can about you, they can send you exactly the kind of email you would expect to receive normally. The more personalized the email, the harder it is to spot.
How to Protect Yourself from Spearphishing Attacks
The best way to ward off spearphish is to carefully protect any personal information. Wherever possible, limit who can view your social media accounts to people you know. Don’t accept friend requests from people you don’t know. And don’t fill in all your personal info on Facebook or other websites. You don’t need to post your hometown, address, work, or other details to stay connected with people on Facebook. Don’t make scammers’ jobs easier for them.
And take a minute – better yet, an hour – to Google yourself thoroughly to see what information is out there. Where possible, try to get anything personally identifiable removed from the web. You don’t want to make these scammers’ work any easier for them.
Spearphishing Attacks Against Organizations
Organizations are particularly vulnerable to spearphishing attacks. Once a spearphisher snags the right login credentials, they can send emails as that person – making them that much harder to spot. At that point, you can’t trust anyone.
You should be wary of any email that asks you to hand off a password or personal information, or that leads you to a login page. If a coworker asks you for a given login via email, you should tell them in person or over the phone.
Whale Phishing
Whale phishing is a subset of spearphishing, whereby the scammer specifically targets executives and other high value targets at an organization. This is the highest level of phishing, and it’s usually part of a concerted attack to infiltrate an organization.
Why it Works
Whale phishing attacks are concerted efforts. They’re after high value targets, and they’ll throw any trick they can muster. Alongside email spoofing and clone websites, they aren’t afraid to use pure brute force, going after everyone in an organization until they find an opening.
How to Protect Your Company from Whale Phishing Attacks
The best way to stave off whale phishing is through cybersecurity and training at all levels. If anyone slips, a phish has slipped inside the organization. Whatever you do, don’t exempt executives from your cybersecurity program: they’re the biggest targets the whale phishers are trying to snag.
One more thing that can dramatically reduce the power of phishing attacks: two factor authentication. By requiring people to log in with a phone code as well as a password, you effectively stop phish in their tracks. It’s annoying, sure, but it’s one of the best ways to stop phishing attacks.
Spyphishing: Political and Government Organizations
Most cybersecurity attacks are aimed at individuals or corporations. But the most devious attacks are often aimed at political and government organizations.
The DNC hack of 2016 provides a case study of why organizations need a strong cybersecurity program. In this case, campaign chairman John Podesta forwarded a suspect email to an aide, who mistakenly replied that “This is a legitimate email.” Podesta promptly changed his password via the email, compromising his account and the DNC.
By then, DNC officials knew they were being targeted. The spyphishers exploited that awareness, crafting a spoofed email that looked just like a real warning that their account had been compromised. Very meta, and very clever.
Why It Works
Just like for whale phishing, spyphishers are very pernicious and will use every tactic at hand. One weak link in the organization can give them broad access and the ability to impersonate individuals within an organization.
How to Protect Yourself from Spyphishing Attacks
Assuming you’re a government or political organization, I sincerely hope you’re already being as diligent as possible when it comes to cybersecurity. One weak link can compromise an organization, so you’ll need to have a robust training regimen in place, as well as safeguards such as two-factor authentication.
The next set of attacks doesn’t fit the strictest definition of phishing, which would limit phishing to attacks deployed via email. But they deploy the same method – impersonation and deception – to achieve the same goals, whether they’re exploiting email, social media, or yes, dating apps.
Anglerphish: Social Media Scammers
The Anglerphish finds its prey on social media. These scammers usually pose as customer service accounts for big companies, and go after people complaining about a product or service. When someone takes to Twitter to complain, the anglerphish replies as though they represent the company, and then switches over to direct messages so they can gather your credit card number or other info and make a quick buck.
Why It Works
The anglerphish preys on frustration, and offers a solution to a customer’s issue. Their targets have probably tried other ways to get help before they took to social media. For the most part, these targets are not out to raise hell for a company – although they’re more than willing to do so – but instead just want to solve their issue.
Along comes the anglerphish, ready to offer exactly what they’re looking for. Often enough, their targets are so eager to find a solution they won’t think twice before handing over their credit card number.
How to Protect Yourself from Anglerphishing Attacks
This kind of scenario is exactly why Twitter and Facebook implemented the blue check system: if someone proves they are who they say they are, they can get verified. With it comes the blue check next to their name, which affirms they are the real deal.
This system isn’t foolproof. A verified account can change their handle and impersonate somebody else, keeping the blue check until the social media service figures out what’s up. And real accounts can always get hacked – remember this one?
Honestly, you’re better off never to share information like your credit card or address over social media. If you are chatting with customer service, it’s okay to give out an order number, but I wouldn’t give out other info. Is it really worth putting your credit card number on social media to try to get a refund? Probably not.
Catfish: Romantic & Sexual Scammers
A catfisher exploits sexual or romantic interests, typically by pretending to be someone they’re not on a dating app or service. Catfish take two main approaches:
- The quick password grab: a catfish will make a fake account on a dating app, match with other users and ask them to sign up for another service. That second service will likely be a password grab or a paid service that’s unlikely to get you anywhere worthwhile.
- The longer con: some catfish build up trust over days or weeks before they ask for money for travel or assistance.
Why Catfishing Works
Love and lust are some of the most powerful emotions a scam artist can attempt to exploit. If you’re on a dating app, you’re looking to connect with people. And sometimes people will do foolish things for the sake of love, even if they’re just crushing on someone they’ve never met.
How to Protect Yourself from Catfishing
First of all, don’t sign up for any random website someone asks you to go on. It’s pretty common to move a dating app conversation over to text messaging or social media. If someone wants you to sign up for some random website you’ve never heard of? That’s a no from me, boss.
The longer con can be tough. Even if you don’t hand over your money, talking to someone for weeks only to discover they’re a scammer is going to hurt. All the more reason to meet someone in person sooner rather than later. I’m not saying you should ask for a date in the first message, but if you’ve been chatting with someone for a few days, don’t be shy! Ask them out.
Vishing: aka Voice Phishing or Phone Phishing
Phone scammers have been around far longer than email phishing has. But if phishing includes any scam artist who pretends to be someone they’re not, phone scams can be seen as a type of phishing. Hence voice phishing, or “vishing”.
The visher often uses voice over IP (VoIP) technology to call hundreds of people via automated messages. They might say your bank account is compromised, impersonate the IRS, or offer a bogus investment deal, akin to the Nigerian 419 scammers we outlined at the top of the article.
Vishers have their own tricks and tools. They’ll often fake a caller ID to appear more official. Some scammers vish in conjunction with email, sending a phish email and then following up with a phone call to seem more official.
Why Vishing Works
Many vish prey on fear. A compromised bank account or trouble with the IRS are both scary enough scenarios that you’ll want to act immediately. Other vish prey on greed, promising big returns on an investment. Phone calls can sometimes feel more urgent than emails. But if someone calls you out of the blue, you shouldn’t assume they are who they say they are.
How to Prevent Vishing
Never give out any kind of personal info to a cold caller, even if they say they’re your bank or the IRS. Hang up and check for yourself: go to your bank’s website, or call the bank or the IRS at their official phone numbers. If you place the phone call to the official number, you’ll know you’re talking to the real thing.
Smishing: SMS Phishing
Smishing entails phishing via text messages, aka SMS. Smishing messages typically pretend to be an automated message from a legitimate company. They’ll pose a threat, like credit card fraud, or offer an opportunity, like a contest win. Rather than try to get your personal info over text, they’ll redirect you to a clone website and ask you to input your credentials.
Why Smishing Works
Just like an email phish, smishers prey on your emotions. Because text messages are just text, with no formatting or graphics to worry about, it’s easy enough to copy the exact message a legitimate organization would send.
How to Protect Yourself from Smishing
The best way to avoid getting smished is to just not open any links in text messages, especially if they come from a number you don’t know personally. If you do open a link, be careful not to input any passwords or personal information. And if you’re worried about your bank account, you can look up and call your bank directly to make sure there’s nothing wrong.
The Bottom Line
There’s no end to the dirty tricks scammers will try to snag money or personal information. Though many of these types of phishing attacks come from old playbooks, con artists continue to adapt them to new technologies.
Across the board, the best way to avoid getting phished is to stay on guard, especially when it comes to clicking on links or divulging any kind of passwords or personal information online. In particular, keep a careful eye on who the sender is – remember, not everyone online is who they say they are.
Stay aware and stay safe.