Phishing Attacks 101: Types of Phishing Attacks and How to Prevent Them

Anmol Kumar
Published on
February 25, 2021


Phishing is a form of social engineering cyber attack that attempts to steal sensitive or valuable information from the victim. Phishing attacks are quite effective because the attacker masquerades as a trusted entity via emails or SMSes, the content of which is designed to trick the victim. These text messages and emails almost always carry malicious links that redirect the recipient to malicious sites, which then install malware or ransomware, or get the recipient to reveal sensitive data.

Essentially, the primary objective of phishing scams is to gain sensitive, confidential information like login credentials, financial information, etc.

Phishing attacks give attackers a foothold in corporate or government networks to help them advance large-scale attacks. For instance, when hackers target large corporations and organizations, their employees are deceived and compromised. This allows the attackers to bypass the organization's security measures and distribute malware across the whole network. Such organizations experience a data breach, which may then lead to financial and reputational loss.

Here’s an instance of a phishing email:

[Image: phishing email]

Types of Phishing Attacks

Email Phishing 

The most common form of phishing attack is the email scam. The attacker disguises themselves as a trusted authority and even goes the extra mile of registering a fake domain that resembles that of a genuine organization. They then send hundreds or even thousands of generic requests.

Domain names are usually spoofed with the help of look-alike characters or words and letters. For example, the letters ‘r’ and ‘n’ put together (‘rn’) resemble an ‘m’, and ‘0’ (zero) can be used instead of ‘o’.

To avoid falling for such phishing attacks, one should be wary of the emails they receive. They should carefully analyse the sender’s email address before clicking on any suspicious link embedded in the email or opening an attachment. 
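The sender-address check described above can be partly automated. The following is an added example, not code from the original article: the trusted-domain list is constructed, and the extra substitutions ('vv', '1') and the punycode check are assumptions that go beyond the two substitutions the article names.

```python
from email.utils import parseaddr

# Assumption: domains the organisation actually sends mail from (constructed).
TRUSTED_DOMAINS = {"example.com", "modern-bank.example"}

# Substitutions the article names ('rn' for 'm', '0' for 'o') plus two
# other common ones added here.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'non-ascii' or 'unknown'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Punycode or raw non-ASCII labels can hide characters from other scripts.
    labels = domain.split(".")
    if not domain.isascii() or any(label.startswith("xn--") for label in labels):
        return "non-ascii"
    # Compare skeletons on both sides so 'modem' and 'modern' also collide.
    trusted_skeletons = {skeleton(t) for t in TRUSTED_DOMAINS}
    if skeleton(domain) in trusted_skeletons:
        return "lookalike"
    return "unknown"
```

A mail gateway or triage script could quarantine anything classified as 'lookalike' or 'non-ascii' for manual review; 'unknown' only means the domain is neither trusted nor a near match.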

Spear Phishing 

Spear phishing attacks are similar to email phishing, in that the actor, disguised as a trusted entity, attempts to trick the user into clicking on a malicious link or an attachment to steal sensitive information. However, spear phishing emails are highly targeted at certain individuals or organizations. The actors pose as a senior employee, a colleague or a business partner to send personalized emails with malicious intent.

The attacker who sends spear phishing mails will possess some or all of the following information about the target:

  • Name
  • Place of employment
  • Job title 
  • Personal/official email address
  • Specific information related to their job role

One of the most famous data breaches in recent history, the hacking of the Democratic National Committee, was the result of a successful spear phishing attack.


Whaling

A whaling attack is very similar to a spear phishing attack, except that the targets are high-ranking officials or CXOs. As such attacks are well researched and highly targeted, detecting and preventing them becomes more difficult. These emails use subject lines that prompt immediate action from the receiver. Whaling attacks, thus, usually resort to email subject lines related to income tax returns, tax forms, etc.

Phishing Kits 

A phishing kit is a set of materials and tools that allows an attacker, who may even lack the technical know-how, to create and launch a seemingly genuine phishing campaign. A phishing kit bundles phishing website resources and tools, allowing the attacker to simply install it on a server and send emails to the targets without any delay.

Anatomy of a phishing kit

The following image depicts how a phishing kit is made and how it works:

[Image: phishing kit]


How to Prevent Phishing Attacks

Threat actors usually target corporations and organizations, rather than specific individuals. So, it is in the interest of both the organization and its employees to thwart any attempts to steal their confidential data. To achieve that, they have to consider the following steps: 

Employee Awareness

Awareness campaigns help resolve this issue to a great extent and minimize the risk arising from this attack vector. They reinforce good cyber hygiene practices. Since phishing attacks may target any employee without exception, everyone, including high-ranking officials and executives, must be trained to identify the threat and tackle it.

Multi-factor verification 

All requests for access or transfer of confidential or sensitive data should pass through several levels of verification before they are permitted. Two-factor Authentication (2FA) is the most effective way to prevent phishing attacks that target sensitive applications. 2FA relies on two factors to grant access to a file or a resource. These factors include PINs/passwords, OTPs, badges, biometrics, etc. Even if employees are compromised, multi-factor authentication measures reduce the chance of a successful cyber attack.

Social media education 

This is an extension of employee awareness. It has often been found that information posted by employees on social media was used by attackers to craft phishing attacks. This necessitates awareness programs that educate employees about social media best practices.

Anti-phishing tools 

Social engineering attacks such as phishing or whaling exploit human errors, unlike other forms of cyber attacks. Vendors who offer anti-phishing software and managed security services help prevent whaling and other forms of phishing attacks. 

The Anti-Phishing Working Group (APWG) is an organization dedicated to cybersecurity and phishing research and prevention. It provides resources for companies affected by phishing and conducts research to provide information on the latest threats. Companies may choose to report a suspected threat to APWG for analysis.

Most Expensive Phishing Attacks

1. Facebook and Google 

Facebook and Google, together, were scammed out of over $100 million between 2013 and 2015. The actors carried out the campaign through an elaborate fake invoice scam. A Lithuanian hacker masqueraded as a large Asia-based manufacturer and sent each company a series of fake invoices.

2. Sony Pictures 

In another instance, Sony employees were targeted through a series of spear phishing emails. LinkedIn was a part of the adversary’s tactics. They obtained names and titles of Sony employees from this professional networking website. The actors posed as their colleagues and sent malicious emails laced with malware to unsuspecting targets. This led to a major data breach involving over 100TB of company data, which cost Sony more than $100 million.

3. Crelan Bank 

Crelan Bank in Belgium lost $75.8 million in a CEO fraud attack. The company was notified about this attack only during an internal audit. Although the attackers responsible have not been identified, Crelan Bank implemented new security measures to prevent another similar attack.

For more details and insights about phishing email subjects refer to:

Contributors to this Article
Anmol Kumar
Anmol is a Cyber Security Analyst at CloudSEK. He graduated from Quantum School of Technology, Roorkee with a bachelor's degree in Computer Science. As an analyst he helps clients identify potential threats. He is also interested in traveling and photography.