The Different Types of Phishing Attacks & How to Recognize Them

With the growing number of cyber-attacks, it’s important to understand what the different types of phishing are and how to spot them.


According to the FBI’s 2019 Internet Crime Report, they handled over 467,000 complaints and recorded more than $3.5 Billion in losses to individuals and companies.  Phishing was called out as the largest percentage of complaints.

The ways in which cyber-criminals prey on people hasn’t changed significantly in the last couple of years.  But their tactics and methodology have gotten more sophisticated.

But to understand what I mean by that, let’s start at the beginning and talk about what phishing is all about.

What is Phishing?

Simply defined, Phishing is the act of sending out false emails, with malicious intent.  Usually a phishing email impersonates a brand with the intention of stealing personal or corporate data.  And, over time, hackers have gotten smarter.  They utilize sophisticated social engineering tactics that can be very difficult to detect.

They also have a litany of methods at their disposal.  Next we’ll look at the different types of phishing attacks and explain how to spot them.

Common Types of Phishing Attacks

While names like pharming, smishing and whaling, they sound like something out of a sci-fi movie.  But their effects can be extremely damaging, so let’s dig into the details.

Spear phishing

Spear phishing targets specific individuals versus an entire group.  Criminals will expertly customize their communications to appear more authentic.  And they’ll use social media and other websites to help them target.  According to the SANS Institute, 95% of attacks on enterprise networks are the result of successful spear phishing.


Whaling is a specific phishing attack where the target is labeled as a “big fish” and is typically the CEO, President or high-ranking executive at a company. Attackers know that if they are able to successfully get key information from these victims, they will access to a large amount of sensitive company information. Because of that, they often take a lot of time to profile and “virtually stalk” their prey before they attack at just the right time.


Pharming is similar to phishing with one main difference.  Phishing uses email communications to lure in their target.  However, with pharming, you are simply typing in the correct URL to a trusted site only to be taken to a spoofed website.  Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to this fake site.  While there the goal is to get your personal information – passwords, log in credentials, credit card – or to install malware on your computer.

Deceptive phishing

Deceptive phishing is the most common type of phishing.  In this scenario, they attacker sends you an email that sounds important or urgent and looks real.  But their goal is to get you to click on it and visit their malicious site or install malware on your computer.  Once you’re on their site, they try to steal your credit card information, or they obtain your password and email (which they can then try to use on other sites if you use the same password).  One common example of this goes something like this: Your bank sends you an email asking you to verify your account details and asks you to click on a link.  Another commonly used tactic is to hide malicious attacks in fake invoice attachments.

One type of deceptive phishing that has seen a huge uptick recently is Office 365 Phishing.  This can take the form of a fake email from Microsoft or mimic an alert that says there’s an urgent problem with your account and you must log in to fix it.  But all the while it is a ploy to get your log in credentials so that they can steal your data or infect your device with malware.


Vishing is the telephone equivalent of phishing.  While this seems harmless enough, it can be just as damaging as phishing.  The attacker engages in social engineering of the victim via the phone with the end goal of getting confidential information that can be used for theft.


Also called SMS phishing, Smishing is an attack that also uses social engineering techniques via text message.  Typically, the text will include a phony URL or phone number.  Just as in other attacks, the ultimate end game is to get your personal information that they can then use to steal your identity or commit fraud.

Protect Yourself from Phishing

In IBM’s 2019 Cost of a Data Breach Report, they estimate that 51% of data breaches are triggered by malicious.  And, according to Proofpoint, in 2018, 83% of all businesses were victim of a phishing attack.  With an issue that is so pervasive and potentially destructive, companies – both big and small – must put a plan in place to protect themselves.  So, what can you do?

  • Be suspicious.  If an offer in email looks too good to be true, it probably is.  Don’t fall for the bait.  Also, remember, most companies won’t ask you to log in directly from an email.  Keep your guard up.
  • Consider the request carefully, and don’t always respond immediately.  Ask yourself why someone would need this information, if this is typically how things are handled, and if this is coming from and going to the appropriate source.
  • Use strong anti-phishing software that protects your inbox and your internet browsing.
  • Regularly train and educate your staff members on how to effectively detect and avoid phishing emails.  It’s also a good idea to implement regular tests of your employees to keep their skills sharp.
  • Updating your browser and applications regularly is critical.
  • Two factor-authentication is also a great way to protect yourself from fraud.  That way if someone does get your password, they still can’t get in without your phone or other device you’ve set up as your back-up (second factor).

How can Innergi help you?

As a company specializing in online network security and email applications, we understand the inner workings of phishing and want to help keep your data safe.  If you have any questions on how to better prepare your business to fight off a phishing attack, then give Innergi a call today at 321-275-5580.



IBM: 2019 Cost of a Data Breach Report

FBI Internet Crime Report

Proofpoint Phishing

SANS Institute