Can You Spot the Most Dangerous Types of Phishing Attacks?
Phishing attacks occur when fraudsters impersonate a trusted company or person in order to steal your sensitive information, financial data, or passwords.
But while most people think of emails when they hear about phishing, scammers have more sophisticated ways to “phish” you — from fraudulent calls and texts to malicious websites and even hacked search results.
Phishing scams are on the rise — increasing by 47.2% and costing victims almost $2.7 billion in 2022 alone.
In this guide, we'll explore the main types of phishing to look out for and show you how to spot the warning signs. We'll also explain what to do if you unwittingly engage in phishing attempts, so you can respond quickly enough to protect your finances and identity.
What Is Phishing? How Can You Spot a Phishing Attack?
Phishing is a type of scam in which fraudsters impersonate a trusted brand, company, or individual in order to gain trust — and persuade victims to disclose sensitive information, send money, or click on malicious links.
If you fall for a phishing attack, you could compromise your identity, provide a scammer with your bank or credit card information, or lose access to your email and other sensitive accounts.
Phishing has become the most common form of cybercrime, with fraudsters sending an estimated 3.4 billion spam emails every single day [*].
The good news is that many phishing attacks have common red flags to watch out for.
Here are six warning signs of a phishing attack:
- Unsolicited calls, emails, texts, and messages. Phishing is a numbers game, as scammers target millions of people every day in hopes of engaging a small minority. If you’re not expecting a call or message, consider its arrival a warning sign of a phishing scam.
- The message’s tone or language seeks to create a sense of urgency. Phishing messages or calls often pressure you into taking immediate action. If a message elicits an emotional response or prompts you to do something right away, be skeptical.
- Look-alike email addresses, phone numbers, and profiles. Check for email addresses, phone numbers, or profiles that resemble those of well-known companies or specific individuals. Clone phishing scams use slight variations of the email addresses or phone numbers from trusted organizations, including the IRS, Microsoft, or Amazon.
- Strange grammar, spelling, and formatting. Many scammers operate from non-native English-speaking countries, so typos and unprofessional language can be telltale signs of phishing attacks.
- Suspicious links. Be cautious of links or attachments in unsolicited messages, especially if they lead to unfamiliar websites. Hover over every link to preview its destination, and look for URLs that aren’t related to the company the message claims to be from.
- Demands for gift cards or other non-reversible payments. Cybercriminals often request payment in non-reversible forms, such as gift cards. Legitimate businesses use more secure and traceable payment methods.
The bottom line: Each year, phishing scams grow more sophisticated. Aura’s all-in-one digital security solution can help protect you and your family against many common phishing attacks. Learn more about how Aura keeps you safe from online scams.
13 Common Types of Phishing Attacks (and How To Avoid Them)
- Email phishing
- Text message phishing (“smishing”)
- Phone scams (“vishing”)
- Spear phishing
- Whaling or executive phishing
- Search engine phishing
- Angler phishing (social media phishing)
- Pharming (fake websites)
- Fake pop-up ads
- Evil Twin phishing
- Watering hole phishing
- Man-in-the-Middle (MitM) attacks
- Business Email Compromise (BEC)
As scammers enhance their tactics, there are many new and evolving types of phishing attacks that you need to learn to recognize.
Here are 13 different types of phishing attacks to watch out for in 2023 — and how you can spot them:
1. Email phishing
In email phishing campaigns, fraudsters send emails pretending to be from a company you use, like your bank, Apple, Amazon, or Coinbase. In these emails, scammers try to pressure you into clicking on links, which lead to fake websites designed to steal your passwords and other sensitive information.
For example, in a common Bank of America phishing email, scammers claim your bank account has been suspended due to fraudulent activity. Under the pretense of helping you regain access, the scammers ask you to click on a link, but this takes you to a fake login page, where malware can steal your bank account number and password.
How to spot an email phishing scam:
- Check the sender’s email address (not just the “from” name). Anyone can change an email account’s “from” name to make themselves look more legitimate. Click on the sender’s name to reveal their email address. If it’s not from the company’s official domain (for example, “@bankofamerica.com”), it’s a phishing scam.
- Hover over links before clicking on them. Hover over any links in the email before clicking in order to reveal the actual URL. If the URL doesn't match the company’s official website (or looks suspicious), do not click on it.
- When in doubt, ignore the email or contact the company directly. Avoid clicking on links, downloading attachments, or providing personal information. Instead, contact the company directly by locating its official email address or phone number.
2. Text message phishing (also known as “smishing”)
Smishing — or "SMS phishing" — involves cybercriminals deceiving you through text messages in order to gain sensitive information or money. As with phishing emails, the perpetrators pose as trustworthy sources and lure victims with prize draw invitations or discount coupon offers.
For example, you might receive a fake delivery notification text message with a link to a malicious website. In other cases, you may receive a “suspicious login attempt” text message claiming to be from your bank.
How to spot a text message phishing scam:
- A text message requests personal information. If a text asks for your Social Security number (SSN) or password, it’s likely a phishing scam.
- The message asks you to click on a link to resolve a problem or win a prize. Legitimate businesses rarely use SMS messages in this way. Avoid the link, and check the company’s official website to see if there is really a prize draw.
- The message claims to be from a government agency. According to the Federal Communications Commission (FCC) [*], government bodies almost never initiate contact by phone or text.
3. Phone scams (also known as “vishing”)
Phone scams, also known as "vishing" (voice phishing), occur when scammers use phone calls to deceive you via social engineering tactics that are designed to get you to reveal personal information. These scams often involve fraudsters impersonating banks, government agencies, or tech support representatives.
Alexis Cleveland, a DoorDash employee, received an unexpected call from someone claiming to be from her support team. Minutes later, she became a victim in a $1 million scam that affected 700 people [*].
How to spot a vishing scam:
- The caller creates a sense of urgency. Phone scammers try to get you to act without thinking by claiming your bank account has been compromised, a friend is in trouble, or by using other made-up emotionally-charged situations.
- You’re asked to download a remote access app. If someone you don’t know wants you to grant them access to your device by downloading an app like AnyDesk or TeamViewer, consider this a major red flag. You can get legitimate tech support by contacting a company directly — support teams won’t call you without your consent.
- Call the company back directly. Ask for a reference, and then hang up and call the company or agency back by using its official phone number. This ensures that you’re talking to someone legitimate.
4. Spear phishing
Spear phishing is a targeted form of phishing in which attackers research their targets to create more sophisticated and compelling phishing messages. These phishing attacks can take place via emails, calls, text messages, or on social media platforms like LinkedIn.
In 2021, imposters used a spear phishing email to impersonate the U.S. Department of Labor [*]. This email cleverly disguised domains to ensure that the email looked authentic, which helped the criminals trick business owners and steal their Office 365 login credentials [*].
How to spot a spear phishing attack:
- Unexpected contact from someone in a trusted position. These attacks lull you into a false sense of security, as con artists impersonate C-suite members or IT support representatives. Always scrutinize both the email address and sender’s role to determine if this person would actually contact you.
- Consider the email's format. If it claims to be from IT support, does it match the style and structure of past communications? Look for oddities in design, language, and tone.
- Pressure to act. If the message instructs you to log in to a specific service or take urgent action on something, it's best to make a phone call to confirm this is a genuine request.
5. Whaling or executive phishing
A whaling attack is a type of phishing that specifically targets high-level senior executives, with the goal of stealing sensitive data or money (a form of CEO fraud). The imposters often use the executive's name, email signature, and other personal details to make the message seem real.
There are several approaches to this tactic, but the most common is to imitate a senior executive, such as the company’s CEO, and ask for a money transfer or for payment of a fake invoice through an unverified method.
How to spot a whaling phishing attack:
- A sender’s email address doesn’t exactly match the company domain. For example, attackers often substitute an "m" in a domain name with an “rn” to fool the recipient.
- A request to wire money to an account. Whenever someone asks for money, make sure you verify the request. A quick phone call to the person making the request (such as the CEO) will help you avoid any mishaps.
6. Search engine phishing
Search engine phishing is a scam in which cybercriminals manipulate search engines like Google to list fake websites or fraudulent phone support numbers at the top of search results — making it more likely that you’ll click or call.
For example, until recently, searching 'GIMP' on Google displayed an ad for “GIMP.org,” the official site of the well-known GNU Image Manipulation Program. Although this ad claimed to lead to “GIMP.org,” it actually redirected to a deceptive site offering a 700-megabyte GIMP download that contained malware [*].
How to spot search engine phishing:
- Carefully examine the website's URL (web address). Phishing sites may slightly change or misspell domains, so look for inconsistencies. Some scammers also hack an official website’s domain name system (DNS) records to create fake subdomains. For example, hackers took over the Virginia state website to host malicious content on two official-looking subdomains (vwn.virginia.gov and crc.virginia.gov).
- Check whether the site uses HTTPS. Legitimate websites typically use "https://" (not “http://”) in their URLs for secure connections. If the site doesn’t look secure, it could be a scam.
- Your device is acting strangely. If hackers have compromised your device, they could run malware in the background, which causes your device to overheat. If your laptop gets louder or your smartphone battery drains quickly, your device might have a virus.
7. Angler phishing (social media phishing techniques)
Angler phishing, also known as social media phishing, is a type of cyberattack that targets specific individuals on platforms like Facebook, Instagram, and Twitter. Usually, the attacker impersonates a trusted source — like an old friend — and sends a direct message describing an enticing offer or sensational story.
In 2022, a scammer acting as a customer service representative contacted a victim who had posted on social media about needing help with a cryptocurrency wallet. The fraudster led the victim to a malicious site — quickly stealing the victim’s seed phrase and draining their balance [*].
How to spot Angler phishing techniques:
- A stranger contacts you with an offer to help. If someone sends you a direct message (DM) with the offer of a reward, discount, or some help with a problem, tread carefully.
- A message or profile that doesn’t feel right. Many angler phishers create duplicate profiles of your friends or family members. But their messages will seem entirely out of character. These vague, random messages usually lack context and always include a link.
8. Pharming (fake websites)
Pharming is a type of phishing attack in which scammers redirect website traffic to fake websites without the user's knowledge or consent. Whereas traditional phishing emails lure individuals to fake websites, pharming seeks to dupe hundreds of victims with a large-scale scam.
When you click on ads that lead to bogus websites, you could become an identity theft victim if you share any personally identifiable information (PII) on the site, like your credit card details.
How to spot pharming (fake websites):
- Look out for unusual website redirects. If you end up on a different site without clicking on a link, it could be a sign of a pharming attack.
- Check the site URL spelling. Many fake websites mimic the names of well-known companies, like Amazon. But the domain URL will be altered slightly — with a dash, dot, or unusual ending.
- Browser warnings. If your antivirus software or browser displays security warnings when you arrive on a website that should be secure, exercise caution. It may be a sign that someone is trying to hijack your connection.
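The domain tricks described under whaling (an “rn” swapped in for an “m”) and pharming (a brand name wrapped in a dash, an extra dot, or an unusual ending) can be checked mechanically. The following is an added example, not Aura’s code or tooling; the allow-list of trusted domains and the sample sender and link values are constructed.

```python
"""Lookalike-domain checker: an added example, not Aura's code or tooling.

It flags the two spoofing tricks the article describes: confusable character
swaps such as "rn" for "m" (bankofarnerica.com) and brand names wrapped in a
dash, extra dot or different ending (amazon-account-verify.com,
amazon.com.login-check.net, amazon.co). The allow-list is constructed.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of the domains a user or mail gateway actually trusts.
TRUSTED_DOMAINS = {"bankofamerica.com", "amazon.com", "microsoft.com"}

# Character sequences that look nearly identical in many fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def registrable_domain(host):
    """Last two labels of a host name (naive: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(text):
    """Collapse confusable sequences so 'bankofarnerica' reads 'bankofamerica'."""
    text = text.lower()
    for seq, repl in CONFUSABLES.items():
        text = text.replace(seq, repl)
    return text


def classify_domain(host):
    """Return 'trusted', 'lookalike' or 'unknown' for a host name."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"            # the real domain or one of its subdomains
    if skeleton(reg) in TRUSTED_DOMAINS:
        return "lookalike"          # rn/m, vv/w, 0/o or 1/l swap
    # Brand name appearing as its own label anywhere in the host, e.g.
    # amazon-account-verify.com, amazon.com.login-check.net or amazon.co,
    # while the registrable domain is not the brand's real domain.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    labels = set(re.split(r"[.-]", skeleton(host)))
    if brands & labels:
        return "lookalike"
    return "unknown"


def check_sender(from_header):
    """Classify the real address behind a From: header, not its display name."""
    _name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return addr, classify_domain(domain)


def check_link(visible_text, href):
    """Compare what a link shows with where it goes (what hovering reveals)."""
    dest = urlparse(href).hostname or ""
    shown = ""
    if "." in visible_text:  # visible text itself looks like a URL or host
        shown_url = visible_text if "://" in visible_text else "https://" + visible_text
        shown = urlparse(shown_url).hostname or ""
    mismatch = bool(shown) and registrable_domain(shown) != registrable_domain(dest)
    return classify_domain(dest), mismatch


if __name__ == "__main__":
    # Constructed sample inputs of the kind the article describes.
    print(check_sender("Bank of America <alerts@bankofarnerica.com>"))
    print(check_sender("Amazon <no-reply@amazon.com>"))
    print(check_link("https://www.amazon.com/account",
                     "https://amazon.com.login-check.net/verify"))
```

A real gateway would swap the naive two-label rule for a public-suffix list, since domains such as co.uk break it.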
9. Fake pop-up ads
Hackers create fraudulent pop-up ads to spoof legitimate advertisements and system messages, including software updates and antivirus alerts. These fake pop-up ads aim to trick you into clicking on malicious links or calling phone numbers — putting you in direct conversation with con artists.
In August 2023, Cybernews warned of an Amazon Loyalty Program scam in which malicious pop-ups lured Amazon customers into sharing personal information by offering them chances to enter prize draws for tech gadgets [*].
How to spot fake pop-up ads:
- Examine the source of the pop-up. Legitimate pop-ups typically come from trusted sources, such as your operating system, browser, or installed software.
- Carefully read the ad content. Fake pop-ups often contain urgent or alarming messages, such as virus warnings or security alerts. The hacker’s goal is to make victims panic into taking action.
- Legitimate pop-ups typically don't request private information. If a pop-up requests sensitive information, it’s likely ransomware.
10. Evil twin phishing
The premise of fake websites goes a step further with evil twin phishing, in which cybercriminals create fraudulent Wi-Fi networks. If you connect to these networks, cybercriminals can intercept sensitive data or even hack your IP address.
This type of phishing is a growing problem, and you should think about this potential threat to your security before you connect to public Wi-Fi in cafes, hotels, and airports.
How to spot evil twin phishing:
- Multiple Wi-Fi networks with similar or identical names are available. If several options look the same, it's best not to take chances — one of them is probably an evil twin.
- The network requests excessive information. Most Wi-Fi networks only ask for the password. You might need to set up a profile with your name and email address in some public Wi-Fi portals. But if the portal requests more information, that's a red flag.
- Unexpectedly slow network speeds. Because evil twin networks are not legitimate, they are often slow. Also, you'll likely be spammed with messages, advertisements, and pop-ups, as opportunist hackers attempt multiple tricks to seize your information.
11. Watering hole phishing
Watering hole phishing is a scam that targets users by compromising websites they frequently visit, such as message boards, forums, or popular news sites. By inserting trojans or ransomware on the “watering hole” site, cybercriminals lay the bait — which can open the door to data breaches or financial losses.
One of the biggest hacks of all time was SolarWinds. The 2021 attack resulted from watering hole phishing tactics, as state-sponsored agents spied on cybersecurity companies, the U.S. Treasury Department, and Homeland Security [*].
How to spot watering hole phishing:
- Unusual browser behavior. If you experience constant redirects or unexpected downloads, approach with caution.
- Warnings from your antivirus software. If your browser flags the site as potentially unsafe, immediately leave.
- An increase in suspicious activities. If you notice unauthorized access to your device, it’s a sign of a watering hole phishing attack.
12. Man-in-the-Middle (MitM) attacks
In Man-in-the-Middle (MitM) attacks, scammers use vulnerabilities in Wi-Fi networks to intercept and alter communications between two parties without their knowledge — such as via text message conversations.
Ashley Liles, a system administrator, was at the center of a bizarre MitM attack. When cybercriminals targeted his company, Liles initially helped police with the investigation, but he then altered the scammers’ emails and Bitcoin wallet details, seemingly hoping to intercept his company’s ransom payment himself. Police eventually figured out the truth, and Liles admitted his guilt in May 2023 [*].
How to spot Man-in-the-Middle attacks:
- Unexpected requests for sensitive information. If you're asked for unusual information during a conversation or transaction, it's a sign of a MitM attack.
- SSL/TLS certificate errors or warnings appear in your browser. Make a note of any error or message, and approach with extreme caution.
- Experiencing unusual delays. If transactions or conversations take longer than expected (and keep getting interrupted), leave immediately.
13. Business Email Compromise (BEC)
In Business Email Compromise (BEC) scams, cybercriminals gain access to a company's email system by impersonating executives, like the CEO or CFO. Attackers abuse this perceived position of power to coerce other employees into making wire transfers, giving up access to sensitive documents, and revealing confidential information.
How to spot Business Email Compromise (BEC) schemes:
- Sudden requests for wire transfers. Even if a request comes from a trusted source, take extra steps to verify that the email or text is legitimate.
- Emails are sent at unusual times. Attackers sometimes contact employees outside of business hours with urgent requests.
- Attempts to move the conversation to mobile devices. In some BEC scams, the threat actor tries to coerce targets into sharing their cell numbers, which enables the fraudster to continue the scam.
What To Do If You’re the Victim of a Phishing Scam
How you should respond to these common types of phishing scams depends on your level of engagement with the scammer.
☑️ If you’ve clicked on a phishing link:
- Do not share personal information. Never provide sensitive information, like your bank account details or passwords, when you receive unsolicited requests in emails, texts, or messages.
- Disconnect from the internet. Viruses and malware often require an internet connection to run properly. Cut them off to mitigate the damage.
- Delete automatic downloads. If you see any unexpected downloads or unfamiliar programs on your laptop, phone, or tablet, immediately delete them.
- Scan your device and all others on the same network. Use antivirus software to check for and remove malware. If you use other devices on the same network, scan those to identify and remove potential threats.
- Back up your files. Storing a safe copy of your important files on an external drive is best. If you're hacked, you won't lose everything.
☑️ If you accidentally gave a scammer money or sensitive data:
- Contact your bank and credit card companies. If you've shared sensitive information with phishers, contact your bank or credit card issuer to notify them about credit card fraud.
- Lock or freeze your credit file. A credit lock (or credit freeze) stops companies from accessing your credit file. These security precautions make it harder for scammers to open new accounts or take out loans in your name.
- Report phishing to the Federal Trade Commission (FTC). If you've shared personal information with scammers, file an official identity theft report with the FTC at IdentityTheft.gov.
- Follow the fraud victim’s checklist. A quick response can limit the damage to your credit score and finances. Follow the steps in our fraud victim’s checklist to minimize the damage that cybercriminals can cause to you and your family.
☑️ Additional steps to take if you click on a text scam link:
- Scan the Dark Web for your information. Having your information on the Dark Web puts you in the crosshairs of scammers. To find out what information hackers can access, check your email address with Aura's Dark Web scanner.
- Monitor your phone bills. Hackers could steal your phone number in a SIM swap scam or install malware on your device that costs you money without your knowledge. Keep a close eye on your bills for unusual charges in order to avoid phone scams.
- Report the scam. If you receive a smishing text, forward it to SPAM (7726). You can also report scams to the FTC at https://reportfraud.ftc.gov/. If you disclose sensitive information via social engineering attacks or send spammers money, file a police report.
- Sign up for identity theft protection. Clicking on a fraudulent link can infect your mobile device and compromise your identity. By signing up for identity theft protection, you can get comprehensive protection for all of your devices, data, and online accounts.
How To Protect Yourself Against Phishing Scams
- Use secure and unique passwords for every account. Rather than reusing simple passwords, protect every account with a unique, complex combination of uppercase and lowercase letters, numbers, and symbols.
- Use a password manager. If you're having trouble remembering unique passwords, consider using a secure password manager like the one included with every Aura plan.
- Enable two-factor authentication (2FA) on your accounts. You can make your accounts more secure by adding a second authentication factor to the login process, such as a fingerprint scan, push notification, or hardware security key.
- Never give out passwords, PINs, or one-time use codes. Nobody needs to know this information, not even your family or anyone who claims to be from tech support.
- Don’t click on links in suspicious emails. Phishing only works when you engage with the scammers. If you avoid bogus links and attachments, it’s less likely that you’ll expose your information.
- Consider security awareness training for your company. Many phishing scams target employees. Consider signing up for a training program that will help employees avoid getting scammed.
- Always contact companies by using the information found on their official websites. When you want to get in touch, go directly to the company’s website and use the customer support information — never follow the details provided in an unsolicited message.
- Use Safe Browsing tools. A reliable ad and website blocker can automatically stop you from entering phishing sites or downloading malicious code.
Phishing Isn’t Slowing Down — Aura Can Help Protect You
In 2022, there were 300,497 phishing victims in the United States, with combined losses totaling more than $52 million [*]. As social engineering practices become more sophisticated, your chances are greater of losing money to different types of phishing.
Aura offers the best solution to protect your online, financial, and personal accounts in 2023. As the #1-rated identity theft protection platform, Aura has everything you need to keep your entire family safe.
In addition to award-winning identity theft protection and three-bureau credit monitoring with the industry's fastest alerts, Aura gives you access to a military-grade virtual private network (VPN), antivirus software, and Safe Browsing tools to combat phishing, fraudulent websites, and malware threats.
Aura’s U.S.-based team of White Glove Fraud Resolution Specialists provide 24/7 support, and every adult on your Aura plan is covered by a $1 million identity theft insurance policy.