Phishing Techniques

1. Spear Phishing

Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The hacker has either a certain individual(s) or organization they want to compromise and are after more valuable info than credit card data. They do research on the target in order to make the attack more personalized and increase their chances of success. 

2. Session Hijacking

In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.

3. Email/Spam

Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

4. Content Injection

Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. (example: wikipedia page changes by unauthorised people this is more identity theft , adding weird links to websites) This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.

5. Phishing through Search Engines

Some phishing scams involve search engines where the user is directed to product sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.

6. Link Manipulation 

Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.

7. Vishing (Voice Phishing)

In voice phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Vishing is mostly done with a fake caller ID. ​

8. Smishing (SMS Phishing)

Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.

9. Trojan

A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.

10. Malware

Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.

11. Malvertising

Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.

12. Ransomware

Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PC's is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked in clicking on a link, opening an attachment, or clicking on malvertising.

13. Website Forgery

Forged websites are built by hackers made to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that could be used to defraud or launch further attacks against the victim.

14. Domain Spoofing

One example is CEO fraud and similar attacks. The victim gets an email that looks like it's coming from the boss or a colleague, with the attacker asking for things like W-2 information or funds transfers. 

15. Evil Twin Wi-Fi

Hackers use devices like a pineapple - a tool used by hackers containing two radios to set up their own Wi-Fi network. They will use legitimate-sounding network names which is common in a lot of public places. If you're not paying attention and access the network controlled by hackers, they can intercept any information you may enter in your session such as banking data. 

16. Social Engineering

Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Hackers count on victims not thinking twice before infecting the network. 

17. Web Based Delivery

Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.

​

18. Keyloggers

Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent keyloggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through the virtual keyboard.

​

However, these may not be the only phishing techniques as phishers may come up with new ways as time passes. Hence, we have to always be vigilant to protect ourselves from these scams.