Phishers have created a whole library of different attacks they can use to try to harvest information from unsuspecting victims. Long gone are the days where a scammer would simply send a poorly-crafted unsolicited email to convince an individual to share banking credentials; as public awareness has increased, phishers have been forced to developed new and inventive ways of targeting their victims.

All of the attacks have the same founding similarities; the phisher pretends to be from a legitimate organisation and uses realistic fake emails or malware to fool their victim into giving the scammer their personal information. It is in the implementation that the strategies differ.

Spear Phishing

Spear phishing involves attacks targeting specific individuals or companies, rather than blanket 'catch-all' campaigns that hackers send to multiple organisations at once.

To increase their chances of success, hackers often obtain background information on their victims by searching social media profiles such that the emails appear realistic. Reports have shown that this technique is by far the most widespread, with upwards of 90% of attacks taking this form.

Whaling attacks are subsets of spear phishing attacks that specifically target senior executives of organisations. As these high-level targets have more access to financial resources or information, the hackers could potentially make a great deal of money from a successful phishing attack.

Scammers typically target employees who can authorise payments, or have access to the company's accounts for other legitimate reasons, and fool them into making payments to their own fake accounts under the disguise of being a legitimate vendor.

Hackers may use the email accounts compromised in whaling attacks to send emails ordering lower-ranking employees to authorise these payments. The employee in question is unlikely to question an email from one of their seniors in the company.

Whaling attack emails may also be disguised to look like legal subpoenas, customer complaints, or emails sent from an independent business authority. All have the same goal; to obtain sensitive information from the business in question which the phishers can then use for personal gains.

Pharming

Pharming depends on DNS cache poisoning using malware to direct users from a legitimate site to a fraudulent one. The hacker then tricks the victim into using their login credentials to attempt to log in the fraudulent site.

The scammers then collect their login details, which they can subsequently use to obtain their information from the legitimate site.

Clone Phishing

In clone phishing, the hacker creates a clone of a legitimate email containing an attachment or a link that is in the victim's inbox. The clone is created by removing the content and recipient address of the legitimate email and using it to create the clone.

The hacker replaced the attachment or link in the original email with a malicious version. The hacker then sends the email from an address which they have spoofed such that it looks like it comes from the original sender of the email.

The spammer may add a claim into the email saying that it is a resend of the original email, or a version containing updated information or an updated link.

Hackers who have already taken control of another victim's system often use cloning, as they can leverage their control of one system to pivot within an organisation and use emails from a trusted sender to reach their victims.

SMS Phishing

Phishers send SMS messages to victims from phishers intending to trick them into disclosing sensitive information. In many ways, SMS phishing is similar to email phishing.

The hackers disguise the SMS messages to look like they are from organisations of which the victim is a customer, such as their bank.

The text messages may also be sent with the intent of installing malware onto the victim's phone. The scammer can then access a variety of personal information from the device.