top of page

What are the different types of 'ishing' and what do they mean?

Updated: Apr 27, 2023



Cyber-attacks are becoming increasingly common, posing significant threats to individuals, businesses, and even governments. Cybercriminals employ a wide variety of methods, but only a few are especially common or efficient. The suffix "ishing" has been used to describe one category of methods. But what exactly are the different types of 'ishing,' and how can we identify and protect ourselves from their criminal activities?

Phishing

Among all the other types of 'ishing,' phishing is by far the most common and well-known. Criminals on the Internet use social engineering to get their hands on private information like passwords, banking information, and credit card numbers. Phishing attacks are carried out by email, and often get trapped in the spam filter.

In a phishing attack, the hackers pose as an official organisation to gain the victim's trust and obtain sensitive information. Once they have the target's attention, they'll write a convincing message to get them to perform some sort of action, like visiting a website or downloading a file. This could redirect the user to a rogue website that steals personal information or install malware on their computer. The family member impersonation has been prevalent this year, so ensure your team are aware of these kinds of attacks.

To protect yourself from phishing attacks, it's essential to be vigilant and cautious when opening emails, clicking links, or downloading attachments. Always verify the sender's identity and look out for tell-tale signs of phishing, such as poor grammar, low quality logos, spelling mistakes, or suspicious email addresses or URLs.

Spear Phishing

Spear phishing is an advanced form of phishing that targets specific people or businesses. When launching this kind of attack, cybercriminals usually conduct comprehensive investigations on their intended victim, learning details like their profession, hobbies, and network of friends and associates. By doing so, they can craft a message that is uniquely tailored to the target, making it more likely to succeed in fooling them.

Spear phishing attempts are especially dangerous because they usually target high-value individuals like senior executives or government officials, who could be seriously compromised if they inadvertently fall for the scam. Companies can better protect themselves from spear phishing by providing their staff with training and education that stresses the need of remaining vigilant and aware of potential security threats. It’s also important to empower your staff members to ask questions to confirm it’s a genuine message, even if it appears to be from a senior executive or CEO.

Whaling

Whaling is a specific type of spear phishing that targets high-level executives or other high-profile individuals within an organisation. The term 'whaling' is derived from the notion that these individuals are the 'big fish' within a company, and their compromise can lead to significant consequences for the organisation as a whole. Whaling attacks often involve sophisticated social engineering tactics and may use email spoofing or other methods to appear as if they originate from a trusted source.

Whaling attacks can be particularly damaging due to the level of access and authority that high-level executives possess within an organisation. Successful whaling attacks can result in the loss of large sums of money, intellectual property, or sensitive company data. To defend against whaling attacks, it's crucial for executives to be aware of the risks and implement robust security measures, such as two-factor authentication and employee training on recognising potential threats.

Smishing

Smishing, or SMS phishing, is similar to traditional phishing but is carried out via text messages instead of emails. Cybercriminals will send messages to potential victims, often containing a sense of urgency or an enticing offer. Like phishing, these messages will usually prompt the recipient to click on a link, call a number, or reply with personal information.

As with phishing, the best defence against smishing is to remain vigilant and cautious when receiving unsolicited messages. Never click on links or respond to text messages from unknown senders and always verify the legitimacy of the source before providing any personal information.

Vishing

Vishing, or voice phishing, is another variation of phishing, involving phone calls instead of emails or text messages. In a vishing attack, the cybercriminal will impersonate a legitimate organisation and attempt to deceive the victim into revealing sensitive information over the phone.

To protect yourself from vishing attacks, be wary of unsolicited phone calls and avoid providing personal information unless you can verify the caller's identity. It's also a good idea to have a healthy dose of scepticism and to question any requests for information that seem out of the ordinary – or even ones that don’t!

Pharming

Pharming is a more technical form of 'ishing', involving the manipulation of the Domain Name System (DNS) to redirect users to a malicious website. In a pharming attack, cybercriminals will exploit vulnerabilities in the DNS infrastructure to hijack the resolution process, causing users who attempt to visit a legitimate website to be unwittingly redirected to a fake site designed to steal their information or install malware.

Unlike phishing, which relies on deceiving users into clicking on malicious links, pharming attacks can occur without any direct interaction from the victim. To protect yourself from pharming attacks, ensure that your devices and software are up to date with the latest security patches and consider using secure browsing tools, such as HTTPS and DNSSEC, to help mitigate the risk of DNS tampering.

The various types of 'ishing' attacks share a common goal: to deceive individuals or organisations into revealing sensitive information or granting unauthorised access. By understanding the differences between these attacks and implementing appropriate security measures, you can reduce the risk of falling victim to these attacks. It’s important to report emails by forwarding them to report@phishing.gov.uk and texts to 7726 (it spells SPAM on the keypad which we think is a neat way to remember it.)

Stay vigilant, educate yourself and others, and always verify the legitimacy of any communication before taking action. Cybersecurity is an ongoing battle, and staying educated is your best line of defence, so get in touch today.

Comments


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

 

The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page