Types of phishing attacks and how to avoid them
Phishing attacks are social engineering attacks that attempt to obtain sensitive information, gift cards, or money from an unsuspecting individual or to infect their device with malware. There is no surefire way to prevent phishing attacks; however, your best defense is knowing how to spot these attempts and how to avoid them if you believe you are being phished.
Below are some of the main types of phishing attacks, but for more general information about phishing scams, check out this Phishing 101 article.
Spear phishing
Spear phishing targets a specific group or individual. The attacker will use personalized emails to trick individuals into revealing personal, sensitive data. These customized attacks are made to appear credible and convincing, using information gathered from social media profiles, public records, or other sources to create a personalized message that appears to be from a trusted source. A trusted source could be a colleague, boss, or friend. The goal is to trick users into revealing information or performing a specific action, such as transferring funds or downloading malware.
- How to spot and what to do: Be alert to emails addressed to you by name whose content or request is unexpected, especially anything involving money, credentials, or confidential data. If you are not sure the email really comes from the person it claims to, check with them directly through another channel, such as a telephone call to a number you already have. If it is a spear phish, report or delete the email using the tools provided in your email service.
Smishing
Smishing is phishing carried out over text messages (SMS).
A common smishing technique is sending a text message that contains a clickable link or a phone number to call back. One of the most common examples is an SMS message that looks like it came from your bank. It tells you your account has been compromised and that you must respond immediately by verifying your bank account number, Social Security number, and similar details. The link leads to a page the attacker controls, and the call-back number reaches the attacker, not the bank.
- How to spot and what to do: Be very wary of any text message that relates to money or accounts of any kind, and be suspicious of urgent requests. If a bank or any other entity wants you to contact them, call them using a number from their official website or from the back of your card, never the number or link in the message. Ignore and delete any messages you are unsure of.
Email phishing
The most common type of phishing attack is email phishing, which has been used since the 1990s. Attackers send these emails to every address they can obtain; even a very small response rate is worthwhile when the same message goes to a mass of people.
The email usually informs you that your account has been compromised and that you need to respond immediately by clicking on a provided link. These attacks have traditionally been easy to spot because the language often contains spelling and/or grammatical errors; however, with the help of AI chatbots such as ChatGPT, these messages are becoming more polished and harder to spot, so poor language can no longer be relied on as the only warning sign.
It’s important to always check the actual sender address (not just the display name) and the real destination of any link, by hovering over it rather than clicking. Both can give you clues as to whether the source is legitimate.
- How to spot and what to do: Look for emails with typos, odd wording, or an unexpected sense of urgency. Check the “from” address of every email you act on to make sure it is the address you expect, not merely a familiar display name. Keep in mind that a plausible-looking address is not proof by itself, since sender addresses can be forged. Don’t respond to or act on emails from people you don’t know.
Search engine phishing
Search engine phishing, also known as SEO poisoning or SEO Trojans, is where attackers work to get their own page ranked among the top results for a search. Clicking on that result takes you to the attacker’s website, which then collects any data or information you enter as you interact with it. These sites can pose as any type of website, but the prime candidates are banks, money transfer services, social media, and shopping sites.
- How to spot and what to do: Never click on a search result, even the top one, without inspecting it carefully; attackers count on people being careless. Check the address of any site you interact with: a lookalike name, an unfamiliar domain, or the expected name buried inside a longer one are all warning signs. If the address doesn’t look right, close the tab right away and don’t enter anything.
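The advice above to check the “from” address and the URL is easier to follow with a concrete picture of the tricks being looked for: a display name that says one thing while the real address says another, a lookalike domain, the expected name placed in front of an attacker’s domain, a user name inserted before an `@` so the real host is hidden, and punycode (`xn--`) labels that can render as lookalike characters. The following Python example is added here and is not part of the original article; the messages, URLs and the expected domain `bank.example` (a reserved example name standing in for whatever domain you actually expect) are all constructed for illustration.

```python
"""Added example: mechanical versions of "check the from address" and
"check the URL".  All inputs and the expected domain are constructed
(bank.example / evil.example are reserved illustration names)."""
from email.utils import parseaddr
from urllib.parse import urlsplit


def registrable_match(hostname: str, expected: str) -> bool:
    """True only if hostname is `expected` itself or a real subdomain of it.

    'login.bank.example' matches 'bank.example', but
    'bank.example.evil.example' does not: the expected name must be the
    suffix, not merely appear somewhere in the host."""
    hostname = hostname.lower().rstrip(".")
    expected = expected.lower()
    return hostname == expected or hostname.endswith("." + expected)


def check_from_header(from_header: str, expected_domain: str) -> list[str]:
    """Return the reasons a From: header looks suspicious (empty = nothing found)."""
    problems = []
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable address in From header"]
    domain = addr.rsplit("@", 1)[1]
    if not registrable_match(domain, expected_domain):
        problems.append(f"sender domain {domain!r} is not under {expected_domain!r}")
    # Display-name spoofing: the visible name contains an address at the
    # expected domain while the actual envelope address is somewhere else.
    if "@" in display_name:
        claimed = display_name.rsplit("@", 1)[1].strip('"<> ')
        if claimed.lower() != domain.lower():
            problems.append(
                f"display name claims {claimed!r} but mail comes from {domain!r}"
            )
    return problems


def check_url(url: str, expected_domain: str) -> list[str]:
    """Return the reasons a link destination looks suspicious (empty = nothing found)."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        # https://bank.example@evil.example/ : everything before '@' is a
        # user name; the browser connects to the host after it.
        problems.append("text before '@' is a user name; the real host follows it")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("internationalized (punycode) label; may render as a lookalike")
    if not registrable_match(host, expected_domain):
        problems.append(f"host {host!r} is not under {expected_domain!r}")
    return problems


if __name__ == "__main__":
    # Constructed samples: one legitimate and several phishing-style inputs.
    samples_from = [
        '"Bank Support" <alerts@bank.example>',
        '"alerts@bank.example" <newsletter@evil.example>',
    ]
    samples_url = [
        "https://login.bank.example/account",
        "https://bank.example.evil.example/login",
        "https://bank.example@evil.example/login",
        "http://xn--bank-1za.example/login",
    ]
    for h in samples_from:
        print(h, "->", check_from_header(h, "bank.example") or "ok")
    for u in samples_url:
        print(u, "->", check_url(u, "bank.example") or "ok")
```

Note that these checks only catch structural tricks. A message that passes them can still be a phish, and a sender address that matches can still be forged, so the checks narrow the field rather than prove legitimacy; the out-of-band confirmation the article recommends is still the decisive step.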
Vishing
Vishing has the same purpose as other types of phishing attacks; however, this attack is accomplished through a voice call.
A common vishing attack is a call from someone claiming to be a representative from Microsoft. The caller informs you that they’ve detected a virus on your computer and asks you for your credit card details so they can install an updated version of anti-virus software for you. The result: the attacker now has your credit card information, and you have likely installed malware on your computer as well.
- How to spot and what to do: Check your caller ID before answering. If you don’t recognize the calling number, send the call to voicemail. Remember that caller ID can be spoofed, so a familiar-looking number is not proof that the caller is who they say. If you check your voicemail and it appears to be a legitimate call, look up a publicly available number for that organization and use it to return the call rather than calling back the number that reached you.
Whaling
Whaling is an even more targeted type of phishing that goes after the “whales” (the big fish): the CEO, CFO, or any other C-suite person within an industry or a specific business. A whaling email might state that the company is facing legal consequences and that the recipient needs to click on a link to get more information. The link then takes the person to a page where they are asked to enter critical data about the company, such as the tax ID or bank account numbers.
- How to spot and what to do: If you are in a leadership position and receive a request to share confidential or sensitive information, or to send money or gift cards, contact the relevant department head through a known channel to check that the request is legitimate before acting.
No matter the type of phishing attack, UC Davis Health staff need to be vigilant about phishing threats. The best defense against these attacks is knowledge about the types and how to spot and avoid them.
If you ever believe you’ve become a victim of a phishing attack on a UC Davis Health-owned device or personal device connected to the UC Davis Health Network, power down the device and contact the Technology Operations Center immediately at 916-734-4357.