[Part 4] What are the different types of phishing?


Written by Colas Bonvicini, 7 June 2024

There are many different types of phishing: by e-mail, by phone call, by SMS, by QR code or even via your calendar… As the social engineering techniques used by hackers evolve, even more new types of phishing are likely to appear in the future.

In the meantime, this article lists 11 types of phishing, ranging from the best known to the rarer and emerging ones.

1. Phishing by e-mail

E-mail phishing, the most widely used type of phishing, is the origin of all the variants that exist today. It is carried out entirely by e-mail, in the classic way.

An e-mail imitating a trusted or institutional source invites you to click on a link or to pay an amount by entering your bank details. The aim may be to retrieve your personal data, to retrieve your bank details, or to get you to transfer money to an account while making you believe you are dealing with a trusted third party.

Falsifying an e-mail from a source known to distribute phishing e-mails is also known as clone-phishing.

2. Smishing, or SMS phishing

A contraction of the words “SMS” and “phishing”, smishing is a widespread technique that involves sending an SMS to a mobile phone containing a fraudulent link and/or a telephone number to call back, usually under the pretext of an emergency.

3. Vishing, or voice phishing

A contraction of the words “voice” and “phishing”, vishing is a phone call version of phishing.

To carry out vishing, cybercriminals use fraudulent telephone numbers, voice-altering software, text messages and social engineering techniques to trick users into divulging sensitive information. The aim remains the same: to trick you into revealing personal information or bank details.

Example: you receive a call from someone claiming to be a Microsoft employee or to represent your antivirus vendor, telling you that your antivirus is currently experiencing a problem. To solve this problem, you need to update your system and/or reinstall your antivirus software.

This can be done right away with the fake agent on the phone, by means of an online payment, for which he will need your bank details.

This gives the hacker the opportunity to take your bank details and to install malware on your PC to steal more data.

4. Whaling, or “big fish” phishing

A contraction of the words “whale” and “phishing”, whaling is a type of phishing that most often targets companies, and more specifically people at the top of the organization chart, i.e. CEOs, CFOs or other managers with major responsibilities and, ideally, access to company accounts.

Example: an e-mail received states that the recipient’s company is being sued.

The recipient must then click on the link contained in this e-mail to obtain further information. Clicking on the link then redirects the recipient to a fake official website, where the tax identification number, bank account number etc. must be filled in, with the aim of regularizing the company’s situation and paying a fine to cancel the false proceedings.

5. Spear phishing

Spear phishing (sometimes rendered as “harpooning”, from the French term) is a targeted phishing method. No mass mailing this time: the attack is highly targeted and methodical, and may be organized by a group of hackers. It generally targets high-ranking government officials or people holding state or industrial secrets.

Based on espionage, the hacker(s) break into the target’s computer system to learn about their login practices, their searches, their connection times, their online habits, their schedule, etc.

Understanding the target enables the hacker or his group to choose, from many variables, the most effective angle for phishing the victim and getting them to reveal the confidential information they hold. Hackers will even go so far as to infiltrate social networks to observe their target’s interests, personal concerns, points of vigilance and so on.

6. Spamdexing, or search engine phishing

A contraction of the word “spam” and the word “index” (as in search engine indexing), this fraudulent practice consists of steering you to a fraudulent site when you search the Internet, by getting its fraudulent link indexed as the first search result.

Once you have been lured to a fake website, any interaction with the links or pages that form part of it can be exploited by hackers. They can even pretend to be the site’s chatbot to get you to provide more and more information about yourself, for example to harvest sensitive or banking data.

These fraudulent sites can masquerade as any website, but the trend is towards imitation bank sites and imitation money-transfer sites, booby-trapped links that purport to lead to social networks, or even fake online shopping sites.

7. Phishing on social networks

The aim is to reach victims through social networks such as Facebook, Instagram, Twitter or LinkedIn, either to get you to click on a malicious link and steal your personal data, or to take control of your own social network account and thus usurp your identity.

8. Quishing, or QR Code phishing

This latest development, which became particularly visible at the end of 2023, is a godsend for hackers, since the QR code (also known as a flashcode) became ubiquitous in the wake of the Covid-19 pandemic. It can be found on restaurant tables, in museums, on advertising posters, brochures and sales leaflets, at trade fairs and even on the back of some business cards…

For hackers, this new QR code format presents an additional opportunity to more easily slip through the cracks of anti-spam or anti-phishing filters.

What really differs from other types of phishing is the format: the scam starts not online or in a digital format, but on paper. The hook is therefore printed.

Two types of quishing are heard about a little more than the others:

a. The fake QR code linked to the payment of a parking fine

You are surprised to find a parking fine under your windscreen wiper: a small piece of paper that looks like an official notice, with, naturally, a QR code to pay the fine online. To pay this bogus ticket, you are taken to an unofficial website that looks exactly like amendes-gouv.fr, where your payment goes straight to a phisher’s account.

b. Fake QR code linked to payment at an electric vehicle charging station

Once again, this QR code scam is very difficult to detect. If you have an electric vehicle, it’s highly likely that you’ve had to recharge your vehicle somewhere other than your home.

In car parks with electric charging stations, you can pay at the station using your smartphone. Using a QR code affixed to the charging station itself, you pay from your mobile on a dedicated site, and your vehicle is expected to be charged within an appropriate timeframe.

What if the sticker bearing the QR code had been covered with an evil twin? What if this QR code and the website your phone was redirected to were exact copies of the ones you usually use to charge your vehicle?

You would pay for your charge with complete peace of mind, but the transaction would go not to the account of your charging station’s supplier but to that of a fraudster. And of course the charging station (which is activated by payment) would not be activated, and your electric vehicle would not be charged at all.

9. Phishing for fake appointments in your diary

This type of phishing doesn’t yet have a name, but it could be called meetphishing (or even meetshing?).

This consists of sending an invitation directly to your calendar. Since the invitation contains a fraudulent link, make sure you know the source before accepting it, by checking the link (whether it contains a random sequence of numbers and letters, the name of an unknown sender, a strange beginning or terminology, etc.).

These invitations can be extended to all types of device, from Google Meet to your smartphone.

If in doubt, don’t click on the link, don’t accept the appointment, and block the sender immediately.
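The link checks described for calendar invitations (section 9) apply just as well to the lookalike payment sites behind the QR codes of section 8. The following Python script is an added example, not code from the article or its author, that turns those checks into a small triage helper: it compares a link against a constructed allowlist of domains the reader actually uses (the domain names below are hypothetical), flags typo-squats and hyphenated lookalikes, flags a trusted name buried in a longer host, and flags the “random sequence of numbers and letters” the article mentions. The registrable-domain extraction is deliberately crude (last two labels); a production tool would use the Public Suffix List.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist: domains the user legitimately deals with.
# Hypothetical names, not taken from the article.
TRUSTED_DOMAINS = {"example-bank.com", "chargepoint-example.com"}

# 12+ alphanumerics containing at least one digit and one letter: the
# "random sequence of numbers and letters" readers are told to look for.
RANDOM_RUN = re.compile(r"(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{12,}", re.IGNORECASE)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction (last two labels).
    Fine for .com/.fr-style names; real tools use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squats such as one swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set[str]) -> str | None:
    """Return the trusted domain that `domain` imitates, or None.
    Catches small edits (distance <= 2) and hyphenated extensions such as
    example-bank-secure.com built around a trusted name."""
    d_name = domain.split(".")[0].replace("-", "")
    for t in sorted(trusted):
        t_name = t.split(".")[0].replace("-", "")
        if domain != t and (levenshtein(domain, t) <= 2 or t_name in d_name):
            return t
    return None


def assess_link(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return human-readable warnings; an empty list means no heuristic fired."""
    findings: list[str] = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("link is not https")
    if IPV4.match(host):
        findings.append("raw IP address instead of a domain name")
        return findings
    domain = registrable_domain(host)
    if domain not in trusted:
        findings.append(f"domain {domain} is not on the trusted list")
        imitated = lookalike_of(domain, trusted)
        if imitated:
            findings.append(f"domain {domain} looks like trusted domain {imitated}")
        # A trusted name used as a subdomain of someone else's domain,
        # e.g. chargepoint-example.com.pay-x7k2m9q4w1zt.net
        for t in sorted(trusted):
            if t in host:
                findings.append(f"trusted name {t} appears inside host {host}")
    if RANDOM_RUN.search(host) or RANDOM_RUN.search(parts.path):
        findings.append("random-looking run of letters and digits in the link")
    return findings


if __name__ == "__main__":
    # Constructed sample links, mirroring the article's scenarios.
    for link in (
        "https://example-bank.com/login",
        "https://example-bank-secure.com/login",
        "http://192.0.2.10/pay",
        "https://chargepoint-example.com.pay-x7k2m9q4w1zt.net/session",
    ):
        print(link, "->", assess_link(link) or "no warnings")
```

The allowlist approach is the important design choice: rather than trying to recognise every fraudulent domain, the script asks whether the link goes somewhere the reader already trusts, and only then explains why an unknown domain looks suspicious. An empty result is not proof of safety; it only means none of the article's visual cues were present.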

10. BEC – Business E-mail Compromise

BEC attacks are a type of e-mail phishing in which a company executive or other representative is impersonated. The impersonator may claim an urgent situation and ask you to take immediate action (click on a link, send information). It differs greatly from other types of phishing since, as well as being targeted, it doesn’t come with malware, a link or a corrupted attachment.

This request probably goes against company security policy and common sense, but the false sense of urgency is designed to make you panic and act before you think.

11. EAC – Email Account Compromise

EAC is an attack aimed at compromising a user’s e-mail account, gaining access to their inbox through various social engineering techniques. Once the e-mail account has been compromised, the attacker uses it to send phishing e-mails to the user’s contacts, with the aim of stealing data, funds and sensitive personal information.
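Because a BEC message (section 10) carries no malware, link or attachment, what is left to detect are the headers and the wording, and an EAC message (section 11) comes from a genuinely compromised mailbox, so its headers look entirely legitimate. The Python script below is an added example, not code from the article or its author, that runs a few header and wording checks over two constructed messages: a BEC-style message in which an outside mailbox borrows an executive's display name, and an EAC-style message sent from the real internal account. The organisation domain, the executive name and both messages are hypothetical; only the standard library `email` package is used.

```python
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # hypothetical organisation, not from the article
EXECUTIVE_NAMES = {"jane doe"}     # constructed: display names an impersonator might borrow
URGENCY_WORDS = ("urgent", "immediately", "right away", "today", "confidential")

# Constructed BEC-style sample: external mailbox, borrowed display name, separate
# Reply-To, pressure language, no link or attachment. Not a real message.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.ceo@webmail-example.net>
Reply-To: jd.private@another-webmail-example.net
To: accounts@example-corp.com
Subject: Urgent wire today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=webmail-example.net; dkim=pass header.d=webmail-example.net; dmarc=none header.from=webmail-example.net

I'm in a meeting and can't talk. Please process the supplier payment immediately;
I'll send the new account details in my next e-mail. Keep this confidential.
"""

# Constructed EAC-style sample: the real internal account, authentication passes,
# only the wording gives it away. Not a real message.
SAMPLE_EAC = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Urgent wire today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Please process the supplier payment immediately and keep this confidential.
"""


def parse_auth_results(value: str) -> dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header.
    The first ';'-separated element is the authserv-id and is skipped."""
    results: dict[str, str] = {}
    for part in value.split(";")[1:]:
        tokens = part.strip().split()
        if tokens and "=" in tokens[0]:
            mech, verdict = tokens[0].split("=", 1)
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return warning strings for one raw RFC 5322 message; empty means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Executive display name on an address outside the organisation
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != org_domain:
        findings.append(f"display name '{from_name}' matches an executive but address is at {from_domain}")

    # Replies steered to a different mailbox than the visible sender
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Claims to be internal, but the receiving MTA could not verify it
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    if from_domain == org_domain and auth.get("dmarc") != "pass":
        findings.append("claims to be internal but DMARC did not pass")

    # Urgency and secrecy wording in subject or body
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("EAC", SAMPLE_EAC)):
        print(label, triage(raw))
```

Run stand-alone, the BEC sample produces three warnings (borrowed executive name on an external address, diverted Reply-To, urgency wording), while the EAC sample produces only the wording warning: the headers are real, so a payment-approval process that does not rely on e-mail alone is the control that actually stops it.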
