The different types of ‘ishing’ and what they mean

10 May 2023


As cyber security is a top priority for all businesses, the West Midlands Cyber Resilience Centre, a police-led organisation, discusses phishing and what it means for your organisation.  

Within the West Midlands, phishing is the number one threat to businesses when it comes to cybercrime. But did you know that most cyberattacks are successful due to human error, often someone innocently clicking a link in a phishing email?

The suffix ‘ishing’ is used to describe one category of attack methods. This blog will discuss the different types of ‘ishing’ and how to identify and protect yourself from these criminal activities.

Phishing   

Phishing, usually via email, is the most common and well-known cyber-attack. Criminals use social engineering to get confidential information like passwords, banking information, and credit card numbers.  

In a phishing attack, the hackers pose as an official organisation to gain the victim’s trust and obtain sensitive information. Once they have the target’s attention, they’ll write a compelling message to get them to perform some sort of action, like visiting a website or downloading a file. This could redirect users to a rogue website that steals personal information or installs malware on their computers. Family member impersonation has been prevalent this year, so ensure your team are aware of these kinds of attacks.  

To protect yourself from phishing attacks, it’s essential to be vigilant and cautious when opening emails, clicking links, or downloading attachments. Always verify the sender’s identity and look out for tell-tale signs of phishing, such as poor grammar, low-quality logos, spelling mistakes, or suspicious email addresses and URLs.  
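Some of these checks can be automated as a first filter. The Python below is an added example, not code from the West Midlands Cyber Resilience Centre; it flags a lookalike sender domain, a Reply-To that differs from the sender, and a link whose visible text names a different site than its real destination. The TRUSTED list, the 0.8 similarity threshold and every domain in the constructed sample message are assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-bank.test"}  # assumption: domains you genuinely deal with
# Constructed sample message; every name and domain in it is made up.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.test>
Reply-To: helpdesk@collect-mail.test
Content-Type: text/html; charset="utf-8"

<p>Go to <a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a> today.</p>
"""

class Links(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:  # only keep text that sits inside a link
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):  # hostname of a URL, with or without a scheme
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
def domain_of(header):  # domain part of an address header, "" if absent
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()

def phishing_signs(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender, reply, signs = domain_of(msg["From"]), domain_of(msg["Reply-To"]), []
    trusted = any(sender == d or sender.endswith("." + d) for d in TRUSTED)
    # A domain that is nearly, but not exactly, a trusted one is a lookalike.
    if not trusted and any(SequenceMatcher(None, sender, d).ratio() > 0.8 for d in TRUSTED):
        signs.append(f"lookalike-sender: {sender}")
    if reply and reply != sender:
        signs.append(f"reply-to-mismatch: {reply}")
    body, parser = msg.get_body(preferencelist=("html",)), Links()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.found:  # visible URL must match the real target
        if text.lower().startswith(("http", "www.")) and host(text) != host(href):
            signs.append(f"link-text-mismatch: {host(text)} -> {host(href)}")
    return signs
```

These are heuristics: an empty result does not prove a message is genuine, and a flagged message still needs a person to verify the sender.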

Spear phishing  

Spear phishing is an advanced form of phishing that targets specific people or businesses. When launching this attack, cybercriminals usually conduct comprehensive investigations on their intended victim, learning details like their profession, hobbies, and network of friends and associates. By doing so, they can craft a message uniquely tailored to the target.  

Spear phishing attempts are dangerous because they target high-value individuals like senior executives or government officials – those who could be seriously compromised if they inadvertently fall for a scam. 

Companies can protect themselves from spear phishing by providing their staff with training and education that stresses the need to remain vigilant and aware of potential security threats. Empowering your staff members to question whether a message is genuine is essential.

Whaling  

Whaling is a type of spear phishing that targets high-level executives or other high-profile individuals within an organisation. The term ‘whaling’ is derived from the notion that these individuals are the ‘big fish’ within a company and compromising them can have significant consequences for the whole organisation. Whaling attacks involve sophisticated social engineering tactics and may use email spoofing or other methods to appear as if they originate from a trusted source.  

Whaling attacks can be damaging due to the level of access and authority that high-level executives possess within an organisation. Successful whaling attacks can result in losing large sums of money, intellectual property, or sensitive company data. To defend against whaling attacks, executives must identify risks and implement robust security measures, such as two-factor authentication and employee training on recognising potential threats.  

Smishing  

Smishing, or SMS phishing, is like traditional phishing but is carried out via text messages. Cybercriminals will send messages to potential victims, often containing a sense of urgency or an enticing offer. These messages usually prompt the recipient to click a link, call a number, or reply with personal information.  

The best defence against smishing is to remain vigilant and cautious when receiving unsolicited messages. Never click on links or respond to text messages from unknown senders and always verify the source’s legitimacy before providing any personal information.  

Vishing  

Vishing, or voice phishing, is another variation of phishing involving phone calls instead of emails or text messages. In a vishing attack, the cybercriminal will impersonate a legitimate organisation and attempt to deceive the victim into revealing sensitive information over the phone.  

To protect yourself from vishing attacks, be wary of unsolicited phone calls and avoid providing personal information unless you can verify the caller’s identity. Remember to question any requests for information that seem out of the ordinary. 

Pharming  

Pharming is a more technical form of ‘ishing’ that manipulates the Domain Name System (DNS) to redirect users to a malicious website. In a pharming attack, cybercriminals will exploit vulnerabilities in the DNS infrastructure to hijack the resolution process, causing users who attempt to visit a legitimate website to be unwittingly redirected to a fake site designed to steal their information or install malware.

Pharming attacks can occur without any direct interaction from the victim. To protect yourself, ensure that your devices and software are up to date with the latest security patches and consider using secure browsing tools, such as HTTPS and DNSSEC, to help mitigate the risk of DNS tampering.  

Protecting yourself  

Understanding the differences between these attacks and implementing appropriate security measures will reduce the risk of falling victim. 

Stay vigilant, educate yourself and others, and always verify the legitimacy of any communication before acting. Cybersecurity is an ongoing battle, and staying educated is your best line of defence. 

The West Midlands Cyber Resilience Centre provides free guidance and tools and offers affordable cyber solutions, including security awareness training and vulnerability assessments. Sign up for your free toolkit here. 

Contact the Cyber Resilience Centre to learn more about the support on offer and receive a 10% discount on any cyber service.  

Report emails by forwarding them to report@phishing.gov.uk and texts to 7726. 

Colmore BID are passionate about keeping businesses safe. Since its inception in 2020, the BID has been a supporting partner of the West Midlands Cyber Resilience Centre and in 2021, Paul Street, the Strategic Project Officer for our Safe & Sound workstream, became one of the Centre’s first Advisory Group members.