Top types of phishing attacks to watch out for

Phishing attacks are more dangerous than ever, costing individuals and companies an average of $4.88 million per breach according to IBM. In addition to financial loss, phishing attacks pose a very real threat to reputation, perceived trust, emotional stability, and privacy of those impacted.

By understanding the different types of phishing attacks and how they function, individuals and organizations can better equip themselves with the tools and information they need for protection. Follow this resource for an overview of all the phishing attacks you may encounter in your personal life and workplace, with practical tips for identifying and blocking the attacks.

Phishing is a type of cyberattack where malicious actors attempt to gain access to sensitive information like credit card numbers, identity information, and login credentials or trick targets into downloading malware. According to the Phishing Trends Report by Hoxhunt, 80% of phishing campaigns aim to steal sensitive credentials.

Attackers leverage a variety of channels to reach their target audiences, and while email is most popular, about 40% of phishing campaigns now extend beyond this channel (Phishing Trends Report). The most sophisticated attacks employ multiple channels and techniques to gain sensitive information. 

This relatively new phishing attack format showcases the sheer power of AI to generate convincing content that effectively trick recipients. Deepfake videos are a type of phishing attack where attackers use AI-generated audio or video clips of trusted individuals, deceiving recipients into revealing sensitive information or transferring funds. 

Real impact: According to Forbes, “instances of deepfake phishing and fraud have surged by an astounding 3,000%.” This rise in deepfake phishing attacks are impacting real people and companies.

A cautionary tale: In Hong Kong, a finance employee was tricked into paying out $25 million dollars to attackers posing as his company’s chief financial officer after attending an AI-generated video call (CNN). The attacker leveraged deepfake video technology to impersonate multiple other trusted members of the staff, tricking the target employee to believe it was a legitimate call. This isn’t a one-off instance of finance employees being targeted either. A recent Medus report found that finance teams are disproportionately targeted by deepfake phishing attacks: 53% of finance professionals have been targeted by deepfake phishing attacks and 43% admitted to falling victim to the attack. 

Protect yourself with this tip: Be on the look out for any unnatural or “perfect” video content you consume. Extra smooth skin, lack of texture, reflections that seem misplaced, and audio that seems too crisp are all indicators you might be interacting with an AI generated deep fake video. 

Email-based phishing attempts are sent over email and often urge targets to open an attachment or click a malicious link. 

Email-based phishing, while common, can be incredibly dangerous. Phishing emails that mimic government agencies and representatives have grown by 35% since 2024 (Phishing Trends Report) and leverage the trust and authority these agencies have over the general public, tricking them into taking unsafe actions. 

Protect yourself with this tip: If you receive an email that looks suspicious, first check the sender's email address. If their email address features a misspelled domain or is clearly not associated with the person or agency it claims to be, ignore it. Typos or grammatical errors in the email contents could also indicate a phishing attack. Lastly, hover over any links before clicking to confirm the destination.

During smishing or SMS-based phishing attacks, malicious actors target individuals over text or other messaging apps like Whatsapp or Slack. These types of phishing attacks are also incredibly common, typically directing recipients to take an action like clicking on a link or wiring money. 

Protect yourself with this tip: If a message indicates a sense of urgency, try to contact the sender through verified channels before following any directions. 

Quishing, or QR code phishing, are attacks where malicious actors use seemingly legitimate QR codes to trick individuals into visiting phishing websites or downloading malware. This type of phishing attack can fool even the most secure experts due to the prevalence of QR codes in our modern world. QR codes appear on posters, billboards, emails, even restaurant menus! 

Protect yourself with this tip: Never scan a QR code from an untrusted source. If you are scanning a QR code from a menu or other physical item, ensure that it is the original and that you’re not scanning a sticker placed over-top the actual QR code. 

Vishing, or voice phishing attacks, utilize phone calls or voice memos to gain access to sensitive information like credentials, credit card numbers, and social security numbers. Once attained, this information is often used to impersonate individuals or steal from their bank accounts. These attacks can also be difficult to identify when malicious actors pose as government agencies or financial institutions.

Protect yourself with this tip: Pay attention to any emotions that arise when speaking with someone over the phone. Did this person appeal to your innate desire to help? Did they offer you something in return, for example, a share of funds? These social engineering strategies typically indicate a phishing scam.

Social media content, including targeted ads, direct messages (DMs), accounts, and organic posts can also be used as phishing attacks. Attackers may create fabricated social media account profiles with images of real people or products to trick victims into revealing sensitive information, paying for fake offerings, or downloading malware. 

Protect yourself with this tip: Check the user account handle of a profile before clicking on a provided link or sending information. Is the account verified and using expected spelling? If the handle is suspicious, do not interact with the account.

There are multiple browser-based phishing attack strategies that are deployed by malicious actors. 

A browser-in-the-browser (BitB) attack leverages a fake browser window to convince users they are interacting with a legitimate site. This stimulated browser window is hosted within the actual browser using HTML and CSS to replicate the site. This technique typically replicates a single sign-on window to trick users into providing their login credentials. 

Protect yourself with this tip: If the window does not resize, it may indicate a fake window and be cause for concern.

An archive-in-the-browser (AitB) exploits a .zip domain and convinces users they are opening a trusted file directly in their browser. Once opened, users may be prompted to interact with the fake archive, triggering malware downloads or fake login page attacks.

Protect yourself with this tip: Be suspicious of .zip website domains and do not click links from unknown senders. 

A “spray-and-pray” type of phishing attack targets a wide range of recipients with the assumption that a small percentage of victims will fall for the scheme. This kind of attack often features generic content and is not tailored or personalized for certain groups of people. While spray-and-pray phishing is not as effective as spear phishing cyberattacks due to their generic nature, they can still pose serious risks to those affected. 

Protect yourself with this tip: Avoid any message with grammar mistakes, typos, or suspicious links.

Spear phishing cyberattacks are highly targeted and personalized for a specific individual or small group of people. These attacks often target the recipient over multiple channels, leveraging information gathered about the person online. This information can be collected from a variety of sources including social media accounts, company websites, and data brokerage sites. Attackers may also impersonate trusted sources to make the message more believable. 

Because spear phishing is highly personalized, the recipients are much more likely to fall for the scam and share confidential information — like credentials — or download malicious software. 

Protect yourself with this tip: Limit what you share about yourself and your family online! Make social media accounts private when possible and consider offerings that delete any sensitive information and data you may have online. 

Phishing attacks come in many forms — including email, SMS, phone calls, social media, video calls, and more. By recognizing these attacks and taking precautions to protect yourself, everyone can stay safer online. 

Unfortunately, even the most seasoned security experts can be fooled by phishing attacks. With Bitwarden, benefit from enhanced phishing protection with the following capabilities:

• Passkey support for phishing-resistant authentication

• Autofill credentials on only trusted sites associated with logins

• Directly launch associated website from saved login items 

Plus, improve your overall security posture by generating unique passwords for every account and storing them in end-to-end encrypted Bitwarden Password Manager. Create your free account today or get started with a free business trial.