10 most common phishing attacks

May 27, 2018 by

Phishing is one of the most common ways for scammers to steal information. Through social engineering or deception, fraudsters attempt to trick people into handing over personal or confidential information to then use it for malicious purposes. With some basic information like your full name and address, a scammer could make you vulnerable to identity theft and with a username and answers to privacy questions, they might even be able to get into your online banking accounts.

Corporations are especially at risk, and despite the commonality of phishing attacks, many people remain unaware of how to spot him. According to a Verizon cybersecurity report, there was 9,576 email phishing incidents reported in 2015, and 916 resulted in a data breach. This means that almost 1 in 10 phishing attempts are successful. For people in the tech field, this might seem like a crazy number, but the target is usually someone outside of the bubble, unfamiliar with what a phishing attempt looks like.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

The fact is that there are many different types of phishing attacks. Some are generic emails that are easy to spot but more others can be especially tailored to the victim and might be difficult to warn users about.

These are the 10 most common types of phishing attacks.

Deceptive phishing

Deceptive phishing is by far the most common type of phishing attack in which scammers attempt to replicate a legitimate company's email correspondence and prompt victims into handing over information or credentials. Often, they are creating a sense of urgency to make people act quickly and without checking. Two-factor verification can be used to protect yourself. You should also always look for tell-tale signs such as grammar and spelling mistakes throughout the email or broad addressing terms.

Spear phishing

Spear phishing attacks are specifically tailored to one victim. Using knowledge gained from your social media profiles and other public information, a scammer can craft a legitimate-looking email to trap the victim into responding. Many times, these emails appear to come from a trusted source, like a business or a friend and ask for revealing information. Victims that respond to such emails can suffer from identity theft, malware, credit card fraud, and even blackmail.

Whaling / CEO fraud

Whaling is an attempt to go after the "big fish." First attackers will target high-level employees and executives to gain access to their email accounts or spoof them. If they're able to do that, it puts the entire business at risk.

When the CEO or the head of a department asks for some files, most people wouldn't question it, even if it's an odd request. That's what makes these types of attacks so dangerous. Not only that but with some less protected corporations, someone with access to a high-level account can also gain access to employees' information, hold the network hostage, and cause financial loss.


Vishing is a type of attack done through Voice over IP (VoIP). Because a VoIP server can be used to appear as virtually anything, and the caller ID can be changed, vishing attempts can be very successful. It might appear that someone close to the corporation is calling or like an important outside entity like a bank or the IRS.


Similar to Vishing, SMiSHing is done over the phone but in the form of text messages. These can be extremely wide-reaching as the scammer can send out bulk amounts of the same text to many different numbers. Sometimes, the scammer attempts to trick people into believing that they've won a contest, but the less obvious ones pose as banks and credit card companies. They will then attempt to get the person's information either by a link in the text or a prompt to call a number.

W2 phishing

W2 phishing can be a form of whaling. An attacker will use an executive's email or make one that appears similar and attempt to collect W2s and W9s of the employees to gain private information such as social security numbers and addresses. Tax season is usually the peak time to see these attacks since everyone is getting their information and files ready. Sometimes instead of coming from an executive, these attacks appear to come from the IRS which might seem obvious but when done effectively, can go under the radar.


Many people can spot a phishing email from a while away, so some scammers have turned to more sophisticated ways to defraud their victims. This has led to pharming, a type of attack that uses Domain Name System (DNS) cache poisoning. By using cache poisoning, an attacker changes the IP address associated with a website name and redirects it to a malicious website. The best way to protect against pharming is only to use HTTPS protected and secured sites when entering personal information.

Ransomware phishing

Many phishing emails contain a link to download malware, sometimes in the form of ransomware. Instead of looking for information, ransomware phishing attacks hold the infected computer hostage until the victims pay up. Unfortunately, many people that fall prey to this kind of attack also pay the ransom to get their files released, thereby contributing to the chance that this attack will happen again.

Dropbox phishing

Dropbox, a file-sharing platform is particularly interesting to scammers looking for personal information. A Dropbox phishing attack uses an email that appears to be from the website and prompts the victim to log in. Then, this information is logged by the attacker and used to log in to the victim's Dropbox. This often gives them the ability to access private files and photos as well as to take the account hostage. This type of attack is best prevented against by enabling two-factor verification.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Google Docs phishing

In the same as Dropbox phishing, Google Docs phishers spoof a legitimate-looking log in prompt to trick their victims into handing over their passwords. Through Google Docs, the attackers can then get into files, videos, documents, spreadsheet and whatever else is stored there. Again, two-factor verification may be used to protect yourself against this threat.

Educating employees is key to combatting these types of phishing attacks. To learn more about creating an effective security awareness program, read our best security awareness training article.


Varvara is a reporter and physics student from the New York City area. She is a contributor to various sites including InfoSec Resources and studies particle physics.