Types of Phishing Attacks: From Email to SMS and Beyond - Part 1
In October 2024, a sophisticated phishing campaign simultaneously targeted employees across 150 companies using seven different attack vectors—email, SMS, voice calls, social media, QR codes, search engines, and even physical USB drops. This coordinated assault demonstrated a fundamental truth about modern phishing: attackers no longer rely on a single method but deploy diverse tactics across multiple channels to maximize their success rate. The days of phishing being synonymous with just email fraud are long gone. Today's cybercriminals employ an arsenal of techniques, each designed to exploit specific vulnerabilities in how we communicate and interact with technology. From the mass-distributed spray-and-pray email campaigns that cast wide nets to laser-focused spear phishing attacks targeting CEOs, from SMS messages that bypass email security to voice calls using deepfake technology, the phishing landscape has evolved into a complex ecosystem of deception. Understanding these different attack types isn't just academic knowledge—it's essential survival information for navigating our interconnected digital world where a single successful attack can devastate individuals and organizations alike.

### Email Phishing: The Original and Still Most Prevalent Attack Vector

Email phishing remains the dominant form of cyberattack, accounting for over 90% of all security breaches according to 2024 data. The enduring popularity of email phishing stems from its simplicity, low cost, and effectiveness. Attackers can send millions of emails for virtually no expense, and even a minuscule success rate yields significant returns. The basic email phishing attack involves sending fraudulent messages that appear to come from trusted sources, directing victims to fake websites or malicious attachments.

The evolution of email phishing has been remarkable. Early attempts in the 1990s were crude, with obvious spelling errors and implausible scenarios.
Today's email phishing campaigns use artificial intelligence to craft personalized messages, employ sophisticated HTML templates that perfectly mimic legitimate communications, and leverage psychological insights from behavioral science. Modern email phishing campaigns often involve multiple stages, beginning with seemingly innocent messages that establish trust before escalating to malicious requests.

Deceptive phishing represents the most common form, where attackers impersonate legitimate organizations to steal credentials or personal information. These campaigns typically claim account problems, security alerts, or prize winnings. They direct victims to convincing fake websites that capture login credentials, credit card numbers, or other sensitive data. In 2024, the average deceptive phishing campaign targets over 50,000 individuals simultaneously, with success rates between 3-5%, meaning thousands of victims from a single campaign.

Clone phishing takes sophistication to another level by creating nearly identical copies of legitimate emails users have previously received. Attackers obtain genuine emails through various means—compromised accounts, insider threats, or intercepted communications—then create malicious versions with altered links or attachments. Because victims recognize the email format and may have interacted with similar messages before, they're more likely to trust and engage with the cloned version. This technique has proven particularly effective against corporate targets, where routine communications like invoice approvals or document shares are common.

Email phishing infrastructure has become increasingly complex and professional. Cybercriminal groups operate phishing-as-a-service platforms, offering complete packages including email templates, fake websites, victim credential panels, and even customer support. These services lower the barrier to entry, allowing individuals with minimal technical skills to launch sophisticated campaigns.
The underground economy surrounding email phishing includes specialized roles: template designers, infrastructure providers, money mules, and cryptocurrency laundering specialists, creating a mature criminal ecosystem.

### SMS Phishing (Smishing): Exploiting Mobile Trust and Urgency

SMS phishing, commonly known as smishing, has exploded in popularity as mobile devices have become primary communication tools. In 2024, smishing attacks increased by 328% compared to the previous year, making it the fastest-growing phishing vector. The effectiveness of smishing stems from several factors: people trust text messages more than emails, mobile screens make it harder to scrutinize message details, and the immediate nature of SMS creates natural urgency.

The psychology behind smishing differs from email phishing. Text messages feel more personal and urgent than emails. When your phone buzzes with a message claiming your bank account has been compromised or a package delivery requires immediate attention, the instinct is to respond quickly. Mobile devices lack the robust security features of desktop computers, and the small screen size makes it difficult to examine URLs or sender information carefully. These factors combine to make smishing remarkably effective, with click rates often exceeding 20%, compared to 3-5% for email phishing.

Package delivery scams represent the most common smishing attack in 2024. With the rise of e-commerce, most people regularly expect deliveries, making fake delivery notifications highly effective. Messages claim packages are held for customs fees, require address confirmation, or need scheduling for redelivery. These scams intensify during holiday shopping seasons, with some campaigns sending millions of messages daily. The Federal Trade Commission reported that delivery smishing scams cost Americans over $500 million in 2023 alone.

Banking and financial smishing attacks create panic by claiming immediate threats to victims' money.
Messages warn of suspicious transactions, frozen accounts, or expired cards, directing victims to call fake customer service numbers or visit phishing websites. These attacks often use caller ID spoofing to appear as legitimate bank numbers. Two-factor authentication codes are particularly vulnerable to smishing, with attackers sending fake security alerts to steal these codes in real-time, defeating this important security measure.

Government impersonation smishing leverages authority and fear. Messages claim to be from the IRS about tax refunds or penalties, Social Security Administration about benefit problems, or law enforcement about legal issues. These attacks spike during relevant periods—tax season sees IRS scams, while election periods bring voter registration scams. International students and immigrants are particularly targeted with messages about visa problems or deportation threats, exploiting their vulnerable position and unfamiliarity with government communication methods.

### Voice Phishing (Vishing): The Human Touch of Deception

Voice phishing, or vishing, adds a human element that makes it particularly persuasive and dangerous. Speaking with someone creates trust that text-based communication cannot match. Attackers use social engineering techniques refined over decades of telephone fraud, now enhanced with modern technology. In 2024, AI-powered voice synthesis allows criminals to impersonate specific individuals with frightening accuracy, making vishing more dangerous than ever.

Technical support scams remain the most prevalent form of vishing. Callers claim to represent Microsoft, Apple, or internet service providers, warning of virus infections, hacked accounts, or expiring services. They guide victims through steps that provide remote computer access or reveal sensitive information. These scammers often keep victims on the phone for hours, building rapport and trust while systematically compromising their security.
Elderly individuals are particularly vulnerable, with average losses exceeding $9,000 per victim.

The emergence of deepfake audio technology has revolutionized vishing attacks. Criminals can now perfectly mimic voices using just minutes of recorded audio, often scraped from social media videos or voicemail messages. In 2024, a UK energy company lost $243,000 when criminals used deepfake audio to impersonate the CEO, instructing the finance department to transfer funds. Family emergency scams use this technology to impersonate relatives claiming to need immediate financial help, exploiting emotional bonds for financial gain.

Hybrid vishing attacks combine multiple communication channels for enhanced credibility. Attackers might send an email or SMS first, then follow up with a phone call referencing the earlier message. This multi-channel approach builds legitimacy and catches victims off guard. Some sophisticated operations use call centers with multiple operators playing different roles—supervisor, technical specialist, security officer—creating elaborate scenarios that seem authentic.

Reverse vishing represents an emerging threat where victims call attackers. Criminals post fake customer service numbers online, compromise legitimate websites to display wrong numbers, or use search engine optimization to rank malicious numbers above real ones. When victims search for customer service numbers and call these fake numbers, they unknowingly contact scammers who are prepared with convincing scripts and fake verification processes.

### Social Media Phishing: Exploiting Digital Relationships and Trust

Social media platforms have become prime hunting grounds for phishers, offering rich information about potential victims and established trust relationships to exploit. With over 5 billion social media users worldwide in 2024, these platforms provide unprecedented opportunities for targeted attacks.
Social media phishing isn't just about fake messages—it encompasses fake profiles, malicious apps, compromised accounts, and sophisticated social engineering that leverages the personal information people freely share online.

Romance scams on social media have reached epidemic proportions, with losses exceeding $1.3 billion globally in 2023. Scammers create fake profiles using stolen photos and elaborate backstories, spending weeks or months building emotional connections with victims. They exploit loneliness and desire for connection, eventually requesting money for emergencies, travel to meet in person, or investment opportunities. The emotional manipulation involved makes victims reluctant to report these crimes, and many continue sending money even after friends and family warn them about the scam.

Fake investment opportunities proliferate across social media, particularly cryptocurrency scams. Scammers impersonate successful traders, create fake investment groups, or hack verified accounts to promote fraudulent schemes. They post fabricated success stories, manipulated trading screenshots, and testimonials from fake accounts. The "pig butchering" scam, where criminals "fatten up" victims with small successful trades before stealing everything, has become particularly prevalent. Social media's ability to create echo chambers where false information seems credible makes these scams especially effective.

Account takeover attacks through social media phishing have serious cascading effects. When attackers compromise one account, they immediately target the victim's connections, leveraging established trust. Messages from compromised accounts have significantly higher success rates because they come from known contacts. These attacks often spread virally through social networks, with each compromised account becoming a launch pad for further attacks.
The interconnected nature of social media means a single successful phishing attack can compromise entire social circles.

Malicious applications and quizzes represent a unique social media phishing vector. "Which Disney Princess Are You?" or "See Who Viewed Your Profile" applications request extensive permissions, harvesting personal data and contact lists. These apps often require users to grant access to post on their behalf, spreading to more victims automatically. While platforms have improved app vetting, malicious applications still slip through, particularly on less-regulated platforms or through side-loading on mobile devices.

### QR Code Phishing (Quishing): The Rising Threat in Physical and Digital Spaces

QR code phishing, dubbed "quishing," has emerged as a significant threat as QR codes became ubiquitous during the COVID-19 pandemic. The shift to contactless interactions normalized QR code scanning for everything from restaurant menus to payment processing, creating perfect conditions for exploitation. Quishing attacks increased by 587% in 2024, making it one of the fastest-growing attack vectors. The danger lies in the opacity of QR codes—humans cannot read them directly, making it impossible to verify their destination without scanning.

Physical QR code attacks involve placing malicious codes in public spaces. Attackers print stickers with malicious QR codes and place them over legitimate codes on parking meters, restaurant tables, public WiFi login points, or event posters. Victims scanning these codes might be directed to phishing sites, prompted to download malware, or connected to rogue WiFi networks. City parking meters have been particularly targeted, with fake QR codes stealing payment information from thousands of unsuspecting drivers.

Email-based quishing bypasses traditional security filters that scan for malicious links and attachments. Since QR codes are images, they don't trigger URL scanning in most email security systems.
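
Because the destination sits in image pixels rather than in a link, a mail gateway has to notice when a message carries images but nothing a URL scanner can check. The following is an added example, not part of the original article: a triage heuristic over parsed MIME messages. The sample messages, the verdict names and the `decode_qr` hook are constructed assumptions.

```python
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
SCAN_PROMPT_RE = re.compile(r"\b(scan|qr\s*code|camera)\b", re.I)

def text_urls(msg):
    """URLs a link scanner can see: those in the text/plain and text/html parts."""
    return [u for p in msg.walk() if p.get_content_maintype() == "text"
            for u in URL_RE.findall(p.get_content())]

def image_parts(msg):
    """Inline or attached images, which a URL-only scanner never opens."""
    return [p for p in msg.walk() if p.get_content_maintype() == "image"]

def triage(msg, decode_qr=None):
    """Return (verdict, urls_to_scan).

    decode_qr is a hypothetical hook (image bytes -> URL or None) standing in
    for whatever QR decoder the gateway has; it is not a real library call.
    """
    urls, images = text_urls(msg), image_parts(msg)
    if decode_qr is not None:
        decoded = [u for u in (decode_qr(p.get_content()) for p in images) if u]
        if decoded:  # QR destinations join the normal URL-reputation queue
            return "scan-decoded-urls", urls + decoded
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_maintype() == "text")
    # No decoder available: an image plus a "scan this" prompt and zero visible
    # links is the shape described above, so hold the message for image analysis.
    if images and not urls and SCAN_PROMPT_RE.search(body):
        return "hold-for-image-analysis", urls
    return "normal-url-scan", urls

def build(subject, text, image=None):
    """Construct a sample message; image is raw bytes attached as image/png."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(text)
    if image is not None:
        m.add_attachment(image, maintype="image", subtype="png", filename="code.png")
    return m

# Constructed samples (not real traffic); the PNG bytes are a placeholder.
QR_BYTES = b"\x89PNG-constructed-placeholder"
QUISH = build("Password expiry", "Scan the QR code below with your phone to keep access.", QR_BYTES)
INVOICE = build("Invoice 42", "Your invoice: https://billing.example.com/inv/42")
NEWSLETTER = build("News", "Read more at https://news.example.org/june", QR_BYTES)

if __name__ == "__main__":
    for m in (QUISH, INVOICE, NEWSLETTER):
        print(m["Subject"], "->", triage(m))
```
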
Attackers embed QR codes in seemingly legitimate emails about package deliveries, account verifications, or special offers. When users scan these codes with their phones, they bypass corporate security measures, accessing phishing sites from personal devices that may lack adequate protection.

The convergence of physical and digital in quishing attacks makes them particularly dangerous. A QR code on a flyer might lead to a sophisticated phishing site that adapts based on the victim's device and location. Attackers can track scan locations and times, building profiles of victims before launching targeted attacks. Some quishing campaigns use dynamic QR codes that change destinations based on various factors, making investigation and takedown efforts more difficult.

Cryptocurrency and payment app quishing has become especially prevalent. Attackers create QR codes that initiate cryptocurrency transfers or payment app transactions when scanned. Victims might think they're paying for parking or making a donation, but they're actually sending money directly to criminals. The irreversible nature of many digital payments makes recovery impossible. Some sophisticated attacks use QR codes that install cryptojacking malware, using victims' devices to mine cryptocurrency without their knowledge.

### Search Engine Phishing: Manipulating Trust in Search Results

Search engine phishing represents a sophisticated attack vector that exploits users' trust in search results. Attackers use search engine optimization (SEO) techniques and paid advertisements to rank malicious sites above legitimate ones. When users search for customer service numbers, banking websites, or software downloads, they may encounter phishing sites as top results. This attack method is particularly insidious because users actively seek out these sites, believing they're taking proactive security measures.

SEO poisoning involves manipulating search rankings to promote malicious sites.
Attackers create networks of fake websites with content optimized for specific keywords, particularly those related to financial services, technical support, or popular software. They exploit trending topics, creating phishing sites related to current events, celebrity news, or viral content. During tax season, searches for "IRS refund status" or "tax filing help" often return phishing sites among top results. The dynamic nature of search algorithms makes it difficult for search engines to completely eliminate these threats.

Paid search advertisement phishing has become increasingly sophisticated. Criminals purchase ads that appear above organic search results, impersonating legitimate businesses. These ads often use display URLs that look legitimate but redirect to phishing sites. In 2024, researchers found over 10,000 malicious ads per day across major search engines, targeting everything from cryptocurrency exchanges to streaming services. The cost of these campaigns is offset by the high success rate—users who click on ads are often ready to make purchases or enter sensitive information.

Typosquatting combined with search engine manipulation creates multiple opportunities for phishing. Attackers register domains with common misspellings of popular sites, then optimize these sites to appear in search results for the correctly spelled terms. Users who make typing errors or select autocomplete suggestions might land on these phishing sites. Mobile users are particularly vulnerable due to smaller keyboards and autocorrect features that might introduce errors.

Local search phishing targets users seeking nearby businesses or services. Attackers create fake business listings on search engines and map services, complete with fake reviews and photos. When users search for local banks, government offices, or service providers, they might encounter these fake listings with phishing phone numbers or websites.
This attack vector has proven particularly effective for technical support scams, with fake listings for printer support, router assistance, or software help.

### Business Email Compromise (BEC): The Billion-Dollar Targeted Attack

Business Email Compromise represents the most financially damaging form of phishing, with losses exceeding $2.4 billion globally in 2023. Unlike mass phishing campaigns, BEC attacks are highly targeted operations that may unfold over weeks or months. Attackers thoroughly research their targets, understanding organizational hierarchies, business relationships, and communication patterns. They then impersonate executives, vendors, or partners to initiate fraudulent wire transfers, redirect payments, or steal sensitive