Types of Phishing Attacks: From Email to SMS and Beyond - Part 2
information.

CEO fraud, the most common BEC variant, involves impersonating a company executive to request an urgent wire transfer. Attackers study the executive's travel schedule, writing style and business relationships, then strike when the executive is traveling or otherwise unreachable, sending an urgent request to the finance department. The emails often reference real deals or acquisitions, demonstrating detailed knowledge of company operations. The average CEO fraud attempt requests about $130,000, and some successful attacks have stolen millions in a single transaction.

Vendor email compromise targets the supply-chain relationships between organizations. Attackers compromise or impersonate a vendor's email account and send fake invoices or bank-detail change requests to that vendor's customers. They time these attacks carefully, often just before a regular payment cycle or during busy periods when scrutiny is reduced. A single compromised vendor mailbox can be used to target dozens of customers, multiplying the attack's impact, and the established trust between vendor and customer makes the requests unusually convincing. The practical control is procedural: any change to payment details is confirmed by calling a number already on file for the vendor, never a number or address taken from the requesting email.

Data theft BEC attacks aim at sensitive information rather than immediate financial gain. Attackers impersonate HR to request employees' W-2 forms for tax fraud, an executive to request customer lists for competitive intelligence, or IT to request login credentials. The stolen data enables follow-on attacks, identity theft or sale on criminal markets, and its value often exceeds the direct financial loss, particularly when intellectual property or trade secrets are involved.

Attorney impersonation BEC borrows legitimacy from supposed legal authority. Attackers pose as lawyers handling a confidential or time-sensitive matter and pressure the victim to transfer funds or share information.
They use legal jargon, reference real or fabricated legal issues, and stress confidentiality so the victim will not verify the request with anyone else. These attacks often target senior executives who deal with legal matters routinely and are used to following attorney instructions without question. The confidentiality demand is itself the tell: legitimate counsel will not object to the request being confirmed through a phone number the victim already knows.

### Angler Phishing: Hijacking Customer Service on Social Media

Angler phishing is a social media attack in which criminals impersonate customer service representatives to steal information from frustrated customers. Named after the anglerfish, which lures prey with a glowing appendage, these attackers monitor social media for users complaining about companies, then step in with fake offers of help. The vector has grown with the rise of social media customer service, as companies increasingly handle support through platforms like Twitter and Facebook.

A typical angler phishing attack begins with monitoring. Attackers use automated tools to scan for keywords that indicate customer frustration ("worst service", "need help", "account problem") or for direct complaints addressed to a company's handle. Within minutes of a complaint being posted, a fake support account replies, often before the legitimate company does. These accounts use names and profile pictures nearly identical to the official ones, differing only by an underscore, a swapped character or an extra letter that a frustrated user rarely notices.

Angler phishing operations have become markedly more sophisticated. Criminal groups maintain dozens of fake accounts across multiple platforms, some carrying verification badges obtained by various means. They build convincing profile histories, follower counts and interactions to appear legitimate, and some track victims across interactions in a CRM-style system so the persona stays consistent and "remembers" previous conversations.
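The impersonation checks implied by the BEC paragraphs and by the angler phishing description above, as an added example that is not code from the original article: names, handles and domains are normalized to defeat the underscore, homoglyph and extra-letter tricks, and the same lookalike test is then applied to email headers (an executive's display name on an outside address, a lookalike sender or Reply-To domain, a steered Reply-To, urgency language) and to social media support handles. The corporate domain, executive list, official handles and sample message are constructed assumptions.

```python
"""Lookalike-identity checks for BEC mail and angler-phishing support handles.

Added example, not code from the original article. The corporate domain,
executive list, official handles and sample message below are constructed.
"""
import re
from email.utils import parseaddr
from typing import List, Optional

CORPORATE_DOMAIN = "example-corp.com"                    # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed
OFFICIAL_HANDLES = ("@examplecorphelp", "@examplecorp")   # assumed
URGENCY = re.compile(r"\b(urgent|wire|immediately|confidential|asap)\b", re.I)

# Characters attackers substitute for visually similar ones; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize(name: str) -> str:
    """Lowercase, fold homoglyphs and drop the separators users overlook (_ . - @)."""
    s = name.lower().translate(HOMOGLYPHS)
    s = s.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[._\-@]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; O(len(a)*len(b)), fine for handles and domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, official: str, max_dist: int = 2) -> bool:
    """True when candidate imitates official without being it: identical after
    normalization, or within max_dist edits of it."""
    if candidate.lower() == official.lower():
        return False
    c, o = normalize(candidate), normalize(official)
    return bool(c) and (c == o or levenshtein(c, o) <= max_dist)


def check_email(headers: dict, body: str) -> List[str]:
    """BEC indicators for one message. `headers` is a dict with lowercase header
    names (constructed here; a real caller would read them from email.message)."""
    findings = []
    display, sender = parseaddr(headers.get("from", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    _, reply = parseaddr(headers.get("reply-to", ""))
    reply_domain = reply.rpartition("@")[2].lower()

    # 1. A known executive's display name on an address outside the corporate domain.
    if display.lower() in EXECUTIVES and sender_domain != CORPORATE_DOMAIN:
        findings.append(f"display-name spoof: '{display}' via {sender}")
    # 2. Sender or Reply-To domain that imitates the corporate domain.
    for label, domain in (("sender", sender_domain), ("reply-to", reply_domain)):
        if domain and is_lookalike(domain, CORPORATE_DOMAIN):
            findings.append(f"lookalike {label} domain: {domain}")
    # 3. Replies steered to a mailbox the visible sender does not control.
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"reply-to mismatch: {reply}")
    # 4. Pressure language typical of CEO fraud and attorney impersonation.
    if URGENCY.search(headers.get("subject", "") + " " + body):
        findings.append("urgency/secrecy language")
    return findings


def check_handle(handle: str) -> Optional[str]:
    """Return the official support handle a social media account imitates, or None."""
    for official in OFFICIAL_HANDLES:
        if is_lookalike(handle, official):
            return official
    return None


# Constructed sample: the "CEO" writing from webmail, with replies steered to a lookalike domain.
SAMPLE_HEADERS = {
    "from": "Jane Doe <jane.doe.ceo@gmail.com>",
    "reply-to": "jane.doe@examp1e-corp.com",
    "subject": "Urgent wire transfer - confidential",
}
SAMPLE_BODY = "I am travelling and unreachable by phone. Please process the wire today."

if __name__ == "__main__":
    for finding in check_email(SAMPLE_HEADERS, SAMPLE_BODY):
        print("BEC indicator:", finding)
    for h in ("@examplecorp_help", "@examp1ecorphelp", "@examplecorphelp", "@randomuser"):
        print(h, "->", check_handle(h))
```

The edit-distance threshold is deliberately low; raise it only for long handles, or short legitimate names will start matching each other. In a mail pipeline these indicators belong alongside the SPF, DKIM and DMARC results rather than replacing them, since a spoofed display name on an authenticating webmail account passes all three.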
This professionalism makes distinguishing fake support from real support genuinely difficult.

Financial services are a favored target because banking problems are sensitive and users experiencing them feel urgency. Fake support accounts direct victims to phishing sites posing as secure portals, capture login credentials through a fake "verification" step, or gather enough personal information to take over the account through another channel. Cryptocurrency exchanges suffer particularly badly, since the irreversibility of on-chain transactions makes recovery of stolen funds effectively impossible.

The damage extends beyond individual victims to the company's reputation. When a fake support account scams a customer, the victim often blames the legitimate company for weak security or negligent customer service. Companies spend heavily on brand-protection services to find and remove fake accounts, but the ease of creating new social media accounts makes this a constant battle, and some organizations have withdrawn from social media customer service altogether because of the risk.

### Pharming: The Invisible Redirect Attack

Pharming is one of the more technical and insidious forms of phishing: it redirects users to fraudulent websites without any action on their part. Where traditional phishing needs the victim to click a malicious link, pharming tampers with the infrastructure that translates domain names to IP addresses. A victim who types the legitimate URL or clicks a valid bookmark still lands on the phishing site, which makes the attack hard to notice. It demands more technical skill from the attacker, but in return gives persistent access to the victim's traffic.

Manipulated name resolution is the foundation of pharming. The classic technique is DNS cache poisoning, in which forged responses are injected into a recursive resolver's cache; a related one is DNS hijacking, in which the attacker changes the records on a compromised DNS server or the resolver settings on a router, so that a name like "bank.com" maps to an IP address the attacker controls.
When users then visit the legitimate site, they are transparently sent to the attacker's server. Because a resolver serves many clients, a single poisoned cache can affect thousands of users at once, and an ISP-level resolver far more. In 2024, a major pharming attack against Brazilian banks redirected millions of users over a five-hour period, resulting in thousands of compromised accounts.

Router-based pharming has become more common as home networks proliferate. Attackers exploit vulnerabilities in home routers (or simply log in with the default password) and change the DNS settings so that every device on the network, from laptops to smart TVs to IoT devices, uses a malicious resolver. Many users never change the default router password or update firmware, leaving millions of devices exposed. Router pharming is persistent: victims stay compromised until the router is reset, reflashed or replaced, and nothing on the endpoint itself looks wrong.

Malware-based pharming edits the hosts file on an infected computer, creating local overrides that bypass DNS altogether, since operating systems consult the hosts file before querying any resolver. Sophisticated pharming malware updates these entries regularly to survive takedowns and keep the redirects live, and some variants activate only for specific sites or during certain hours to evade analysis.

Pharming sites themselves have become remarkably convincing. Attackers build pixel-perfect replicas of legitimate sites and implement two-factor authentication flows that relay the password and the one-time code to the real site in real time. Some pharming sites are full proxies, passing most traffic through to the legitimate site and skimming only the sensitive fields, so nothing looks wrong in casual use. One important caveat: the browser padlock is tied to the domain in the address bar, and an attacker who has only poisoned a local resolver, a router or a hosts file cannot obtain a publicly trusted TLS certificate for the real domain. The browser will therefore show a certificate warning unless the user clicks through it, the malware has installed a rogue root certificate on the machine, or the attacker controls the domain's DNS broadly enough to pass a CA's domain-validation check (as in a registrar or authoritative-DNS hijack). A certificate warning on a banking site should never be dismissed, and sites on the HSTS preload list remove the option to dismiss it at all.
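The three local signals a defender can check for the pharming variants described above, as an added example that is not code from the original article: monitored names pinned in the hosts file to a non-loopback address, resolver entries that are not the ones the organization expects (the router/DHCP hijack case), and disagreement between what the system resolver answered and what a trusted resolver answers. The hosts-file text, the resolver configuration, the monitored names, the expected resolver set and the DNS answers are all constructed so the script runs offline; a real deployment reads the OS hosts file (/etc/hosts, or the drivers/etc/hosts file on Windows) and resolver settings and queries a trusted resolver itself.

```python
"""Pharming checks: hosts-file overrides, unexpected resolvers, resolver disagreement.

Added example, not code from the original article. The hosts-file text, the
resolver configuration and the DNS answers are constructed so the checks run
offline; a real deployment reads the OS hosts file and resolver settings and
queries a trusted resolver (for instance over DoH) for the answers.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

MONITORED = {"bank.example", "login.bank.example", "mail.example"}  # assumed
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}                     # assumed

HOSTS_SAMPLE = """\
# constructed hosts file
127.0.0.1   localhost
::1         localhost
203.0.113.7 bank.example login.bank.example   # entry planted by pharming malware
10.0.0.5    intranet.example
"""

RESOLV_SAMPLE = """\
# constructed resolv.conf as rewritten via DHCP by a compromised router
nameserver 198.51.100.9
nameserver 10.0.0.53
"""

# Constructed A-record answers: what the system resolver returned vs. a trusted resolver.
LOCAL_ANSWERS = {"bank.example": {"203.0.113.7"}, "mail.example": {"192.0.2.25"}}
TRUSTED_ANSWERS = {"bank.example": {"192.0.2.10", "192.0.2.11"}, "mail.example": {"192.0.2.25"}}


def hosts_overrides(hosts_text: str, monitored: Set[str] = MONITORED) -> Dict[str, str]:
    """Monitored names the hosts file pins to a non-loopback address, as {name: ip}.
    Such entries win over DNS on every common OS, so they are the hosts-file pharming signal."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                                  # malformed; the OS ignores it too
        if addr.is_loopback:
            continue                                  # 127.0.0.1 / ::1 entries are normal
        for name in names:
            if name.lower() in monitored:
                hits[name.lower()] = ip
    return hits


def unexpected_resolvers(resolv_text: str, expected: Set[str] = EXPECTED_RESOLVERS) -> List[str]:
    """nameserver entries outside the expected set: a router/DHCP DNS hijack signal."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in expected:
            found.append(parts[1])
    return found


def resolver_disagreement(
    local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]
) -> Dict[str, Tuple[List[str], List[str]]]:
    """Names whose local answers are not all among the trusted resolver's answers.
    Returns {name: (local_sorted, trusted_sorted)}. CDN rotation can trigger this too,
    so treat a hit as a lead to confirm, not as proof."""
    out = {}
    for name, answers in local.items():
        expected = trusted.get(name, set())
        if not set(answers) <= set(expected):
            out[name] = (sorted(answers), sorted(expected))
    return out


if __name__ == "__main__":
    print("hosts overrides:      ", hosts_overrides(HOSTS_SAMPLE))
    print("unexpected resolvers: ", unexpected_resolvers(RESOLV_SAMPLE))
    print("resolver disagreement:", resolver_disagreement(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

Run periodically from endpoint management, the first two checks are cheap and nearly free of false positives; the third needs a trusted resolver reached over an encrypted channel, otherwise the same poisoned path answers both queries. Note that the hosts-file check only reaches the endpoint it runs on; the router case is visible only in the resolver addresses and in the answer comparison.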
### Watering Hole Attacks: Compromising Trusted Resources

A watering hole attack is a strategic form of phishing in which attackers compromise websites their targets visit regularly and simply wait for the victims to arrive. Named after the predators that wait at watering holes for prey, the attack exploits users' trust in familiar sites. Rather than sending phishing emails that might raise suspicion, attackers poison a trusted resource and catch victims with their guard down. The method has become increasingly popular for targeted attacks against specific organizations or industries.

Industry-specific watering holes target professional communities. Attackers compromise trade publication websites, professional association portals or industry forums, knowing that employees of target companies visit them regularly. A 2024 attack on a major aerospace industry publication infected thousands of defense contractor employees, because the site was considered a trusted source of industry news. The malware delivered this way is typically aimed at intellectual property or corporate espionage.

Supply-chain watering holes exploit the interconnected nature of business relationships. Attackers compromise vendor portals, software update servers or partner extranets, affecting every organization that relies on them. The SolarWinds attack, while not traditional phishing, showed the devastating potential of supply-chain compromise: once trusted infrastructure is compromised, even security-conscious organizations are exposed, because they must balance security against operational necessity.

Geographic and demographic targeting makes watering hole attacks efficient. Attackers compromise local news sites, community portals or regional service providers to reach a specific population.
Government employees might be targeted through a compromised political news site, healthcare workers through a medical journal site. This selectivity reduces the attacker's footprint while maximizing the chance of reaching the intended victims.

The technical sophistication of watering hole attacks continues to evolve. Modern attacks use exploit kits that fingerprint the visitor's browser and plugins and deliver a payload matched to the vulnerabilities found. Many watering holes serve the malicious code only to visitors from specific IP ranges or with particular browser configurations, so that security researchers and scanners see a clean page; this cloaking is also why the site owner often never notices the compromise. Advanced persistent threat groups frequently maintain several watering holes at once, creating redundant infection vectors that preserve access to target networks. The defensive implication is that a trusted site is still just a site: keep browsers and plugins patched, and when a compromise is suspected, compare what the page serves to different client profiles and vantage points rather than trusting a single clean fetch.
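The differential check that the cloaking described above calls for, as an added example that is not code from the original article: the same page is captured under several client profiles, the scripts on each capture are inventoried (external scripts by URL, inline scripts by a hash of their normalized body), and any script that is missing from the profiles every capture shares is reported against the capture that carried it. The two HTML captures below are constructed, standing in for the page as fetched with a researcher-like client and with a client matching the target profile; in real use the bodies come from fetches made with different User-Agent strings, from different network ranges and at different times.

```python
"""Differential script inventory for detecting watering-hole cloaking.

Added example, not code from the original article. The HTML captures are
constructed: the same page as served to a researcher-like client and to a
client matching the attacker's target profile.
"""
import hashlib
import re
from typing import Dict, Set

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def script_inventory(html: str) -> Set[str]:
    """Identifiers for every script on a page: 'src:<url>' for external scripts,
    'inline:<sha256 prefix>' for inline bodies with whitespace normalized."""
    inv = set()
    for attrs, body in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        if m:
            inv.add("src:" + m.group(1))
        else:
            norm = re.sub(r"\s+", " ", body).strip()
            if norm:
                inv.add("inline:" + hashlib.sha256(norm.encode()).hexdigest()[:16])
    return inv


def cloaking_diff(captures: Dict[str, str]) -> Dict[str, Set[str]]:
    """Scripts present in some captures but not in all, keyed by the capture that
    carried them. A script served only to the target profile is the watering-hole signal."""
    inventories = {label: script_inventory(html) for label, html in captures.items()}
    if not inventories:
        return {}
    common = set.intersection(*inventories.values())
    return {label: inv - common for label, inv in inventories.items() if inv - common}


# Constructed capture: the page as a scanner or researcher sees it.
BASELINE = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {site: "news"};</script>
</head><body>Industry news</body></html>"""

# Constructed capture: same page, but a loader is injected only for the targeted profile.
TARGETED = """<html><head>
<script src="/static/app.js"></script>
<script>window.cfg = {site: "news"};</script>
<script src="//203.0.113.9/ld.js?ua=old"></script>
</head><body>Industry news</body></html>"""

CAPTURES = {"researcher_ua": BASELINE, "target_range_old_browser": TARGETED}

if __name__ == "__main__":
    for label, extra in cloaking_diff(CAPTURES).items():
        print(label, "is served extra scripts:", sorted(extra))
```

Inline scripts that legitimately vary per visit (CSP nonces, per-session tokens) will show up as noise; either strip those values before hashing or limit the report to external script sources, which is where injected loaders usually sit. Because cloaking can key on source IP and time of day as well as User-Agent, captures from a single vantage point prove little, and a clean result is only as good as the breadth of profiles compared.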