
What are the different types of phishing? And how can you protect yourself



Most of us have received a weird email or sketchy text message at some point or another that made us pause for a second. Was that really from your bank? Did your CEO actually just ask you to buy £500 in gift cards? Welcome to the world of phishing, where cybercriminals go “fishing” for your personal data, only their hooks are fake emails, text messages, and even voice calls. 

 

Phishing is one of the most common forms of cybercrime out there, and it’s getting sneakier by the day. But don’t worry, once you understand the different types, you’ll be much better prepared to avoid falling for them. 

 

Phishing (the classic email scam) 

This is the OG of phishing. A classic phishing email looks legitimate at first glance: it might claim to be from your bank, PayPal, Netflix, or even a coworker. These emails usually copy the company's logos and layout, and the poor spelling that once gave them away is far less common now that attackers use AI writing tools. The goal is to trick you into clicking a link, downloading a file, or entering your login credentials on a page the attacker controls. 

 

How it works: 

You get an email saying your account has been compromised or a payment is due. It includes a link. You panic, click it, land on a convincing copy of the real login page, type in your details, and your login details are in the wrong hands. 

 

How to protect yourself: 

  • Always check the sender's actual email address, not just the display name. The name can say "PayPal Support" while the address is on an unrelated or lookalike domain (paypa1 instead of paypal), and a mismatched Reply-To address is another warning sign. 

  • Hover over links (don't click!) to see where they really go. The text of a link can show one website while the link itself goes somewhere else. On a phone, press and hold the link to preview the address. 

  • Don't download or open attachments from unknown sources. 

  • Use multi-factor authentication (MFA) whenever possible. MFA limits the damage if a password is stolen, though some phishing kits relay one-time codes in real time, so where it is offered prefer phishing-resistant methods such as passkeys or security keys. 
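The sender and link checks above can be done programmatically as well. The following is an added example, not code from the original article, that runs the same three checks (sender address versus display name, Reply-To mismatch, and link text versus link destination) over a constructed sample message. The sample email, the domains in it and the `EXPECTED_DOMAINS` allow-list are all assumptions made for this example; the lookalike check and the domain parsing are deliberately simple stand-ins for what a real mail filter does.

```python
"""Triage a suspicious email the way the advice above says to: check who it is
really from, where replies go, and where each link really points.

Added example for illustration; the message below is constructed, not real.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing email (assumed for this example; not a real message).
SAMPLE_EMAIL = """\
From: "PayPal Support" <security@paypa1-notice.com>
Reply-To: billing@mail-recovery.net
To: victim@example.org
Subject: Urgent: your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed unusual activity. Please confirm your details within 24 hours.</p>
<p><a href="https://paypa1-notice.com/login/confirm">https://www.paypal.com/signin</a></p>
<p><a href="https://www.paypal.com/help">Help Centre</a></p>
</body></html>
"""

# The brand this message claims to come from (assumed allow-list for the example).
EXPECTED_DOMAINS = {"paypal.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (fine for .com; a real tool uses a public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def domain_of(text):
    """Registrable domain of a URL-looking string, or None if it is not a URL."""
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text.strip(), re.I):
        return None
    url = text.strip() if "://" in text else "http://" + text.strip()
    host = urlparse(url).hostname
    return registrable_domain(host) if host else None


def looks_like(domain, brand_domain):
    """True if `domain` imitates `brand_domain` (digit-for-letter swaps, brand name reused)
    without actually being it. Simplified on purpose."""
    brand = brand_domain.split(".")[0]
    normalised = domain.lower().translate(str.maketrans("10", "lo")).replace("rn", "m")
    return domain != brand_domain and brand in normalised


def triage(raw, expected_domains=EXPECTED_DOMAINS):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name can say anything; judge the address and its domain.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else None
    if from_domain and from_domain not in expected_domains:
        note = f"sender '{name}' uses {addr}; domain {from_domain} is not {sorted(expected_domains)}"
        if any(looks_like(from_domain, d) for d in expected_domains):
            note += " (lookalike)"
        findings.append(note)

    # 2. Replies silently routed to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable_domain(reply.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To {reply} goes to a different domain than From ({from_domain})")

    # 3. Link text that shows one site while the href goes to another ("hover" check).
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        href_domain, text_domain = domain_of(href), domain_of(text)
        if text_domain and href_domain and text_domain != href_domain:
            findings.append(f"link text shows {text_domain} but points to {href_domain}")
        if href_domain and href_domain not in expected_domains:
            findings.append(f"link to {href} is off-brand ({href_domain})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, `triage()` reports the lookalike sender domain, the off-domain Reply-To, the link whose visible text says paypal.com but whose destination is paypa1-notice.com, and that off-brand link itself; the genuine help-centre link produces no finding. The same checks are what you do by eye when you read the real address and hover over a link.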

 

Smishing (SMS phishing) 

Smishing is phishing through SMS (text messages). It’s short, snappy, and often urgent. You might get a message like “Your package delivery is delayed, click here to reschedule,” followed by a malicious link. 

 

Why it works: 

We trust our phones. We also tend to respond quickly to texts, especially if they seem urgent or related to money, deliveries, or personal accounts. 

 

How to protect yourself: 

  • Be sceptical of messages from unknown numbers. 

  • Don’t click on short links in texts unless you’re expecting them. 

  • If it seems fishy, go to the website directly instead of clicking the link. 

  • Report smishing messages to your mobile provider (usually by forwarding to 7726). 

 

Voice phishing (vishing) 

Vishing is phishing done over voice calls. Yep, people are still using phones for scams. You might get a call from someone pretending to be from your bank, the IRS, tech support, or even your boss. 

 

How it works: 

The caller creates a sense of urgency. “There’s suspicious activity on your account.” Or “Your computer has been hacked, and we need remote access.” They want you to give up sensitive info or install something on your device. 

 

How to protect yourself: 

  • Never give out personal or financial information over the phone unless you initiated the call. 

  • Hang up and call the organisation back using the number on their official website or on the back of your card, not a number the caller gives you. 

  • Be suspicious of caller ID: scammers can spoof numbers so the call appears to come from a legitimate organisation. 

 

QR code phishing (quishing) 

QR codes are everywhere now, from menus to car parks. Scammers are getting creative by sticking a fake code over a real one, or by putting a QR code in an email so the link inside it slips past email filters. You scan it, and you're sent to a malicious website or prompted to download malware. 

 

Why it’s tricky: 

We’re trained to trust QR codes, especially in places like restaurants or on printed materials. But that trust can be exploited. 

 

How to protect yourself: 

  • Only scan QR codes from sources you trust. 

  • Avoid scanning random QR codes in public spaces or in suspicious emails. An email that asks you to scan a code rather than click a link is doing so to hide the link. 

  • Most phone cameras show the web address before opening it, so read it before you tap. If a QR code opens a login page or asks for credentials, stop and ask whether that makes sense for what you are trying to do (a car park or a menu has no reason to ask for your password). 

 

Spear phishing 

Spear phishing is a personalised form of phishing in which the scammer targets you specifically. They might know your name, your job, your colleagues, or even what projects you're working on. 

 

How it works: 

Let's say you're in finance. You get an email that looks like it's from your CFO, asking you to approve a wire transfer. They might use insider terms or reference real company details because they've done their homework. 

 

How to protect yourself: 

  • Always verify unusual requests, especially when money or credentials are involved. 

  • Confirm through a second channel, such as calling or messaging on Slack, using contact details you already have rather than any phone number or link in the message itself. 

  • Be cautious about what you share on LinkedIn and social media, as attackers use that information to make their emails convincing. 

 

Whaling (big fish phishing) 

Whaling is like spear phishing, but it targets the high rollers, executives, and CEOs. Because of their access to sensitive information and financial power, they're big targets. 

 

How it works: 

A cybercriminal might impersonate the CEO and send an urgent request to finance: “We’re acquiring a company, keep this quiet and wire the funds ASAP.” These emails are carefully crafted and often appear incredibly legitimate. 

 

How to protect yourself: 

  • Executives should be trained just like everyone else, as no one is above being scammed. 

  • Implement strong internal approval processes for money transfers and sensitive data, for example two-person approval for payments and a call-back check on any change of bank details. 

  • Encourage a culture where employees feel safe verifying requests that are out of the norm, no matter who they come from. 

 

 

Need some support with your organisation’s cyber security? Contact us today to find out how we can help.  



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the West Midlands is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others.  Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the West Midlands provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

 

The Cyber Resilience Centre for the West Midlands does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the West Midlands is not responsible for the content of external internet sites that link to this site or which are linked from it.


The Cyber Resilience Centre for the West Midlands is a trusted resource for  support to protect businesses and third sector organisations in the West Midlands region.


© 2024 The Cyber Resilience Centre for the West Midlands
