COMES IN ALL SHAPES AND SIZES
Spear-phishing targets a specific person or group of people, so it is often more sophisticated.
The attacker will try even harder to make the message as believable and as relevant to their target as possible. Their job is made easier by the fact that it is extremely easy to find information online nowadays - for example, through social media platforms, the targeted organisation's website, or even by reading (and potentially applying for) that company's job vacancies.
There are so many possibilities!
Whale-phishing, also called whaling, is very similar to spear-phishing but it targets high-profile business executives, managers, or supervisors who might have credentials to valuable accounts in the company.
In these cases, the emails and web pages used by the attacker are likely much more difficult to spot as fake. The best way to spot them is by paying close attention to the sender's email address and hovering over a link to reveal its true destination.
Vishing, or voice phishing, is a type of phishing attack perform via phone call. Vishing isn't as common as email phishing, but it can be harder to spot - we might naturally disclose more information while speaking to someone on the phone without thinking twice. Also, it is fairly easy for attackers to "spoof" a phone number: this means that they can pretend to be calling from a company, someone you know, or generally from a phone number that isn't theirs..
With vishing, bad actors are aiming to gather information about you, the company you work for, or get you to perform tasks that put your data at risk. Ultimately, they're looking for information that will benefit them or help to learn more about the targeted organisation.
They often pose as the IT department and try to do things such as getting you to change your password to something of their choosing, or disclosing your current password. You should never disclose passwords on the phone (or to anyone!), and always think before you answer any questions.
Image from nextadvisor.com
Smishing stands for SMS phishing. This technique is similar to traditional email phishing, but the message is sent via SMS. Typically, smishing messages contain malicious links for people to click on, which can prompt malware to be installed on the mobile device or lead to a fake phishing page.
Nowadays, mobile device use is getting increasingly popular amongst employees, who use their phones in order to access company systems and emails on the go - often in a rush. This makes mobile phones a very desirable target for phishers.
People are generally less aware of smishing, but the consequences can be as serious as when we click on a malicious link sent within an email.