Posted on

Cyber security awareness: Spotting different types of phishing

In our ever-changing digital world, it seems like there are new terms to learn every year — or maybe every month, week, or day, depending on who you hang out with.

While some of these are handy for showing off your social media cred (saving you any “how do you do, fellow kids?” moments), others, like “phishing”, are far more important to understand so you can stay safe from scams on and offline — both for yourself as an individual and for your organisation.

Whether they cast a wide net or specifically target company management in the hopes of a bigger payday, there are several ways phishing attacks can find their way to you.

Read on to see how familiar you are with some of the latest terms and methods scammers use for getting you hooked. You might even discover some new techniques and variations on old-time favourites so you can confidently side-step these attackers and help your friends, family, and co-workers to do the same.

What is phishing?

This play on the word “fishing” has a lot in common with the sport: scammers put out a lure and wait to see who bites.

If you’ve ever seen a fly-fishing lure, you’ll understand the importance of making sure whatever you put out there is attractive. Phishers get this, and they use it to their full advantage.

The lure might be attractive in the traditional sense, like the prospect of winning a once-in-a-lifetime competition, or they might take the sneakier tack of creating a sense of urgency by telling you about something like unusual activity on your bank account.

Either way, they’ll tempt you to take an action, like clicking on a link that will download malicious software (malware) to your device or sharing personal or financial information over the phone.

Common types of phishing

Email phishing

Delivering a phishing lure by email is one of the more common ways to carry out a phishing attack. A common technique is to impersonate a real person or company — also called “deception phishing”. These messages closely mimic the logos and branding of legitimate and even internationally recognised companies, so they look authentic at a glance. Heck, sometimes they even look authentic under close inspection.

The scammer’s goal might be to steal money, personal information, or passwords to use against you or to sell to others. To do this, they create fake email addresses designed to trick you into believing that you know and trust the sender. These emails appear to be coming from the right email address, but they’re fake as fake can be.

When a phishing message includes links, these will usually take you through to a scam website; and if there’s an attachment, it likely contains a nasty piece of malware tucked away somewhere inside it.

The good news is there are several common red flags you can watch out for, and knowing what they are will help you spot an email phishing scam the next time one lands in your inbox.

Keep an eye out for these things, and you’ll be on a much safer track.

  • Generic language. This might include greetings like “Dear sir or madam” and references to “your account” without mentioning any specifics.
  • Mistakes in spelling or grammar. Although the occasional typo or spelling error might slip through on an official email, messages from scammers tend to feature lots of these kinds of errors. Check any previous emails you’ve received from the company or individual and trust your gut — if the wording seems off, look closer before taking any action.
  • Message tone. Phishing messages often use tone to create a false sense of urgency or threat. For example, you may be pressured to take immediate action or risk a fine or service suspension. The goal is to make you panic, so you won’t think clearly before taking action — so if an email makes you feel like that, it’s definitely a sign to slow down and take your time.
  • Improbability. Another classic phishing technique is offering unbelievably good news — like a prize or refund that will be yours if you click on a link. If it seems too good to be true, it probably is.
  • Links or attachments. Most of us will receive legitimate links and attachments, too, so use your best judgment when it comes to these. Pay special attention to unexpected attachments, unusual file types, and senders who don’t usually email you. It’s also good to build a habit of hovering over links (especially if they’re shortened) to check where they’re sending you before you click. You might need to switch from your phone or tablet to a laptop to do this, but it’s well worth it.
  • Spoofed email addresses. Spoofing is when communications from an unknown source are disguised to look like they come from someone you know and trust. In the case of phishing emails, this involves sending them from addresses that look very similar to the ones you’re used to seeing in your inbox. If an email doesn’t look quite right, check it out with a healthy dose of scepticism — and be sure to compare it to any previous emails you’ve had from the same company.

So you’ve done all those things and found something phishy. What next?

  • Double-check the sender by looking more closely at the details. What you’re aiming to find is the email address itself and any servers it’s come through.
  • Back away from the links. If you’re not sure where links lead, it’s best to skip clicking on them. Already hovered over them, and they look dodgy? Give ’em a miss.
  • Ask someone you trust. If you have any doubts, get a second opinion from a family or friend. Bonus points if you have someone around who is super knowledgeable about things like this.
  • If in doubt: report, check with the source, or delete.
    • If you’ve received the email at your work address, report it to whoever is responsible for IT — they should be able to tell you what to do next, especially if your organisation already has a process for handling phishing.
    • You can use official contact information to check if the email is legitimate. For example, if the email says it’s from your bank, call the bank using the phone number on their website or on the back of your credit or debit card and ask if the email is genuinely from them.
    • Finally, you always have the option of deleting the email without clicking, replying, or using any contact information from it.

Website phishing

Like email phishing, website phishing is designed to get you to do one or more of these things.

  • Click links
  • Share personal — often financial — information
  • Download malware.

Here are some of the common places you might be at risk of website phishing.

  • Spoofed websites and apps. We mentioned spoofed email addresses before, and spoofing can also be used to make unfriendly websites and apps look like legitimate ones — so it’s worth paying close attention to make sure the site or app you’re using is what you think it is.
  • Website pop-ups. Watch out for messages from your web browser’s notification feature saying the website wants to send you notifications, and make sure you trust the site before accepting. If the site is dodgy and you click “Allow”, malicious code can be installed onto your device.
  • Ads. When you’re downloading a new app, you may come across ads designed to trick you into clicking them instead of the legitimate download you want. Look out for generic wording (like in phishing emails) and the tell-tale little “x” in the top right corner, which shows it’s an ad.

And here are some of the common red flags to look out for.

  • Suspicious content. Malicious websites may have branding that looks familiar (or at least close to something you recognise), but spelling mistakes, broken English, grammatical errors, or terrible quality images are all dead giveaways it’s not the site it’s pretending to be. Using an up-to-date browser can help you spot dodgy sites, too, as they often have built-in protection. If the website has been reported as being phishy, your browser will give you a big red warning sign to save you from making the mistake of clicking through.
  • Negative online reviews. If a web user has fallen victim to a website phishing attack, they may well share their experience online to warn others to avoid the site. A quick Google search should help you find anything you need to be aware of.
  • Unusual payment methods. If a website asks you to pay through a bank transfer, that’s a definite red flag. Most trustworthy sites will have well-known payment methods, including secure credit card transaction features.
  • Website URLs starting with http://. Websites that have a secure certificate (also known as an SSL certificate, which stands for “Secure Sockets Layer”) have URLs that start with https:// rather than http://, and these are the safest option for website users. Having this certificate means your connection to that website is secure and encrypted — so the data you enter will be safely and privately shared. It’s especially important if you’re sharing your contact or payment information. That said, it’s easy and free to get an SSL certificate, even for phishing sites — so while https:// means “secure”, it doesn’t necessarily mean “safe”. For example, a phishing site could have a secure certificate, and all that would mean is it’s stealing your information securely. The moral of the story is it’s still important to be careful, and if you see the URL only has http://, proceed with an extra dose of caution.

Now you know what to look out for, let’s run through some questions that will help you outsmart would-be website phishers.

  • Is the website address spelt correctly? Look closely. A common technique is to replace expected characters with ones that look the same but aren’t — for example, by replacing an “l” with a “1”. 
  • Does the URL start with https://? You can also look for a small padlock icon in the top left corner of the address bar in your web browser.
  • Does anything on the website look a bit… off? If it’s a spoofed website, tell-tale signs may include colours or fonts that don’t match the brand they’re trying to look like, as well as mistakes in spelling and grammar.
  • Are the payment methods secure? Secure credit card transaction options = yep; bank transfers = nope.  
  • Is an unfamiliar site trying to send you notifications? Only accept notifications from sites you know and trust. 
  • For apps, are you downloading them from a trusted source? You’ll be safest if you go through the official store for your device, like Google Play or the App Store.


Phishing messages sent by text message (also known as SMS, or “Short Message Service”) have their very own term: smishing.

When a scammer performs a smishing attack, they send huge batches of text messages to multiple numbers, hoping to lure someone into responding.

Like phishing emails, smishing messages often create a false sense of urgency with their tone, or they grab your attention by saying you’ve won a prize or something similar.

They’re trying to get you to respond immediately and take action before you’ve had a chance to think. The message may ask you to call a phone number or send you to a website — and this is where they catch you. 

Before you take any action, pause, take a breath and check these elements for red flags. 

  • Phone number. Pay attention to unknown numbers or overseas numbers.
  • Message tone. An urgent or demanding tone should set off your alarm bells.
  • Links. The message includes links it wants you to click.
  • Calls to action. The message is trying to get you to take some action. 

Next, run through this list of questions to work out what’s really going on.

  • Do you recognise the phone number? Check the phone number against official sources, like the website of the organisation it says it’s from. You can also Google the phone number, as a quick search will often turn up results of other people flagging it as a scam.
  • Is the tone of the message urgent? If it’s trying to convince you something’s wrong with one of your accounts and you need to take action RIGHT NOW, this is a good sign to slow down and do some more checks before you act. This is especially true if the message seems generic and doesn’t use your name.
  • Are there links in the message? If it’s trying to get you to click through to a website or download an app, there’s a strong chance something phishy is going on. Hover over any links to see where they lead and avoid clicking if they seem suspicious.
  • Is the message trying to get you to take action? A common example is asking you to reply with personal information like login or credit card details. Legitimate messages from credible sources won’t ask you to provide information like this.
  • Is the content of the message believable? Cases where it’s not may include winning a competition you didn’t enter or a notification about a service you didn’t sign up for.


Ever had a phone call from someone claiming to be from a trusted organisation, maybe helpfully alerting you to a virus on your computer or telling you about a problem with an account of yours? You’ve already experienced another type of phishing, known as vishing.

Vishing — or voice solicitation — has been around for a while. While many people know about it and realise it’s a scam, there are some variations that still work to catch folks out.

A visher typically calls with a plausible story and a trusted organisation name up their sleeve — say, the Inland Revenue Department, Microsoft, or a well-known internet service provider.

Once they have you listening, they’ll try to get you to reveal private information or even to allow them remote access to your computer.

Tiredness, illness, distraction, and lack of tech expertise can all cloud our judgment in situations like this and may cause you or someone you know to respond to the “urgent” request the visher is making.

If a caller asks you to do any of these things, it’s a red flag that this may be a vishing attempt.

  • Verify your username and/or password for an account
  • Give your banking details
  • Grant remote access to your computer
  • Download software
  • Key in specific numbers/codes on your phone to reverse call charges.

And here are some simple actions you can take to help you stay safe from vishers.

  • Check the phone number before answering the call. It’s okay to let it go unanswered if you’d rather look it up online first.
  • Call the company back on its official number. Get this from a credible source, like its website.
  • Independently verify the request. If you do answer and they ask you for personal information, verify that request before you take action. You can also do this by calling them back on its official number. 

The more targeted phishing attacks: spear-phishing and whaling

Spear phishing

This is a type of email phishing, and as you can probably guess from the name, it’s done with much more precision.

Instead of casting their net wide, attackers use data collected from public sources to target specific people.

They collect personal information that helps them tailor their phishing attempt, including things like the names of the person’s friends or pets, their home address and phone number, and where they work.

One example of a spear-phishing attack is receiving an email that has a bogus website link in it from what seems to be a trusted source, like a colleague — when in fact, the email address is spoofed. These types of attacks have a much higher chance of success than more generically worded ones.

It’s alarming to think you could be targeted like this, but like with all the other types of phishing, there are red flags you can watch out for. If you’ve received an email that seems to be from someone you know but doesn’t feel quite right, check for these things.

  • A different style of writing. It could be more formal or informal than they usually are, and there might be mistakes in spelling and grammar that you wouldn’t typically expect.
  • Urgent and unusual requests. If they’re asking for restricted information (like access to finances or other sensitive documents) that they don’t usually need, or asking for information immediately, stop and think more carefully before taking action.
  • They don’t typically email you. Many workplaces now use group chat systems like Slack for day-to-day communication, so even receiving an email from a workmate could be enough to set off alarm bells.
  • There’s a call to action in the subject line. You know the ones — they include words like “Follow up”, “Urgent”, “Important”, “Payment status”, and “Are you available?”

Luckily, fending off spear phishers can be relatively simple. 

  • If the email seems out of character for the person it appears to be from, check the email address to see if it’s actually from them.
  • Still not sure what’s going on? Check with the person through a different communication channel — give them a call, send them a text, or maybe even talk to them in person.


This is a type of phishing that targets the “big phish” — or the “whale”. 

Also known as CEO fraud, this is when attackers pretend to be senior team members so they can get access to privileged information or put themselves in a position to target other executives.

Social engineering — an attack technique that plays on human behaviour and error — is an important element in whaling attempts. Staff will understandably be reluctant to ignore or delay requests from someone more senior than them, and as a result, attackers can get access to computer systems which in turn could lead to sensitive information being leaked or money being stolen.

Whaling messages often include legitimate-looking corporate logos, email signatures, and real names of staff. But like always, there are clues to watch out for. If you think you might have received a whaling message, do a quick check of these elements.

  • Message sender and email address. The’” from” field of an incoming email may contain the real name of one of the higher-level folks in your team, but often the email address itself isn’t right. It might even be a personal address instead of a work one. Also, if senior management hasn’t contacted you before and you weren’t expecting them to, it’s most likely whaling in action.
  • Message content. Like with other phishing emails, whaling emails will likely include a request for sensitive or financial information. If you’re not expecting a request like this, consider it suspicious.
  • Message tone. If it’s urgent or demanding, and you don’t usually get emails like this from the person in question, this could be an attempted attack. The attacker is trying to get an emotional, rushed response from you, so it’s worth pausing and spending some time verifying whether the request is genuine. 
  • Message channel. CEO contacting you through Facebook? Probably suspicious.
  • Links or attachments. These are very common tools in whaling attacks for attackers to install malware in systems that allow them unauthorised access, so check them carefully.

Keep yourself safe from whaling scams with these simple steps. 

  • Beware of communication methods that are out of the ordinary, like a senior member of your team messaging you on a social media platform.
  • Check that the message was sent from a work email address and to a work email address. If there are personal email addresses anywhere in the mix, it’s likely to be a scam.
  • If the urgency of the message makes you feel like you have to take action immediately, do the opposite. Slow down, check the message carefully, and verify it before you do anything else.
  • Check any links and attachments before you click them.
  • Still not sure? Double-check with your supervisor before taking any action.

Phishing prevention in a nutshell

Phishing isn’t going away any time soon, so the best thing we can all do is be prepared and know what to look out for.

We hope this post has made that a little easier, and for good measure, here’s a round-up of how to stay safe.

  • Keep an eye out for generic language and mistakes in spelling and grammar — these are often clear signs that an email or website is not what it’s pretending to be.
  • If you get messages that have an urgent or demanding tone, check who they’re from and what they’re asking for before you take any action.
  • Verify requests by contacting the person or organisation using details from a credible source, like their official website.
  • Hover over links to see where they’re trying to send you. You can also do this with email addresses to check if they’re what you expect them to be.
  • Avoid clicking links or downloading attachments unless you’re certain they’re from safe and trusted sources. One file type that’s worth checking extra carefully is .exe, as this is commonly used for malware. Even .zip, .pdf, .xlsx and .doc files can have hidden malware, so it pays to approach with caution.
  • Take a breath and ask a friend for help. Remember, attackers want you to act without paying too much attention to the details. Slowing down and getting a second opinion from someone you trust who is more detached from the situation will help you regain your composure and look at things more clearly. This is especially important if you’re being asked to do something sensitive, like paying money or giving information.
  • If you think you’ve been phished, you can also contact your IT support team or your country’s Computer Emergency Response Team (in New Zealand, that’s CERT NZ). It’s their job to help, so don’t be too shy to ask.

Want to learn more?

Our online Security Awareness programme is full of short, engaging, and action-oriented courses designed to help you and your team build and grow their cyber security superpowers. And it includes a course all about Phishing, Vishing, and Smishing.

Grab a free trial for 14 days and see for yourself what makes our training different.