Sophisticated Phishing Attacks

Phishing attacks are on the rise, and attackers are using increasingly sophisticated tactics that conceal their intent by targeting you directly with fraudulent emails, text messages or phone calls that include your own personal information.
Learn how you can identify and protect yourself from sophisticated phishing attacks.
Spear phishing
Spear phishing is a sophisticated email phishing tactic aimed at a specific person. Spear phishing emails often contain personal or identifying information about the recipient to convince them that the email comes from a legitimate source. Like traditional phishing, spear phishers will try to get you to share personal information or to download malware disguised as files or software. Common spear phishing lures include:
- Emails related to remote work. These commonly include notices about missed meetings, requests to share sensitive documents, etc.
- Emails related to work that include calls for urgent action or unusual business practices.
- For example, you could receive an email disguised as coming from your department head or supervisor urgently requesting that you make a bulk Apple gift card purchase and email them the authorization codes.
- Initially, a work-related spear phishing email may only ask you to respond to an urgent question. However, this can start a back-and-forth exchange designed to gain your trust before the attacker asks you to purchase something on their behalf or to share sensitive information.
- Emails related to current or world events. These can include requests for donations to support disaster relief or emails claiming to be from government or health organizations.
The following is a sample scenario for how a hacker could trick you into sharing your Instagram login information using common spear phishing techniques:
1. You receive an email from an account claiming to be associated with Instagram. It includes your personal Instagram handle and informs you that your account has been compromised and that action is required to retain access to it.
2. The email contains a number of red flags that could indicate that this is a spear phishing attempt:
a. The sender’s email address is a misspelled version of a real Instagram email address, or uses a third-party email domain unrelated to Instagram.
b. The email includes spelling and grammatical errors.
c. The email is poorly formatted and images and logos are stretched or blurry.
3. You do not notice these warning signs and click a link embedded in the email, which directs you to a fake website designed to look like the official Instagram login page.
4. The fake website contains a number of red flags that could be an indication that it is part of a spear phishing attempt:
a. The fake website’s URL does not match the official Instagram login URL.
b. The website includes spelling and grammatical errors.
c. The website is poorly formatted and images and logos are stretched or blurry.
5. You do not notice these warning signs and enter your login information into the fake website, including your username, your current password and a new password to "reset" your account credentials.
6. The spear phisher uses the credentials you entered to take over your real Instagram account, and tries the same password on any other website, platform or service where you have reused it.
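Two of the red flags in the scenario above (a sender address that is a misspelled or unrelated version of the real one, and a link whose visible text points one place while its real destination is elsewhere) can be checked mechanically. The script below is an added example and is not part of this page or of any Instagram tooling; it assumes that instagram.com is the only registrable domain Instagram sends from (an assumption; check the organisation's own documentation), and the email it analyses is constructed for the example.

```python
"""Flag lookalike sender domains and mismatched links in a raw email.
Added example; OFFICIAL_DOMAINS and SAMPLE are assumptions/constructed."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the registrable domain(s) a brand really sends from.
OFFICIAL_DOMAINS = {"instagram": {"instagram.com"}}

# Link text that itself looks like a URL or hostname, e.g. "www.example.com/login".
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real check should use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from the real name is a
    typical typosquat (lnstagram, instagran)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, brand: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in OFFICIAL_DOMAINS[brand]:
        return "official"
    # Brand name buried in a subdomain (instagram.com.evil.net) or in the
    # registrable label (instagram-security.com) is the classic lure.
    if brand in host:
        return "lookalike"
    # Typosquat: a hyphen-separated token within two edits of the brand name.
    for token in dom.split(".")[0].split("-"):
        if len(token) >= len(brand) - 2 and edit_distance(token, brand) <= 2:
            return "lookalike"
    return "unrelated"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: bytes, brand: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0]
    kind = classify_domain(sender.domain, brand)
    if kind != "official":
        findings.append(f"sender domain {sender.domain} is {kind} to {brand}")
    if msg["reply-to"] is not None:  # replies silently diverted elsewhere
        reply = msg["reply-to"].addresses[0]
        if registrable_domain(reply.domain) != registrable_domain(sender.domain):
            findings.append(f"Reply-To {reply.domain} differs from From {sender.domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            kind = classify_domain(host, brand)
            if kind != "official":
                findings.append(f"link to {host} ({kind}) behind text {text!r}")
            shown = URL_TEXT.match(text)  # text looks like a URL: does it match the href?
            if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
                findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    return findings


# Constructed sample modelled on the scenario above (not a real message).
SAMPLE = b"""\
From: Instagram Support <security@lnstagram-help.com>
Reply-To: account.recovery@gmail.com
To: jane.doe@example.com
Subject: Action required: @jane.doe has been compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi @jane.doe, we noticed a login from a new device.</p>
<p>Confirm it was you within 24 hours:
<a href="http://instagram.com.account-verify.net/login">https://www.instagram.com/accounts/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE, "instagram"):
        print("RED FLAG:", finding)
```

Run against the constructed message, the script reports the lookalike From domain, the Reply-To diverted to a free webmail domain, the link host that hides the brand name in a subdomain, and the mismatch between the URL shown as link text and the real href. The domain heuristics are deliberately simple (no public suffix list, no homoglyph handling), which is why a mail gateway would pair them with sender authentication rather than rely on them alone.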
Mobile device phishing
Malicious actors also commonly direct phishing attacks at a person’s mobile phone or tablet. Learn how you can spot fraudulent texts and phone calls.
Smishing
Smishing, also known as SMS phishing, is a phishing tactic that targets your mobile devices with misleading texts posing as communications from a trusted organization. Signs that a text may be a smish include:
- Receiving texts from a phone number that is unknown to you.
- Texts with typos or grammatical errors.
- Messages containing an urgent request for personal information like login information or bank account details.
- Texts that require immediate action to avoid a problem like retaining access to an account.
- Messages that ask you to click a link or download a file of vague origins.
- Texts offering you something that sounds too good to be true with little to no action on your part.
If you are unsure whether a text is genuine:
- Check the sender’s phone number by visiting the official website of the organization it claims to be from and seeing whether that number is listed there.
- Contact the organization directly using an email address or phone number published on its official website, not the contact details given in the text, to confirm whether the message came from them.
- Verify your personal records to confirm if you have any services or subscriptions from the company in question.
- Ask yourself, “Would this company contact me via text message?”.
If you suspect that a text is a smish, don’t respond to the message and avoid clicking any suspicious links. Always block the number and delete the text to avoid further smishing attempts.
Vishing
Vishing, also known as voice phishing, is another phishing tactic that targets your mobile devices using live agents or automated calls claiming to be from a trusted organization. Vishing attacks usually take one of two forms:
Cold calls
In this scenario, you’ll receive a phone call from an unknown number claiming to be from an official organization requesting personal information or remote access to your device to solve a fake issue with an account or device.
Misleading ads and websites
Malicious actors may create fake online ads or websites that encourage you to call a number to sign up for or purchase a fake service or product. Signs that a call may be a vish include:
- Receiving calls from a phone number that is unknown to you.
- Ads or websites with typos or grammatical errors encouraging you to call a phone number to sign up for a service or resolve an imaginary issue with your device.
- The caller makes an urgent request for personal information or remote access to your device to resolve an issue like canceling a subscription or removing malware from your device.
- The caller makes use of social engineering tactics like keeping you on the call to gain your trust.
- The caller offers you something that sounds too good to be true with little to no action on your part.
If you receive a suspicious call:
- If the caller or number is unknown to you, end the call without providing personal information or granting remote access to your device.
- Check the caller’s phone number by visiting the official website of the organization they claim to be from and seeing whether that number is listed. Keep in mind that caller ID can be spoofed, so a number that matches the listed one is not proof that the call is genuine.
- Hang up and contact the organization directly using an email address or phone number published on its official website, not a number the caller gives you, to confirm whether the call came from them.
- Verify your personal records to confirm if you have any services or subscriptions from the company in question.
- Ask yourself, “Would this company contact me over the phone?”.
If you suspect that a call is a vish, always block and delete the number to avoid further vishing attempts.
You can reduce future vishing attempts by registering your phone number with the Government of Canada’s National Do Not Call List for telemarketers. Registering prevents many legitimate telemarketers from cold calling you, but scammers ignore the list, so it will not protect you from all vishing attacks.