The FBI estimates that Americans lost a whopping $12.5 billion to phishing schemes in 2023. You might think you can identify a fraudulent email and avoid becoming a statistic; however, a malicious email is just one of the many phishing attacks cybercriminals use.
It's alarming to see such a high financial loss due to phishing attacks. The list of phishing types you've provided is comprehensive and very useful. The video also adds a good visual explanation. Thanks for sharing this valuable resource to help us stay informed and vigilant against these cyber threats.
Intro
This was from November, but I thought it was interesting and possibly yields lessons to be learned.
Approach
The Setup (3:17–3:18 PM): Multiple 2FA codes triggered to create panic
The Hook (3:21 PM): Brief call planting the seed of “help”
The Con (3:31 PM): Real Apple Support case (ID: 102750168703) created by attackers
The Trap (3:47 PM): “Confirmation code” that was actually a live 2FA code
User final mistake
Typing in that final "2FA code" on their phishing page, despite it being at a URL with a very new domain that was not Apple's
Give Away
The user received a new sign-in email notification immediately.
Issues
The attackers exploited a critical flaw: Apple’s support system allows anyone to create legitimate support cases in others’ names.
This generates:
Real case numbers that verify on Apple’s website
Official emails from apple.com domains
Complete credibility using Apple’s own infrastructure
Lessons
Don't Trust
Unsolicited calls, even with legitimate case numbers
Links in texts/emails about security issues
Any request for a “confirmation code” during support calls
Calls that coincide with real security notifications
Always
Check that the site has a legitimate domain, regardless of certificate validity (appeal-apple.com ≠ apple.com)
Open tickets yourself; never trust a support ticket initiated by a third party, even by Apple
Watch for device sign-in notifications
Possible Defense
Use hardware security keys (YubiKey, Google Titan, etc.) for 2FA.
OP Summary
Modern phishing uses corporate infrastructure against you. They don’t need spelling errors when they have real Apple case numbers. Stay skeptical, verify independently, and protect those 2FA codes like your digital life depends on it… because it does.
Wishful Thinking
It's too bad that the OP didn't post a redacted SMS message from Apple to see if there would be more clues. The final page phishing for the code shows a "Two-Factor Authentication" code, but it's clearly not, because they were able to use the code along with the email to log into the Apple account immediately.
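The domain check from the "Always" list above, as an added example that is not part of the original post: it extracts the host a URL actually points at and matches it against an allowlist on a label boundary, independent of whether the certificate is valid. The `TRUSTED_DOMAINS` list, the function names, and the sample URLs (other than the appeal-apple.com domain quoted in the post) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only domains the reader expects
# Apple sign-in or support pages to be served from.
TRUSTED_DOMAINS = ("apple.com", "icloud.com")

_HAS_SCHEME = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def hostname_of(url: str) -> str:
    """Return the normalized host a browser would connect to, or ""."""
    if not _HAS_SCHEME.match(url):
        url = "https://" + url  # bare "host/path" as pasted from an SMS
    try:
        # .hostname drops any "user@" prefix and ":port" suffix.
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
        # Convert internationalized names to ASCII (punycode) so look-alike
        # Unicode letters can never compare equal to the ASCII domain.
        return host.encode("idna").decode("ascii")
    except ValueError:  # malformed URL or un-encodable host: fail closed
        return ""


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one."""
    host = hostname_of(url)
    if not host:
        return False
    # Label-boundary match: "support.apple.com" passes, while
    # "appeal-apple.com" and "apple.com.example.net" do not.
    return any(host == d or host.endswith("." + d) for d in trusted)


# Constructed sample URLs; only appeal-apple.com comes from the post.
SAMPLES = [
    "https://support.apple.com/",
    "https://APPLE.com./",
    "https://appeal-apple.com/verify",
    "https://apple.com.example.net/",
    "https://apple.com@appeal-apple.com/",
    "appeal-apple.com/code",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "trusted" if is_trusted(sample) else "NOT trusted"
        print(f"{verdict:12} {hostname_of(sample):28} {sample}")
```

A substring or "contains apple.com" test would pass every one of the lookalike samples, which is why the comparison is done on the parsed host and on a dot boundary.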