Protecting the Brand: The Never-Ending Battle Every Company Must Fight – Part 6A

A Plethora of Phishing Scams

Word Count: 1,461
Estimated Read Time: 6 Min.

People love fishing… but not when scammers are the ones doing the “phishing” and people are the catch.  Phishing is when a cyber-criminal sends fraudulent communications that appear to come from a specific brand to trick customers into revealing sensitive information. That’s the kind of phishing – an online attack on a brand and its customers — that can hurt customers and kill a business.

Business owners often tune out when they hear about cyber crimes because they think that these attacks only happen to technology, banking, and fin-tech companies as well as global brands.  Not true.  But cyber-criminals want average business owners to think “that can’t happen to my company.”  It makes it easier for them to attack businesses that are ignorant and unprepared.

In reality, phishing scams are a major threat to all brands and their customers because they rely on deception and impersonation to steal sensitive information.  These cyber-attacks lead to financial loss for customers and damage the brand’s credibility, even when the brand was not involved at all and did nothing wrong. 

Three General Types of Phishing Attacks

It’s important to understand this kind of cyber crime.  There are three general types of phishing scams used to attack brands and deceive their customers.

  1. Email Phishing is the most common form of phishing. Attackers send out mass emails that appear to be from a legitimate company (like a bank, social media platform, or e-commerce site) and often contain a sense of urgency. The goal is to trick recipients into clicking a malicious link that leads to a fake website designed to steal their login credentials, personal information, or financial details.  But there are other types of phishing attacks that don’t rely on email.
  2. Smishing, also known as SMS Phishing, uses text messages instead of emails to attack. Scammers send customers of a particular brand fraudulent messages that often include a link to a malicious website or a phone number to call. These messages can impersonate legitimate brands, such as delivery services or banks, to trick the recipient.
  3. Vishing, also known as Voice Phishing, uses phone calls instead of emails. The attacker, pretending to be a representative from a trusted company, tries to manipulate the victim into revealing sensitive information over the phone.

Targeted Phishing Attacks

However, there are even more variations on these attacks.  Some are narrowly targeted at one person or company, and not all of them arrive by email.

  1. Spear Phishing – Unlike mass phishing, spear phishing, like actual spear fishing, is highly targeted. The attacker researches a specific individual or organization to craft a personalized and convincing message. They might use details about the person’s job role, interests, or relationships to make the scam more believable and increase the chances of success.

  2. Whaling – Then there is whaling.  This is a form of spear phishing that specifically targets high-profile individuals, such as CEOs, CFOs, or other senior executives (“whales”).  Attackers leverage the authority of these positions to trick employees into performing actions like transferring large sums of money or divulging confidential data.

  3. Business Email Compromise (BEC) – This type of phishing involves an attacker impersonating a business partner, vendor, or a senior executive (like the CEO) to trick an employee or customer into making a fraudulent payment or divulging sensitive information. These attacks often involve detailed research and are highly effective. 

  4. Brand Impersonation – This is the overarching tactic where a scammer poses as a well-known, trusted brand to deceive customers. They use the brand’s logo, colors, and communication style to create a sense of legitimacy. The scam can be carried out through various channels, including email, social media, and fake websites.

  5. Angler Phishing – This type of scam takes place on social media platforms. An attacker creates a fake social media account that looks like a legitimate brand’s customer service page. They then reply to users who are complaining or asking questions, impersonating a customer service agent, and attempt to direct the user to a malicious website or collect their personal details through direct messages.

  6. Clone Phishing – The attacker creates a nearly identical replica of a legitimate email that a victim has previously received. They swap out the original malicious link or attachment with a new, fraudulent one. This makes the email appear authentic and can easily trick someone who has already received a similar, legitimate message.

  7. Website Forgery/Pharming – Attackers create a fake website that is a near-perfect replica of a legitimate brand’s site.  With Website Forgery, a user is directed to the fake site through a malicious link in an email or text.  Pharming is a more sophisticated attack: the victim’s computer (for example, its local hosts file) or the DNS server it relies on is tampered with so that the brand’s real domain name resolves to the attacker’s server.  The user lands on the fake site even after typing the correct URL, and the address bar looks right.

  8. Search Engine Phishing (SEO Poisoning) – Attackers create fraudulent websites and use search engine optimization (SEO) techniques to make them rank highly in search engine results. When a user searches for a brand, they might click on the fake website and be directed to a site that steals their information.
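The whaling, BEC, brand-impersonation and clone-phishing variants above all leave fingerprints in the message itself: a display name that matches an executive but an address that does not, a sender domain one character away from the real one, a Reply-To pointing somewhere else, and urgent payment language.  The following added example (not code from this article or from any vendor named in it) scores a raw email on those signals.  The company domain, the executive roster and the two sample messages are all constructed for the illustration.

```python
"""Heuristic triage for executive-impersonation (BEC / whaling) email.

Added illustration; not code from the original article.  The protected domain,
the executive roster and the sample messages below are all constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed protected domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed roster: name -> real mailbox

URGENCY = re.compile(
    r"\b(urgent|immediately|confidential|today|asap|before (?:close|end) of (?:business|day))\b",
    re.I,
)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank account|acquisition|beneficiary)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that imitates the company domain without being it or a subdomain of it."""
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    if COMPANY_DOMAIN in domain:          # e.g. example-corp.com.evil.net
        return True
    return levenshtein(domain, COMPANY_DOMAIN) <= 2


def score_message(raw: bytes) -> dict:
    """Return a count of impersonation signals and the reason for each one."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", "") or "")
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") or "") + "\n" + (body.get_content() if body else "")

    reasons = []
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        reasons.append("display name matches an executive but the address does not")
    if is_lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment language")
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages (not real mail).
SUSPICIOUS = b"""From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example-corp.com
Subject: Urgent confidential wire transfer

Please wire the acquisition deposit today and keep this confidential.
"""

BENIGN = b"""From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 all-hands

See you Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, score_message(sample))
```

A score of zero does not prove a message is safe (a compromised real mailbox passes every check here), which is why the verification control discussed later in the article matters more than any filter; but a score of three or four on a payment request is a clear signal to stop and call the executive on a known number.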

Most business owners, leaders and C-Suite execs think they are absolutely too savvy to fall prey to this kind of scam.  Well, consider what happened to Ubiquiti Networks.

Case Study:  Gone Phishing and Landing a Whale

One prominent case study of a phishing attack on a U.S. business is the 2015 Business Email Compromise (BEC) and whaling attack on Ubiquiti Networks, a technology company specializing in wireless data communication and networking products.  In other words, a technology company was still outmaneuvered by a cunning cyber-criminal organization.

The attacker impersonated high-level executives at Ubiquiti and specifically targeted a senior accounting and finance officer at a Ubiquiti subsidiary in Hong Kong who had the authority to initiate large wire transfers. Posing as the company’s CEO and as an external attorney, the attacker pressured the employee to act quickly on a confidential deal.

Through a series of fraudulent emails, the attacker tricked the employee into making a total of 14 unauthorized wire transfers to overseas bank accounts. These transfers, which were supposedly for a confidential acquisition, were made over a 17-day period.  What’s worse, the company did not even discover the fraud on its own. The scam was only uncovered when the FBI notified Ubiquiti that its Hong Kong bank account might be a victim of fraud. At that point, the company had already lost approximately $46.7 million!

Ubiquiti responded first by making a public disclosure.  The company filed a public document with the Securities and Exchange Commission (SEC), disclosing the details of the fraudulent scheme and the financial loss. This was a critical step in fulfilling their legal and ethical obligations to shareholders.

They also took legal action. Ubiquiti worked with law enforcement, including the FBI, and other authorities to try to recover the stolen funds. Ubiquiti recovered $8.1 million and obtained a legal injunction freezing another $6.8 million.  But about two-thirds of the funds, over $30 million, were gone.

Most importantly, they conducted an internal investigation to determine how the breach occurred and to identify the specific weaknesses that were exploited.  This happened a decade ago, but it still raises the question: what could the company have done to thwart this attack?  The investigation revealed several key weaknesses that allowed the attack to succeed.

To prevent future attacks, the company took a few proactive steps:

Ubiquiti implemented a strong verification process for large transactions.  The most critical failure was the lack of a simple, robust verification protocol for wire transfers. A policy requiring a phone call (to a number already on file, never to one supplied in the request) or in-person verification for any significant financial transaction, especially one framed as urgent or confidential, could have exposed the scam before the first transfer went out.

Ubiquiti started employee security awareness training.  Phishing attacks succeed by preying on human error and trust. Regular and targeted security training for all employees, particularly those in high-risk departments like finance, is essential.
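The verification control described above is only as good as the source of the callback number: if the employee "verifies" by calling a phone number that arrived in the same email as the payment instruction, the attacker answers the call.  The following added example (not Ubiquiti’s code or policy, and not from this article) encodes a wire-approval gate that insists on a callback to the number recorded when the beneficiary was onboarded, plus a second approver above a threshold.  The threshold, the vendor directory and the requests are assumed and constructed for the illustration.

```python
"""Out-of-band verification gate for outgoing wire transfers.

Added illustration; not code from the article or from Ubiquiti.  The
threshold, the vendor directory and the sample requests are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LARGE_AMOUNT_USD = 25_000  # assumed threshold above which a callback and two approvers are mandatory

# Constructed master data: the only place a callback number may come from.
VENDOR_DIRECTORY = {
    "ACME Components Ltd": {"account": "HK-1234567", "callback": "+852-5555-0100"},
}


@dataclass
class WireRequest:
    beneficiary: str
    account: str
    amount_usd: float
    channel: str                              # "email", "erp" or "in_person"
    urgent: bool = False
    contact_in_request: Optional[str] = None  # any phone number the requester supplied


@dataclass
class Verification:
    performed: bool
    number_called: Optional[str] = None
    approvers: Tuple[str, ...] = ()


def needs_callback(req: WireRequest) -> List[str]:
    """Reasons this request cannot be paid on the strength of the instruction alone."""
    reasons = []
    on_file = VENDOR_DIRECTORY.get(req.beneficiary)
    if req.amount_usd >= LARGE_AMOUNT_USD:
        reasons.append("amount at or above threshold")
    if on_file is None:
        reasons.append("beneficiary not in vendor directory")
    elif on_file["account"] != req.account:
        reasons.append("account differs from account on file")
    if req.channel == "email":
        reasons.append("instruction received by email")
    if req.urgent:
        reasons.append("request marked urgent")
    return reasons


def decide(req: WireRequest, ver: Verification) -> Tuple[str, List[str]]:
    """Return ("approve" | "hold" | "reject", reasons)."""
    reasons = needs_callback(req)
    if not reasons:
        return "approve", []
    on_file = VENDOR_DIRECTORY.get(req.beneficiary)
    if on_file is None:
        return "reject", reasons + ["no independent callback number on file; onboard the beneficiary first"]
    if not ver.performed:
        return "hold", reasons + ["callback not yet performed"]
    if ver.number_called != on_file["callback"]:
        # The classic failure mode: confirming the payment with whoever wrote the email.
        return "reject", reasons + ["callback used a number that is not the one on file"]
    if req.amount_usd >= LARGE_AMOUNT_USD and len(set(ver.approvers)) < 2:
        return "hold", reasons + ["large transfer requires two distinct approvers"]
    return "approve", reasons


if __name__ == "__main__":
    # Constructed request resembling the case in the article: new overseas beneficiary,
    # urgent, by email, with a "please call me at" number supplied by the sender.
    rushed = WireRequest("Offshore Holdings", "X-1", 3_000_000, "email", urgent=True,
                         contact_in_request="+1-555-0199")
    print(decide(rushed, Verification(True, "+1-555-0199", ("alice",))))
```

Note that calling the number in the request is treated as no verification at all; the gate rejects rather than holds, because an employee who has already made that call has been talking to the attacker, and the request needs to be re-verified from scratch.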

While specific, detailed, post-attack measures are often kept confidential for security reasons, the Ubiquiti case became a textbook example of the financial and reputational damage of BEC scams. It spurred many companies to adopt more rigorous security protocols.

Next week, we will look at the specific measures that can be taken to combat the various kinds of phishing.  As Richard Clarke, Former U.S. National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, put it: “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”  So stay tuned and you’re sure to catch some big ideas to quash the phishing and protect your brand.

Quote of the Week
“The most sophisticated attack is a well-written email.”
Kevin Mandia, CEO, Mandiant (now part of Google Cloud)

© 2025, Keren Peters-Atkinson. All rights reserved.
