Types of Phishing and How to Protect Yourself

Phishing is a type of security threat where fake websites, emails, texts, or other methods will ask you to provide security details, such as your account credentials, in order to steal your identity or money or infect your device with harmful viruses. 

Have you ever opened an email that appeared to be from a trusted source, but something didn’t seem right once you had a chance to look at it carefully? This may have been a phishing attempt—when a hacker tries to get your personal information by impersonating a website or person you trust. Cyberattacks in the US continue to surge, occurring more and more each year. According to Check Point, cyberattacks in the US increased by 57 percent in 2022 when compared to 2021 [1]. 

In this article, you’ll learn more about how hackers use phishing to steal your personal data and careers to consider that fight against cyberattacks. 

What is phishing?

Phishing is a type of targeted security attack designed to motivate you to provide your personal information. Let’s explore how that might look in practice. Imagine you receive an email that looks like it’s from your bank alerting you to fraudulent activity on your account. In the email, you see a link to log into your bank account and verify whether or not the transactions are fraudulent. The problem is the email and the corresponding link are both fake. When you “log in'' to your account on the fake website, you’ll provide your login credentials to the hackers. 

In our example above, hackers attempt to gain access to an online bank account, but phishing is a technique hackers can use to gain all kinds of personal information. In some cases, the hacker may use phishing to gain access to your email account, where they might be able to find more information to trick you or someone with whom you work with more personalized phishing attacks. In other cases, the phishing attempt may contain a form of malware that downloads to your computer when you open the email. Phishing is a popular method among bad actors, as over 1.28 million phishing sites exist online as of the second quarter of 2023 [2].

Types of phishing

Phishing comes in many forms, including social engineering, email phishing, spear phishing, clone phishing, pop-up phishing, website spoofing, and more. Let’s take a closer look at these types of phishing and what you can do to protect yourself. 

Social engineering

A social engineering cyberattack is any time a cybercriminal uses social interaction to access an otherwise secure network. Social engineering is a broad category that phishing attacks fall into, but it’s not limited to digital methods of communication. Criminals using this method might research you before they contact you to provide you with a made-up story containing enough relevant details that you feel compelled to act. For example, you might receive a phone call claiming that a loved one is in danger and needs your help immediately, but when you contact your loved one, they are safe. 

Email phishing

Email phishing is one of the most common types of phishing, and scammers will sometimes use it in addition to other forms of phishing, such as an email leading you to a spoofed website, which might request your banking information. Sometimes, you can spot email phishing attempts because something looks off. For example, in the email, the company might claim to be Facebook (instead of Meta), use bad grammar or incorrect spelling, have an urgent tone, or contain an attachment. 

Spear phishing

With spear phishing, hackers find personal details about you and then use those to craft a lie that targets you specifically, causing you to react by giving them sensitive information. For example, a scammer might learn what company you work for and use spear phishing in an email to pose as a coworker asking questions about security protocols. 

Clone phishing

Clone phishing is similar to spear phishing since hackers can specifically target your personal situation, but the fake email is a near duplicate of another email you receive. Looking closely, you might spot the difference, such as a letter instead of a number in the email address. Scammers usually accomplish clone phishing by intercepting an email before it reaches its target audience, modifying the email, and sending out another one with a note such as “resending” or “trying again.” 

Pop-up phishing

Pop-up phishing happens when you're browsing a website and you get a pop-up ad advising you to take immediate action by clicking a link. A common pop-up phishing scheme occurs when you see an ad alerting you to a virus on your computer. This is likely an attempt to get you to download malware. 

Website spoofing

A website spoof happens when scammers create websites that are nearly identical to corporate-branded websites in the hope that people will attempt to make purchases and enter their private data into the fake site. Sometimes, email phishing scams will include links to spoofed websites. In some cases, you’ll notice that the URL of the website isn’t the same as the real site you were trying to reach. 

Tips to stay safe

By staying aware of phishing methods and making informed choices, you can take action and develop habits that keep you safe from cyberattacks, such as double-checking websites and adding pop-up blockers to protect yourself from hackers. Here are some additional tips to keep in mind: 

• Stay calm and wait before reacting. Take your time and ask yourself questions to be sure you fully understand the situation if you receive an urgent request. 

• Reach out. If you receive an urgent phone call about a loved one from a third party, reach out to see if you can verify the phone call you received before you share personal information. 

• Always double-check the website address. Before placing an order or entering sensitive information into a website, inspect the URL and ensure you’re at the correct website. It’s possible for a spoofed website to appear sophisticated enough that it’s difficult to spot. 

• Use multi-factor authentication. Multi-factor authentication is when you need to enter two or more credentials before you can access an account, such as entering a username and password and then confirming with a PIN code sent to your smartphone. These added layers help keep your accounts secure. 

• Install anti-virus software and pop-up blockers. Setting automatic updates can help you keep your software current without thinking about it. Making sure your software remains current and installing ad blockers assists in deterring security threats. 

• Never open links or attachments from suspicious emails. If you suspect an email might be a phishing attempt, do not open or download attachments or links. You can always access the correct link you are looking for through a trusted website instead of through your email. 

Careers that counteract phishing

If you want to help people protect themselves from cyberattacks, you may want to pursue a cybersecurity career as a threat hunter, a digital forensics analyst, or a security architect. These three potential careers help combat phishing and other bad actors. 

Threat hunter

Average annual salary in the US: $96,713 [3]

Job outlook (projected growth from 2022 to 2032): 32 percent [4]

Education requirements: To become a threat hunter, you'll likely need to earn a bachelor’s degree in computer and information technology or a related field, although this is not required in every situation. If you receive training within the industry as well as certifications, it also is possible for you to pursue this career.  

As a threat hunter, you will be a cybersecurity analyst actively looking for vulnerabilities and malicious actors who would harm your company. You will work on a team with other security professionals and try to find and correct potential threats before they become incidents. In this role, you will also need to communicate your findings with stakeholders and keep up to date with the latest security threats and solutions. Finally, to be successful in this career, you need strong communication skills, the ability to recognize patterns, and knowledge of forensics. 

Digital forensics analyst

Average annual salary in the US: $109,608 [5]

Job outlook (projected growth from 2022 to 2032): 13 percent [6]

Education requirements: To become a digital forensics analyst, you typically need to earn a bachelor’s degree in digital forensics, computer science, or a related field, but you may be able to enter the field by earning certifications in digital forensics. Certifications can also increase your employability when you have a degree. 

As a digital forensics analyst, you will assist in investigating crimes involving digital evidence, such as computer fraud. In this role, you may recover data deleted by suspects, trace the actions of hackers, and secure digital files to prevent tampering. Keeping a chain of custody will prepare data for lawyers to use in court.  

Security architect

Average annual salary in the US: $157,762 [7]

Job outlook (projected growth from 2022 to 2032): 4 percent [8]

Education requirements: To become a security architect, you'll likely need to earn a bachelor’s degree in computer science, engineering, or a related field. 

As a security architect, you will be responsible for engineering the security system for your entire company network. You will communicate with senior leadership to design a security plan and safety features while staying current on the latest cybersecurity trends. In this role, you may also lead a team of security professionals in executing the security plan. 

Learn more with Coursera.

To take the next step and learn more about preventing phishing attacks or start an exciting cybersecurity career, consider earning your Google Cybersecurity Professional Certificate on Coursera. This eight-course series can help you prepare for a job as a cybersecurity analyst or security operations center analyst, among other in-demand cybersecurity roles.