11 Types of Phishing Attacks You Need to Know to Stay Safe


One of the more worrying findings of the 2020 Webroot Threat Report was a 640% year-over-year rise in the number of active phishing sites on the web. While these still make up a minor portion of all malicious sites, cybercriminals are clearly finding them profitable enough to be worth investing time and labor in.

Phishing attacks are also diversifying considerably from what people often think of as the typical, email-based attack. To help our Community better identify the growing number of forms these attacks take, we’re beginning a series of posts describing them. We’ll begin with a typical phishing attack before elaborating on ten more subtypes, including spear phishing, search engine phishing, business email compromise and more.

But first, the good ol’ phishing we’ve come to know and loathe.

Download the 11 Types of Phishing eBook


Standard Phishing: Casting a Wide Net

At its most basic, standard phishing is the attempt to steal confidential information by pretending to be an authorized person or organization.

FYI: Most sources credit the first description of a phishing attack to a paper by the International HP Users Group, Interex, in 1987.


An Example of Standard Phishing

This tactic has, in the past, been more about quantity than quality. The audience was broad and emails were riddled with noticeable errors.

As phishing has developed, it’s become more sophisticated and harder to spot.

Tip: Do you know how to tell if an email’s legit? Here are five ways to spot a phishing email

10 replies

Userlevel 3
Badge +3

I came here to read about phishing and its 11 types.

What I got was an explanation of one, 1, form and to get the others, I needed to click on the box, which I did. Took me to another site that requested information that you already have on me.

I also replied to your survey and it would not let me proceed because I had entered some comments into OTHER box. The survey would not let me proceed because I did not check any of the options you provided, because they didn't apply.

The only reason I am replying here is because I am incensed about the difficulty getting some information on phishing when your email, from a trusted source Webroot, said to come here to get information.

I am not going to reenter my personal information which you already have. The behavior here very closely mimics that of a Phishing site!


Userlevel 2
Badge +9

Can a moderator explain the need to reenter credentials?

This post is riddled with noticeable errors.

I came here from a link in an email received from Webroot.

NEWSLETTER: Not your old man's phishing attack

In the very same email there are other links:

COVID-19 and the Indispensable MSP
»read post » http://click.service-webroot.com/ 

Is it acceptable to use http instead of https these days?


Userlevel 2
Badge +3

Webroot has a very informative and interesting newsletter that it emails to subscribers.  In today’s newsletter (081620), in an article about phishing, there is a link to an e-book on 11 types of phishing attacks.  When you click on the link, it asks for your name and contact information.  Is this a test of one’s level of caution about phishing?  I am, of course, joking, sort of.  But it seems a cautionary tale to provide this info in a phishing article.

Userlevel 7
Badge +63

I’m sure @freydrew will see all these comments and make a reply!

Badge +3

I won’t restate all of the (well justified!) comments already pointing out the irony of this newsletter article and associated link.

Of course, we all know that information about website visitors is valuable, and it’s not necessarily a nefarious deed for a website operator to try to harvest it.

What bothers me far more than the amateur-night, phishing-adjacent nature of this debacle - is that it’s WEBROOT that is doing it! The reason that WE are the audience is because we are obviously relying on WEBROOT to be the guardians of our PII.

I mean, we’re already Webroot users, and part of the “Webroot Community”, or we wouldn’t be getting the newsletter, right? So as @wgr points out, they already have that info (and I have no problem with them making a new user register before reading the article).

It’s that fact that really bothers me, because none of the reasons for this additional request for identifying info make me feel all warm and fuzzy about having Webroot as my “protector”.



Not the best way to gather information from potential customers. I have seen the request for information on a lot of pages from Webroot, even if I just filled in my details on another request.