What are the most common types of phishing attacks?
Phishing is the fraudulent practice of sending emails that pretend to come from a reputable source in order to get individuals to reveal personal data such as login credentials or bank card details, or to send money. A malicious actor will tailor the email so that it speaks directly to you and urges immediate action, then ask for personal information, persuade you to open a malicious attachment, or provide a dangerous link to follow.
It only takes one successful phishing attempt to steal your data or even compromise your network. Although the malicious actor’s ultimate goal is always the same, cybercriminals have found many ways to launch their attack.
Common types of phishing attack include:
Email phishing: malicious actors send emails to users, impersonating a known source or legitimate organization.
Spear phishing: targets a specific individual or group, such as a system administrator, in order to steal data or install malware on the targeted network.
Whaling/CEO fraud: a cybercriminal sends an email masquerading as a senior executive of an organization and directly targets other senior or important individuals there, with the aim of getting them to reveal sensitive data or initiate a transfer of money.
Vishing: a phishing attack carried out over a voice call, in order to obtain the targeted victim's personal information.
Smishing: uses text messaging (SMS) to carry out the attack. The attack succeeds when the target performs the action demanded in the text, such as clicking on a link or sending money.
Angler phishing: phishing attacks launched using false corporate social media accounts.
In Rwanda, reporting from the Central Bank has noted that the most common methods observed in recent years rely on email, text messages and phone calls, which correspond respectively to email phishing, smishing and vishing.
So how does one protect themselves against these three common types of phishing attacks?
E-mail phishing
Pause and think before taking any immediate action as requested from an email;
Look out for spelling errors, poor grammar, unprofessional graphics, unnecessary urgency or a generic greeting such as 'Dear Customer' instead of your name;
Do not click on links or download attachments if you are not absolutely confident about the source of an e-mail;
Educate staff to identify fake and malicious e-mails and stay vigilant;
Consider deploying a secure email gateway and keep its filters (anti-spam, anti-malware, policy-based filtering) maintained and up to date.
Smishing
Treat urgent account updates and limited-time offers received by SMS as warning signs of possible smishing;
Remain skeptical and, if in doubt, contact the institution directly through another channel: any genuine urgent notice can be verified by logging in to your online account or calling the official helpline, rather than following the link in the message.
Vishing
If the caller's identity is unclear and the offer sounds too good to be true, or a person or a recording asks you for personal information, hang up;
If the caller claims to be from a trusted organization and requests personal information, hang up and call that organization directly, using a number you already have rather than one the caller gives you, to confirm the request.
Other useful prevention actions against phishing:
Avoid clicking on random links, especially shortened links found on social media or SMS;
Avoid over-sharing personal information on social media, e.g. duration of absence from office or home, flight information, current location etc.;
Check the domain name of the websites you visit for typos, especially on sensitive websites such as bank websites. Cybercriminals routinely register fake domains that look similar to legitimate ones (a swapped letter, an added word, or the bank's name placed in front of a domain they control) and use them to 'phish' their targets. Looking only for an HTTPS connection is not enough: HTTPS means the connection is encrypted, but attackers obtain valid certificates for their lookalike domains too;
Enable two-factor authentication wherever it is offered, to prevent account takeovers by criminals;
Use a strong and unique password for every online service. Re-using the same password across accounts is a serious security flaw, because a breach of one service then exposes every account that shares the password;
Report all phishing attempts to designated authorities.
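The domain-name advice above is easy to turn into an automated check, for instance in a link-scanning step of a mail gateway or a browser extension. The following Python script is an added example written for this page, not code from the original article or from any organization it mentions. It takes a URL, decodes punycode (xn--) hostnames, and compares the registrable domain against a constructed allow-list (`KNOWN_DOMAINS`, hypothetical names) for three patterns: the brand name used as a subdomain of an unrelated domain, typosquats within a small edit distance after folding common look-alike substitutions, and a swapped top-level domain. The URL scheme is deliberately ignored, because an HTTPS padlock says nothing about who owns the site.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the organization trusts.
# Hypothetical names; a real deployment would use its own list.
KNOWN_DOMAINS = ["mybank.rw", "example.org"]

# Typosquatting substitutions folded before comparison, so that
# "rnybank" and "mybank" compare as equal.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]

MAX_EDIT_DISTANCE = 2  # tuning knob: larger values catch more and false-positive more


def hostname_of(url: str) -> str:
    """Lowercase hostname from a URL, with punycode (xn--) labels decoded to Unicode."""
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: compare it as given
    return host.lower().rstrip(".")


def registrable(host: str) -> str:
    """Last two labels. Assumption: no multi-label public suffixes (co.uk etc.) in scope."""
    return ".".join(host.split(".")[-2:])


def fold(name: str) -> str:
    """Strip accents/combining marks and apply the typosquat substitutions."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str):
    """Return (verdict, matched_known_domain). The scheme (http/https) is not consulted."""
    host = hostname_of(url)
    if not host:
        return ("invalid", None)
    if is_ip_literal(host):
        return ("ip_literal", None)  # legitimate services rarely send bare-IP links
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return ("known", reg)
    prefix = host[: len(host) - len(reg)]  # everything left of the registrable domain
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in fold(prefix):
            return ("brand_in_subdomain", known)  # e.g. mybank.rw.verify-account.example.net
    folded = fold(reg)
    for known in KNOWN_DOMAINS:
        known_folded = fold(known)
        tld_swap = folded.split(".")[0] == known_folded.split(".")[0]
        if tld_swap or levenshtein(folded, known_folded) <= MAX_EDIT_DISTANCE:
            return ("lookalike", known)
    return ("unknown", None)


if __name__ == "__main__":
    for u in ["https://login.mybank.rw/", "https://rnybank.rw/login",
              "https://mybank.rw.verify-account.example.net/", "http://192.0.2.10/"]:
        print(u, "->", classify(u))
```

Two caveats for anyone adapting this: the two-label `registrable()` rule is wrong for suffixes such as co.uk, so a production check should use the Public Suffix List, and an edit-distance threshold always trades false positives against misses, so review what it flags before blocking automatically.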