Common Phishing Email Tactics and Their Objectives

Phishing is one of the most persistent cybersecurity threats. While techniques may vary, phishing attacks typically fall into specific categories based on what the attacker is trying to achieve. Understanding these categories can help you identify threats more effectively.


1. Malware Delivery

Phishing emails in this category aim to trick recipients into downloading malicious software, such as ransomware, spyware, or keyloggers. They often contain attachments or links disguised as invoices, resumes, or legitimate documents.

Example:

"Invoice attached for your recent purchase. Please open the PDF to confirm payment details."


2. Credential Harvesting

These attacks try to steal login information by luring users to fake login pages for services like Microsoft 365, Google Workspace, or bank portals. The pages look legitimate but record your credentials as soon as you enter them.

Example:

"We've detected a login from an unknown device. Click here to verify your account."
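
A defender-side check for this category, added here as an example and not part of the original article: it extracts links from an HTML email and flags those whose visible URL differs from the real target, or whose wording asks the reader to authenticate on a host outside an allowlist. The allowlist, the lure wording, the sample message and the names suspicious_links and LinkCollector are all assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: hosts where users really sign in, and wording that asks them to.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
LURE_WORDS = ("verify", "sign in", "log in", "password", "account")

# Constructed sample message; example.test is a reserved, non-routable name.
SAMPLE = """From: Security Team <alerts@example.test>
Content-Type: text/html; charset=utf-8

<p>We've detected a login from an unknown device.
<a href="https://login.example.test/session">Click here to verify your account</a></p>
<p>Docs: <a href="https://accounts.google.com/">https://accounts.google.com/</a></p>
<p>Or visit <a href="https://portal.example.test/">https://login.microsoftonline.com/</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_message):
    """Return (target host, reason) for links worth a second look."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        parser = LinkCollector()
        parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in parser.links:
            host = (urlsplit(href).hostname or "").lower()
            shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
            if shown and shown != host:
                findings.append((host, "visible URL differs from target"))
            elif any(w in text.lower() for w in LURE_WORDS) and host not in TRUSTED_LOGIN_HOSTS:
                findings.append((host, "login lure to untrusted host"))
    return findings
```

A hit is a triage signal, not a verdict: legitimate mail often routes links through tracking or rewriting hosts that are not on the allowlist.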


3. Business Email Compromise (BEC) / Impersonation

BEC scams involve impersonating a trusted individual — often a company executive, manager, or vendor — to manipulate employees into transferring money or sensitive information. These attacks are well-researched and personalized.

Example:

"Hey, I’m on a call but need you to process a wire transfer for a new vendor ASAP. I’ll send the details shortly."


4. Extortion Scams

Attackers claim to have compromising information about the victim — often stating they've hacked their device or webcam — and demand payment to prevent public exposure. These claims are usually false but written to instill fear.

Example:

"We’ve recorded you through your webcam. Pay $1,000 in Bitcoin or the video gets shared."


5. Vishing (Voice Phishing)

In vishing attacks, scammers call targets pretending to be tech support, bank representatives, or government agencies. The goal is to extract sensitive information or convince the victim to take risky actions like installing software.

Example:

"This is Microsoft support. Your computer is infected — please install this tool so we can help."


6. Smishing (SMS Phishing)

These attacks are delivered via text message and often contain malicious links or fake delivery updates. As with email phishing, the goal is to steal data or install malware.

Example:

"Your package is being held due to unpaid customs fees. Pay here: [malicious link]"


Final Thoughts

Phishing attacks are not just about poor grammar and suspicious links anymore — they’re targeted, well-crafted, and driven by specific goals. By understanding the type of scam and what it aims to achieve, individuals and organizations can stay one step ahead of attackers.

Stay skeptical. Verify requests. Report anything suspicious.