6 Common Phishing Attacks and How to Protect Against Them
Phishing is still as large a concern as ever; "if it ain't broke, don't fix it" seems to hold for this tried-and-true attack method. The Verizon 2023 Data Breach Investigations Report (DBIR) states that phishing accounted for 44% of social engineering incidents, up 3% from the previous year despite stiff competition from pretexting attacks. Even as more sophisticated threats (APTs, recompiled malware, fileless malware, and new ransomware strains) grab the attention, the simplest method still seems to work best.
Why is phishing such a favorite among black hats? Because it plays on what is often described as cybersecurity's "weakest link": us. As the 2023 DBIR found, 74% of breaches involved the human element, and that largely means employees being duped into clicking malicious links and entering their credentials into fraudulent sites.
That's why every company needs to know how to spot the most common phishing scams if it is to protect its corporate information, and why its employees need to be familiar with the techniques malicious actors use to pull them off. After all, employees are the ones on the front lines. It would be unfair to put all the blame on people, though: weak technical controls account for many of the phishing emails that get through. A person can't click on what never reaches their inbox, so email security platforms, digital risk protection, and anti-phishing solutions are a key element. Still, you can't defend against what you don't understand.
Towards that end, let’s discuss six of the most common types of phishing attacks and highlight some tips that organizations can use to defend themselves.
1. What is Deceptive Phishing?
Deceptive phishing is the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company or recognized sender to steal people’s personal data or login credentials. Those emails use threats and a sense of urgency to scare users into doing what the attackers want.
Techniques Used in Deceptive Phishing
Vade Secure highlighted some of the most common techniques used in deceptive phishing attacks. These are as follows:
- Legitimate links – Many attackers evade email filters by mixing legitimate links into their deceptive phishing emails, for example the genuine contact or privacy-policy links of the organization they are spoofing, so that only one link in the message is malicious.
- Blend malicious and benign code – Those who build phishing landing pages commonly blend malicious and benign code to fool Exchange Online Protection (EOP) and similar scanners. This often takes the form of copying the CSS and JavaScript of a tech giant's login page wholesale and changing only where the submitted credentials are sent.
- Redirects and shortened links – Malicious actors don't want to raise red flags with their victims or with Secure Email Gateways (SEGs), so they use shortened URLs that hide the real destination from both. They also use "time bombing": the link points at a harmless page when the gateway scans it at delivery time and is switched to the phishing landing page afterwards. Once victims have handed over their credentials, the campaign redirects them to the legitimate site so that nothing looks amiss.
- Modify brand logos – Some email filters detect stolen organization logos in attack emails or on phishing landing pages by matching the logos' HTML attributes. To fool these detection tools, malicious actors alter an attribute of the logo, such as its color, so that the image no longer matches the filter's fingerprint.
- Minimal email content – Digital attackers evade text-based detection by including minimal content in their attack emails, for instance by putting the entire message into an image instead of text.
Recent Examples of Deceptive Phishing Attacks
We've seen deceptive phishing campaigns make headlines this past year. On September 9, 2023, it was discovered that the X (formerly Twitter) account of Vitalik Buterin, co-founder of Ethereum, had been hijacked. Attackers posted a fake tweet from Buterin's account to lure users into a phishing scam, promising a free commemorative NFT to anyone who clicked the link. The link led to a site that required victims to connect their crypto wallets before any NFT was "paid out"; in the end, the victims were the only ones paying.
Also seen this past year was the phishing campaign that capitalized on the collapse of Silicon Valley Bank (SVB). Posing as SVB customers, threat actors emailed those companies' own customers requesting that future payments be routed to a different bank account (on the pretext that SVB was going under). Those who believed the scam redirected their future payments directly into the hands of attackers.
According to data from Check Point Research, retail giant Walmart was the most imitated brand of Q3 2023, accounting for 39% of all brand phishing attempts, followed by Microsoft (14%) and Wells Fargo (8%), a significant change from the previous year. In Q3 2022, shipping company DHL took top spot, albeit with 22%, with Microsoft again in second place (16%) and LinkedIn third (11%). This trend may reveal the beginnings of a shift toward phishing less experienced users (consumers) rather than business leaders who may be more cyber-aware. Although DHL is used by companies and consumers alike, a savvy professional may know that scammers favor shipping ploys around the holidays, whereas an average consumer may not.
How to Defend Against Deceptive Phishing
The success of a deceptive phish hinges on how closely the attack email resembles official correspondence from the spoofed company. Acknowledging that, users should hover over (or long-press) every link to compare the displayed text with the real destination and check whether it leads to an unknown or suspicious domain. They should also look out for generic salutations, grammar mistakes, and spelling errors, and treat any urgent demand to "verify" an account as a red flag.
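The techniques listed above and the link-inspection advice in this section can be turned into a mechanical check. The following is an added example (not code from the original article or from any vendor it cites): it parses an HTML email body and flags display-text/destination mismatches, shortened URLs, punycode or lookalike hosts, legitimate links mixed with malicious ones, and image-only bodies. The impersonated brand name "example-bank.com", the constructed HTML samples, and the small shortener list are all assumptions of this example.

```python
# Added example (not from the original article): flag the deceptive-phishing
# URL tricks described above in an HTML email body. Everything here is an
# assumption of this example: the impersonated brand "example-bank.com", the
# constructed HTML samples, and the short illustrative list of link shorteners.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, and counts <img> tags and
    visible text characters so image-only bodies can be spotted."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        self.text_chars += len(data.strip())


def registrable(host):
    """Crude registrable-domain guess (last two labels). A real implementation
    would use the Public Suffix List; this shortcut is an assumption."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_email(html, trusted_domain):
    """Return a list of human-readable findings for one HTML email body."""
    p = _LinkExtractor()
    p.feed(html)
    findings, domains = [], set()
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        domains.add(registrable(host))
        # Display text that looks like a URL must match the real destination.
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"link text shows {shown.group(1)} but points at {host}")
        # Shorteners hide the destination from both the reader and the gateway.
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened URL hides destination: {href}")
        # Punycode / non-ASCII hosts are the usual carrier for homoglyph lookalikes.
        if "xn--" in host or any(ord(c) > 127 for c in host):
            findings.append(f"IDN/punycode host {host}")
        # Brand name used as a subdomain of an unrelated domain.
        if trusted_domain in host and registrable(host) != trusted_domain:
            findings.append(f"lookalike host {host} (brand used as subdomain)")
    others = domains - {trusted_domain, ""}
    if trusted_domain in domains and others:
        findings.append(f"mixes legitimate {trusted_domain} links with {sorted(others)}")
    if p.images and p.text_chars < 40:
        findings.append("image-only body with minimal text")
    return findings


# Constructed samples (not real phishing mail).
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example-bank.com/logo.png" alt="Example Bank">
<p>Your account has been locked. Verify within 24 hours.</p>
<a href="https://example-bank.com.secure-login.xyz/verify">https://example-bank.com/verify</a>
<a href="https://bit.ly/3abcxyz">Click here</a>
<a href="https://example-bank.com/contact">Contact us</a>
</body></html>"""

IMAGE_ONLY_HTML = '<html><body><img src="cid:invoice"></body></html>'

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_HTML, "example-bank.com"):
        print("FLAG:", finding)
```

Run against the first sample this reports four findings (text/destination mismatch, brand-as-subdomain lookalike, a shortener, and legitimate links mixed with malicious ones); the second sample trips only the image-only check. A production filter would also fetch and re-check links some time after delivery, which is the only way to catch the "time bombing" switch described above.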
2. What is Spear Phishing?
Not all phishing scams embrace “spray and pray” techniques. Some ruses rely more on a personal touch. They do so because they wouldn’t be successful otherwise.
That’s the logic behind spear phishing schemes.
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number, and other information to trick the recipient into believing that they have a connection with the sender. Yet the goal is the same as deceptive phishing: get the victim to click on a malicious URL or email attachment so that they’ll hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.
Techniques Used in Spear Phishing
Provided below are some of the most common techniques used in spear phishing attacks:
- Housing malicious documents on cloud services: CIO reported that digital attackers are increasingly housing malicious documents on Dropbox, Box, Google Drive, and other cloud services. Because IT rarely blocks these services, the organization's email and URL filters won't flag links to the weaponized documents.
- Compromise tokens: CSO also noted that digital criminals attempt to compromise API tokens or session tokens. Success would give them access to an email account, SharePoint site, or other resource without the password and, because a stolen session token represents an already-authenticated login, without triggering MFA.
- Gather out-of-office notifications: Attackers need lots of intelligence to send a convincing spear-phishing campaign. Per Trend Micro, one way they can do this is by emailing employees en masse and gathering out-of-office notifications to learn the format of the email addresses used by internal employees.
- Explore social media: Malicious actors need to learn who’s working at a targeted company. They can do this by using social media to investigate the organization’s structure and decide whom they’d like to single out for their targeted attacks.
- Artificial Intelligence (AI): AI has opened the door for nearly all phishing attacks to soon become “spear phishing” in nature. In the phishing arena, AI does several things: it scrapes social media sites for personal data, making it easier for hackers to customize emails and fraudulent communications, and it creates “deepfake” videos that make customized deception even easier. As SC Media reports, thanks to AI “cybercriminals will have access to an ever-growing treasure trove of data, from open-source data such as job postings to personal information leaked in data breaches, with which to craft highly targeted spear phishing lures.”
Examples of Spear Phishing Attacks
We’re all familiar with LinkedIn spear phishing scams that materialize in the form of customized fake job offers. More than just acute disappointment, these scams can introduce real danger. Said the researchers at the eSentire Threat Response Unit, “Upon opening the fake job offer, the victim unwittingly initiates the stealthy installation of the fileless backdoor, ‘More Eggs’. Once loaded, the sophisticated backdoor can download additional malicious plugins and provide hands-on access to the victim’s computer.” And if we thought those LinkedIn scams were scary before, they’re now worse than ever thanks to this year’s meteoric advancements in AI.
NBC recently reported that since ChatGPT came out, there has been a huge increase in spear phishing. In the interview, Eva Chen, CEO of Trend Micro, notes three reasons why:
- AI “sources” the victims, allowing scammers to identify their next targets.
- ChatGPT can granularly customize targeted messages, producing incredibly convincing spear phishing emails, phone scams, or video scams.
- “Scam GPT” is an as-a-Service model in which attackers subscribe to this service to get pre-scripted email scams for a reasonable cost.
Generative AI has made targeted attacks extremely easy to do, removing many of the roadblocks of time, painstaking reconnaissance, and overall believability.
How to Defend Against Spear Phishing
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in spear phishing prevention solutions that analyze inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats. Additionally, targeted social media protection solutions can monitor for threats specifically on those platforms, weed out false positives, and block attacks.
3. What is Whaling?
Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.
If their attack proves successful, fraudsters can go on to conduct CEO fraud. As the second phase of a Business Email Compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to an account of their choice. Alternatively, they can use that same email account to conduct W-2 phishing, requesting W-2 information for all employees so that they can file fake tax returns on their behalf or sell that data on the dark web.
Techniques Used in Whaling
Whaling attacks commonly make use of the same techniques as spear phishing campaigns. Here are a few additional tactics that malicious actors could use:
- Infiltrate the network: A compromised executive’s account is more effective than a spoofed email account. As noted by Varonis, digital attackers could therefore use malware and rootkits to infiltrate their target’s network.
- Follow up with a phone call: The United Kingdom’s National Cyber Security Centre (NCSC) learned of several instances where attackers followed up a whaling email with a phone call confirming the email request. This social engineering tactic helped to assuage the target’s fears that there could be something suspicious afoot.
- Go after the supply chain: Additionally, the NCSC has witnessed a rise of instances where malicious actors have used information from targets’ suppliers and vendors to make their whaling emails appear like they’re coming from trusted partners.
Recent Examples of Whaling Attacks
This year, a phishing kit known as EvilProxy was caught targeting executives through the job search platform Indeed. The attacks focused primarily on C-suite executives in the United States, particularly in financial services, real estate, and manufacturing. Targets received a phishing email containing deceptive links which, when clicked, led to fake Microsoft Online login pages where the executives entered their credentials. Because EvilProxy is a reverse-proxy (adversary-in-the-middle) kit, those pages relay the victim's login to the genuine service and capture the resulting session cookie, so the attacker obtains a working session even when MFA is enabled.
And there is no shortage of statistics on BEC. Accounting for over $2.7 billion in adjusted losses per the most recent FBI Internet Crime Report, BEC depends on whaling to fuel the fire. Early this year, researchers discovered two groups using executive impersonation to launch these kinds of attacks in at least 13 different languages. Automation tools (Google Translate was cited in this case) have come a long way in making this possible, or at least profitable, to do so. Says Crane Hassold, director of threat intelligence at Abnormal Security, “These attacks demonstrate that BEC is a global issue and not just an English-only phenomenon. Our findings also show how cybercriminals are always looking to exploit various tools, such as Google Translate, to expand their potential victim population.”
How to Defend Against Whaling
Whaling attacks work because executives often skip the security awareness training their employees receive. To counter CEO fraud and W-2 phishing, organizations should mandate that all personnel, executives included, take part in security awareness training on an ongoing basis. Email security controls that authenticate senders and flag lookalike domains provide a backstop for the attempts that get past people.
Organizations should also build out-of-band verification into their financial authorization processes (for example, a callback to a phone number already on file and a second approver for any new or changed payment details) so that no one can authorize a payment on the strength of an email alone.
4. What is Vishing?
Until now, we’ve discussed phishing attacks that for the most part rely on email. But fraudsters do sometimes turn to other media to perpetrate their attacks.
Take vishing, for example. This type of phishing attack dispenses with sending out an email and goes for placing a phone call instead. As noted by Comparitech, an attacker can perpetrate a vishing campaign by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds. Malicious actors used those tactics to step up their vishing efforts and target remote workers in 2020, found the FBI.
Techniques Used in Vishing
Here are some common techniques used in vishing attacks:
- “The mumble technique”: Digital attackers will oftentimes incorporate unique tactics to go after specific targets. For instance, as reported by Social-Engineer, LLC, when they attempt to target customer service representatives or call center agents, malicious actors might use what’s known as “the mumble technique” to mumble a response to a question in the hopes that their “answer” will suffice.
- Technical jargon: If malicious actors are targeting a company’s employees, Social-Engineer, LLC noted that they might impersonate in-house tech support by using technical jargon and alluding to things like speed issues or badging to convince an employee that it’s okay for them to hand over their information.
- ID spoofing: Here, a malicious actor disguises their phone number to make their call look like it’s coming from a legitimate phone number in the target’s area code. Twinstate noted that this technique could lull targets into a false sense of security.
Recent Examples of Vishing Attacks
Last year, Cisco fell prey to a clever vishing attack that started with the compromise of an employee's personal Google account, whose browser password sync had stored the employee's corporate credentials. The attacker then combined voice phishing calls with repeated MFA push notifications (MFA fatigue) until the employee accepted one, which gave the attacker access to the corporate Virtual Private Network (VPN).
If current AI capabilities are any indication, this is only the beginning. AI can now clone anyone’s voice, having the ability to con even “voiceprint” security systems such as the one used by the Australian Tax Office (ATO). If this is a susceptible target, how much more are we when we pick up the other end of the line? In one instance earlier this year, Vice reporter Joseph Cox was able to use an AI-replicated version of his own voice to crack access to his bank account. In another, the same trick was used by Guardian Australia journalist Nick Evershed to gain access to a government sponsored self-service portal.
How to Defend Against Vishing
To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information or MFA codes over the phone, and use a caller ID app. Since caller ID can be spoofed, anyone claiming to be from a bank or IT support should be told you will call back, and the call-back should go to a number you already have, not one the caller provides.
5. What is Smishing?
Vishing isn’t the only type of phishing that digital fraudsters can perpetrate using a phone. They can also conduct what’s known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.
Techniques Used in Smishing
Webroot identified some techniques commonly used by smishers:
- Trigger the download of a malicious app: Attackers use malicious links to lure victims into downloading malicious apps onto their mobile devices. Those apps could then deploy ransomware or enable nefarious actors to remotely control the device.
- Link to data-stealing forms: Attackers could leverage a text message along with deceptive phishing techniques to trick users into clicking a malicious link. The campaign could then redirect them to a website designed to steal their personal information.
- Instruct the user to contact tech support: With this type of attack tactic, malicious actors send out text messages that instruct recipients to contact a number for customer support. The scammer will then masquerade as a legitimate customer service representative and attempt to trick the victim into handing over their personal data.
Recent Examples of Smishing Attacks
SMS scams have become so ubiquitous that it’s hard to pinpoint just a few. From first-hand accounts of people asking for an urgent favor, to meandering WhatsApp chats impersonating family members (and ultimately leading to crypto conversations), message-based phishing attempts are on the rise.
Further examples from this year alone include Facebook Messenger smishing attempts (I’ve had a few) encouraging you to apply for grants, and banking-related notifications “from” institutions such as Wells Fargo requesting unsolicited account verification.
Proofpoint’s 2023 State of the Phish report reveals that 76% of organizations experienced a smishing attack in 2022.
How to Defend Against Smishing
Users can help defend against smishing attacks by researching unknown phone numbers and, if they have any doubts, calling the company named in a suspicious SMS using the number on its official website, card, or statement, never the number given in the message itself.
6. What is Pharming?
As users become wiser to traditional phishing scams, some fraudsters abandon "baiting" their victims altogether and resort to pharming. This method does not need the victim to click anything: it tampers with name resolution, either by poisoning a Domain Name System (DNS) cache or by modifying the victim's local hosts file. DNS is the naming system the Internet uses to convert human-readable website names, such as "microsoft.com," into numerical IP addresses so that traffic can be directed to the right server.
In a DNS cache poisoning attack, a pharmer injects a forged record into a DNS resolver's cache, changing the IP address associated with a website name. Every user of that resolver is then redirected to a malicious website of the attacker's choosing, even when they type the correct site name.
Techniques Used in Pharming
Included below are some pharming tactics identified by Panda Security:
- Malicious email code: In this variant of a pharming attack, malicious actors send out emails containing malicious code (typically a trojan attachment) that modifies the hosts file on the recipient's computer. The hosts file is consulted before DNS, so entries added there silently redirect requests for chosen domains to a server under the attackers' control, where they can install malware or steal the victim's information.
- Targeting the DNS server: Alternatively, malicious actors might opt to skip targeting individual users’ computers and directly go after a DNS server. This could potentially compromise millions of web users’ URL requests.
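The hosts-file variant above leaves a trace on the endpoint that is easy to audit. The following is an added example (not from the original article or from Panda Security): it parses hosts-file content and reports any watched hostname that is mapped to an address other than the local machine. The hosts content, the watched hostname list, and the use of the 198.51.100.0/24 documentation range are all constructed for this example.

```python
# Added example (not from the original article): audit a hosts file for the
# local pharming technique described above, where malicious code silently maps
# a bank's or mail provider's hostname to an attacker-controlled address.
# Assumptions of this example: the hosts content is constructed, the watched
# hostname list is illustrative, and for those names only loopback,
# link-local or unspecified mappings are treated as benign.
import ipaddress

WATCHED = {
    "example-bank.com",
    "www.example-bank.com",
    "login.microsoftonline.com",
    "mail.example.com",
}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every valid hosts-file mapping,
    ignoring comments, blank lines and unparsable addresses."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address; skip rather than guess
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")


def suspicious_entries(text, watched=WATCHED):
    """Return [(line_number, hostname, ip)] for watched names that resolve
    somewhere other than the local machine, i.e. likely pharming overrides."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        local = ip.is_loopback or ip.is_link_local or ip.is_unspecified
        if name in watched and not local:
            findings.append((lineno, name, str(ip)))
    return findings


# Constructed sample; 198.51.100.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.10    printer.lan
# The entries below are what a pharming trojan appends; the blank lines are
# the padding such malware uses so the lines sit below the visible window.



198.51.100.23   www.example-bank.com example-bank.com
198.51.100.23   login.microsoftonline.com
"""

if __name__ == "__main__":
    for lineno, name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a real system feed it the contents of /etc/hosts (Unix) or C:\Windows\System32\drivers\etc\hosts (Windows), and run it from endpoint management or a scheduled job so that a fresh override is noticed before the next banking session rather than after it.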
Recent Examples of Pharming Attacks
In August 2023, researchers presented MaginotDNS, a potent new cache poisoning attack that can hijack entire Top-Level Domains (TLDs) by targeting Conditional DNS (CDNS) resolvers, servers that act as both a recursive resolver and a forwarder while sharing a single cache. Roughly one-third of all CDNS servers were found to be vulnerable because the bailiwick check (which stops a server from caching records for domains outside the zone it was asked about) is implemented inconsistently between recursive and forwarding modes.
In another instance, Proofpoint revealed that it had detected a pharming campaign targeting primarily Brazilian users. The operation used four distinct URLs embedded in phishing emails to prey upon owners of UTStarcom and TP-Link routers. Whenever a recipient clicked one of the URLs, the campaign sent them to a website that executed Cross-Site Request Forgery (CSRF) requests against vulnerabilities in the targeted routers, changing the routers' DNS server settings. Successful exploitation enabled malicious actors to perform Man-in-the-Middle (MitM) attacks on every device behind the router.
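The MaginotDNS result above comes down to one check being applied in one code path and skipped in another. The following is an added example (not from the original article or from the MaginotDNS authors) that models that check in a few dozen lines: a response from a server for one zone is filtered so that only in-bailiwick records reach a cache shared by both modes, and the same response is then ingested through a lax "forwarding" path to show how an injected record for an unrelated bank, and an NS record for the whole .com TLD, lands in the cache. The record dicts, zone names, and addresses are constructed; real resolvers apply further checks (query name, transaction ID, source port, DNSSEC) that this model omits.

```python
# Added example (not from the original article): a simplified model of the
# bailiwick check that MaginotDNS-style cache poisoning gets around. A resolver
# should only cache records that fall inside the zone of the server that
# answered; the attack works where a conditional (recursive + forwarding)
# server applies that check in one mode but not the other while sharing one
# cache. Assumptions of this example: the record dicts, zone names and
# addresses are constructed, and real resolvers apply additional checks
# (query name, transaction ID, source port, DNSSEC) that this model omits.


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_records(response, server_zone, strict=True):
    """Split a response into (cacheable, dropped). With strict=True every
    record outside server_zone is dropped; strict=False models the lax
    forwarding-mode behaviour that lets injected records through."""
    accepted, dropped = [], []
    for rr in response:
        if strict and not in_bailiwick(rr["name"], server_zone):
            dropped.append(rr)
        else:
            accepted.append(rr)
    return accepted, dropped


class SharedCache:
    """One cache used by both the recursive and the forwarding code path."""

    def __init__(self):
        self._rr = {}

    def store(self, records):
        for rr in records:
            self._rr[(rr["name"].lower().rstrip("."), rr["type"])] = rr["data"]

    def lookup(self, name, rtype):
        return self._rr.get((name.lower().rstrip("."), rtype))


def ingest(mode, cache, response, server_zone):
    """Process a response in 'recursive' or 'forwarding' mode and return the
    records that were refused."""
    accepted, dropped = accept_records(response, server_zone, strict=(mode == "recursive"))
    cache.store(accepted)
    return dropped


# Constructed response from a server authoritative for attacker.example. The
# last two records are the injected ones: an A record for a bank the attacker
# does not own and an NS record that would hand the whole .com TLD to the attacker.
POISONED_RESPONSE = [
    {"name": "www.attacker.example", "type": "A", "data": "203.0.113.5"},
    {"name": "attacker.example", "type": "NS", "data": "ns1.attacker.example"},
    {"name": "ns1.attacker.example", "type": "A", "data": "203.0.113.6"},
    {"name": "www.example-bank.com", "type": "A", "data": "203.0.113.7"},
    {"name": "com", "type": "NS", "data": "ns1.attacker.example"},
]

if __name__ == "__main__":
    for mode in ("recursive", "forwarding"):
        cache = SharedCache()
        dropped = ingest(mode, cache, POISONED_RESPONSE, "attacker.example")
        print(mode, "dropped", len(dropped), "bank ->", cache.lookup("www.example-bank.com", "A"))
```

The recursive path refuses both injected records; the forwarding path caches them, and because the cache is shared, every later client of the server, including those served recursively, is now sent to the attacker for example-bank.com and for any .com lookup that consults the poisoned NS record. The fix is the obvious one: the check must be identical in every code path that writes to a shared cache.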
How to Defend Against Pharming
To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites and to heed certificate warnings: a pharmed site can redirect traffic, but it cannot present a valid certificate for the real domain unless the attacker also controls a trusted certificate. Companies should also deploy anti-malware software on all corporate devices, keep its signatures updated, and monitor the hosts file on endpoints for unexpected entries. Finally, they should use DNS resolvers from a trusted provider (ideally ones that validate DNSSEC) and keep those resolvers, and any routers in the path, patched.
Conclusion
Using the guide above, organizations can spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot every phish. Phishing is constantly evolving to adopt new forms and techniques. With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution. This goes hand in hand with an automated security approach that stays current with today’s phishing trends and builds in the policies needed for future-proof defense.