Phishing attacks are among the most common forms of cybercrimes regardless of location, industry, or company size. Often they prompt victims to click on or download malicious links that can break through the system’s defenses.
In 2019, there were over 114,702 phishing incidents, and the numbers increased to 241,324 incidents by 2020. Subsequently. Verizon’s Data Breach Digest discovered that 90% of all data breaches include phishing attempts.
Also, an analysis of 55 million emails reveals that one in every 99 emails is a phishing email. Therefore, it is crucial to increase awareness of the different phishing forms, alongside implementing the best penetrating test engagements and anti-phishing security measures to safeguard against phishing attacks.
What is Phishing?
A phishing or phishing scam is a form of fraudulent activity. An attacker may clone the ‘image’ of a reputable person or entity in the form of communication such as email.
Phishing is also one of the oldest types of cyber-attacks, dating as far as the 1990s.
On many occasions, attackers use phishing emails to send malicious and harmful links and attachments. These attachments and links can carry out different functions ranging from extracting account information to log-in credentials from victims. Phishing attacks are also rapidly growing and becoming more challenging as perpetrators have the advantage of the rapid growth of technology alongside well-produced off-the-shelf templates and tools.
The Dangers of Phishing Attacks
As said earlier, phishing relies on electronic communication and social networking techniques. Therefore, even as phishing emails are popular, other prevalent methods include sending direct messages via social networks and SMS text messages.
Perpetrators commonly gather public information and background on their intended victim to learn about their work and personal history, interests, and activities. They usually use social networks such as Twitter, Facebook, and LinkedIn to gather information like email addresses, names, and job titles of potential victims.
With the information they collect, they can send believable emails to their potential victims
A victim would generally receive a message that looks like it was sent from a known organization or contact. This message will contain malicious file attachments or links to malicious websites. In either instance, these malicious links or attachments would install malware on the user’s device or direct him/her to a fake website. This phony website or malware will extract information such as credit card details, account IDs, and passwords.
It was easy to identify phishing messages in the past because they looked fake and were poorly written. However, many cybercriminal groups are beginning to use the same techniques that professional marketers use to identify the message that will attract and grab the receiver’s attention. Subsequently, malware is even more sophisticated, making them difficult to detect, recognize and remove.
Common vs. Targeted Phishing Attacks: Similarities and Differences
Although all phishing attacks have similarities, just as we described above, there are two primary types of phishing attacks: common and targeted phishing attacks.
A phishing attack may be common if the perpetrator carries out a broad attack aimed at many users (or targets). The approach here is about quantity instead of quality. Attackers may only use minimal preparation with the expectation of having a few targets become victims.
In contrast, targeted phishing attacks may be designed to target a specific individual or an organization. The most basic form of this phishing attempt is known as spear phishing.
Generally, perpetrators will carefully find additional information on email, website addresses, company logos of companies, or other businesses the company works with. Sometimes they might also gather personal or professional details about the target. All this information is collected to create a phishing message that is as authentic as possible. A notable spear-phishing event was Threat Group-4127 (Fancy Bear), which used spear phishing tactics to target email accounts connected to Hilary Clinton’s 2016 presidential campaign. Consequently, they could make Hilary Clinton Campaign Chair John Podesta give up his Gmail password and attack over 1,800 Google accounts.
We do not base this classification on the different phishing channels and techniques but the attacker’s approach. Therefore, all phishing attempts and channels can fall under both categories; the difference is the attacker’s route.
Be Wary About Clicking on Phishing Emails
When phishing emails are created on a broad basis, there are a few ways to distinguish them from real messages, even when they seem to have attributes such as corporate logos and other identifying data. Here are some clues to look out for:
- Attackers may design messages to provoke a sense of urgency or fear
- The sender uses Gmail or other public addresses instead of a corporate email address
- The message contains misspelled URLs, subdomains, and other suspicious elements.
- The message seeks personal information such as passwords or financial details
- The message has spelling or grammatical errors.
Phishing emails delivered by email without specific targets are also termed ‘bulk’ phishing. Do realize that phishing emails may also be created with a particular target in focus. In 2016, workers at the University of Kansas were tricked using a phishing email, to which they gave access to their paycheck deposit information, subsequently losing their wages.
Phishing is alarming on Social Media
People are getting more thoughtful about clicking on links in strange emails. However, social media phishing is on the rise because people are more trusting of such avenues. A recent study shows people fall prey to social media-oriented email subjects, with LinkedIn being the most dominant.
CEOs are not Immune to Phishing
Whaling is a variation of spear phishing. Usually, targets are C-level or senior executives within an organization. This is why it can be commonly called CEO fraud. Whaling messages will make receivers assume they are carrying out tasks related to their executive roles. This kind of attack usually has a low success rate.
But, when such a whaling attack accomplishes its goal, the result is enormous as attackers may gain sensitive information such as company secrets, authorizing large payments, and other high-level credentials to company accounts. There have been occasions when organizations lost tens of millions of dollars to such circumstances. In 2008, several CEOs received emails with FBI subpoenas attached. Many of these CEOs unknowingly downloaded keyloggers alongside the attachments resulting in a 10% success rate from over 2,000 victims.
Stay Away From Emails Received Twice
Cloned phishing is also dangerous. In this case, the phishing attacks take the shape of a clone (or copy) of a legitimate message that the receiver had received earlier. In this case, specific changes will be made to ensnare the target (invalid URL links, harmful attachments). This attack has higher possibilities of being effective because the attacker uses a legitimate message. Sometimes, the sender or recipient may have been previously hacked by a malicious third party, thereby offering access to that legitimate email.
Be wary about Public and Free Wi-Fi
Phishers sometimes start up a Wi-Fi access point that deceptively looks like the real-sounding access point. When victims connect to the ‘evil twin network,’ the attackers access all transmissions to and from the victim’s devices. This includes passwords, user iDs, and other sensitive information. Phishers can also use the evil twin network to target victim devices and send their own fraudulent prompts.
Phishing goes Beyond the Internet
Voice phishing (vishing) is a form of phishing that happens using plain old telephone service (POTS) or voice over IP (VoIP) systems. Victims will receive voicemails notifying them of suspicious activities on their credit or bank account in this peculiar event. The call will then solicit victims to respond and verify their identity, thereby compromising their accounts credentials.
A similar example is SMS phishing (Smishing). This is a mobile device-oriented phishing attack involving text messaging to convince victims to install malware or disclose their account credentials.
Pharming is a phishing scam that involves DNS cache poisoning to redirect users from a legitimate website to a fraudulent one. Here users will be tricked to attempt to log in to a fake website with their credentials.
Phishing Kits; what are they?
Phishing tools are becoming widespread and accessible at incredibly low costs. Today’s cybercriminals now have access to phishing kits which has further muddled the waters. These phishing kits are packaged website, emails, and other communication tools and resources that cybercriminals with minimal technical skills can use to launch phishing campaigns. Some phishing kits also allow attackers to spoof trusted brands, increasing the risks of someone clicking on fraudulent links.
According to Akamai’s research on Phishing-Baiting the Hook, there are over 11 kit variants for Dropbox, 7 for DHL, 14 for PayPal, and 62 kit variants. Fortunately, anti-phishing sites are being updated regularly with known phishing kits.
However, Duo Labs report showed that of 3,200 phishing kits discovered by Duo, only 27 percent were reused. The subsequent evaluation showed that a single change to one file in the kit could result in two different kits, even when they are identical.
Nevertheless, having a solid security team can help track phishing kits, focusing on where credentials are being sent. Further correlation of actors to specific kits and campaigns will help find creators.
Types of Phishing Techniques
Besides understanding the different phishing scam approaches, we also need to learn about their mechanisms and techniques. Attackers use a wide range, including texting, instant messaging, email, and social media, to carry out attacks. School phone calls have once been used to carry out such attacks.
- Link spoofing: Link spoofing involves sending a malicious URL that resembles an original URL. The objective is that the receiver may not notice the slight difference. For instance, an authentic link, abclogistics.com, may be transformed to www.ab1clogistics.com. Therefore, users must carefully look at links received before clicking on them. In some instances, the displayed text for the link will suggest a reliable destination, which in reality, goes directly to the phisher’s site.
- Link shortening: Perpetrators can use link shortening services such as Bitly to hide links to the destination. So, victims have no way of knowing they are visiting legitimate web or malicious resources.
- Malicious and Covert Redirects: In this case, attackers may force the user’s browser to interact with an unexpected website. The attacker sends malicious redirects to redirect all visitors to an undesired, attacker-controlled website forcibly. Attackers accomplish this by uncovering an existing bug in a website or compromise the website using their own redirection code.
- Filter evasion: Phishers may also use images instead of text which is more challenging to detect in phishing emails. In response, it is essential to have sophisticated anti-phisher filters which can recover hidden text within images using optical character recognition (OCR).
The Lure of Social Engineering
Many kinds of phishing attacks involve some form of social engineering, psychologically manipulating users into actions such as opening an attachment, clicking on a link, or directly divulging confidential information.
Besides impersonating a trusted entity, the phisher will also create a sense of urgency to make users take action as fast as possible, often without thinking about the implications of their actions.
For instance, attackers may claim that accounts have been seized or shut down unless the victim takes action.
Click Baits and the Time of Crisis
Alternatively, attackers may use fake news articles designed to ignite outrage, causing the victim to click a link without adequately considering its destination. In such instances, victims may receive an imitation ‘virus’ that sends notifications or redirects to pages where attempts will be made to exploit web browser vulnerabilities and install malicious software.
Such fake news attempts are wildly successful in times of crisis. Therefore, the present COVID-19 situation presents an ample opportunity for cybercriminals to lure victims.
People in these times are on edge and actively searching for information. They are also in search of information or direction from their employers, government, and other authorities. Attackers can use phishing email attempts with lures about instructions for tasks or new information supposedly from reputable organizations they expect.
These lures can prompt victims into making that impulsive move and subsequently infecting or compromising their systems.
These impulsive moves are classified as cognitive bias. Cognitive bias is a strong, preconceived notion of something or someone based on information perceived to have, lack, or have. Such preconceptions are mental shortcuts supposed to help the brain make sense of what’s happening and quickly respond. According to SecurityAdvisor, there are five types: hyperbolic discounting, recency effect, authority bias, curiosity effect, and halo effect. In Lay terms, cognitive bias translates to triggers in the brain prompting us into action, especially when we receive information that fuels our emotions related to fear, urgency, sympathy, sympathy, curiosity/voyeurism, and greed.
The present COVID-19 pandemic creates opportunities for fear, curiosity, and sometimes sympathy. Subsequently, more employees work from home, presenting gaping cybersecurity holes and increased opportunities for phishing.
Anti-phishing; Safeguarding and Preventing Phishing Attacks
Currently, there are diverse anti-phishing strategies that we can implement to protect against the risk of phishing. These strategies range from legislation and compliance to technology with a specific focus on protecting against phishing attacks.
We can implement these measures on both personal and organizational levels, and they include:
1. Spam filters
Spam filters are also crucial in mitigating the risks of phishing. Sophisticated spam filters use machine learning and natural language processing approaches to classify phishing emails and may help reject emails from fraudulent addresses.
2. Anti-phishing web security gateways
Popular browsers such as Google Chrome, Internet Explorer, Safari, Mozilla Firefox, and Opera often contain anti-phishing measures that alert users about fraudulent websites. However, it is also essential to implement robust anti-phishing systems to safeguard the company’s website. A great example is multi-factor authentication systems requiring users to use at least two different log-in methods.
Financial institutions are also implementing measures where users receive verification and authorization requests for banking transactions. Security skins, anti-phishing toolbar, Identity Cue, user-selected images, and security skins are also prominent for protecting against website/page hijacking. Do note that several phishing methods can defeat many such typical systems, primarily when we use them in isolation.
3. Enterprise mail authentication
Organizations can also have at least one email authentication to confirm and verify inbound emails. This might include DomainKeys Identified Mail (DKIM) protocol which enables users to blog messages except for those with cryptographically signed
4. Active monitoring
Round-the-clock systems can also help organizations track, analyze and take prompt actions against phishing. These systems can track and analyze server traffic for spikes which can be indications of even DDoS attacks. These systems are usually implemented alongside network and desktop software.
Our organizations should also reward good behavior by rewarding organizations to spot phishing emails. It is also vital for individuals and organizations to report phishing to volunteer and industry groups such as PhishTank, and OpenPhish. These websites, alongside Anti-Phishing Working Group Inc and the Federal government’s OnGuardOnline.gov website, also offer advice on spotting, avoiding, and reporting phishing attacks.
6. Incident response strategies
Besides actively combating phishing attempts, we must also implement recovery plans in the event of a phishing attack. We need backup processes to quickly restore content on servers, endpoints, and workstations to mitigate disruptions in our operations.
7. User training
Our people are an essential line of defense against phishing attacks. They are also the weakest link. According to Cofense, preventing and combating phishing attacks starts with user behavior and awareness to protect your business against the most common hacking methods.
Therefore, we must train employees, contractors, and other principal human resources to recognize phishing attempts and deal with them appropriately. They need to study a vast amount of phishing attack examples especially real-world scenarios.
Simulated phishing campaigns targeting staff can also help our organizations measure the effectiveness of their training. Organizations can also pen-test for weak spots, which can be used to educate employees. Do bear in mind that these training must pay attention to the importance of cognitive biases or just-in-time nudges that can make employees take those impulsive actions prompted by those emails.
Phishing attacks are rapidly evolving at an unprecedented speed, and no company or individual is immune to such attacks.
Furthermore, the weakest security connection is the user, but they can also become our greatest assets against phishing attempts. Consider the case of Upsher-Smith Laboratories, a U.S drug company, which was swindled out of over $50 million within three weeks. The phishers had impersonated the company’s CEO and sent out phishing emails to the company’s account payable coordinator with instructions to make nine fraudulent wire transfers. The company could only recall one wire transfer reducing their loss to $39 million, but it was still a significant loss. Implementing robust security policies and procedures is vital to mitigating phishing scams. But we must not forget that phishing attacks can get through no matter the security measures in place. In an event such as this, training employees to quickly detect the fraudulent nature of phishing communication and respond appropriately would have helped limit or avoid such an enormous loss.
We need to educate, inform and empower them with stringent security training to help them make better security decisions and actively combat cybersecurity threats.