Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, to launch fraudulent transactions, or to trick someone into downloading malware. Indeed, Verizon’s 2020 Data Breach Investigations Report finds that phishing is the top threat action associated with breaches.
Enterprises regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them. And humans tend to be bad at recognizing scams.
According to Proofpoint’s 2020 State of the Phish report, 65% of US organizations experienced a successful phishing attack in 2019. This speaks to both the sophistication of attackers and the need for equally sophisticated security awareness training. Add in the fact that not all phishing scams work the same way—some are generic email blasts while others are carefully crafted to target a very specific type of person—and it gets harder to train users to know when a message is suspect.
Let’s look at the different types of phishing attacks and how to recognize them.
Phishing: Mass-market emails
The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging into a website or downloading malware. Attacks frequently rely on email spoofing, where the email header—the From field—is forged to make the message appear as if it were sent by a trusted sender.
However, phishing attacks don’t always look like a UPS delivery notification email, a warning message from PayPal about passwords expiring, or an Office 365 email about storage quotas. Some attacks are crafted to specifically target organizations and individuals, and others rely on methods other than email.
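Email spoofing forges the header From, but a receiving mail server records what it actually verified about the envelope sender (SPF) and the signing domain (DKIM) in an Authentication-Results header. The following Python, added here as an example and not part of the original article, applies a DMARC-style alignment check to two constructed messages: the From domain is only trusted when it is covered by an aligned SPF pass or an aligned DKIM pass. It assumes the upstream MTA has already stamped Authentication-Results, and it uses a crude "last two labels" rule for the organizational domain; a real deployment needs a public-suffix list.

```python
"""Flag a spoofed header-From by checking DMARC-style alignment.

Added example (not part of the original article). Assumptions: the message
has already passed through a receiving MTA that stamped an
Authentication-Results header (RFC 8601); the sample messages below are
constructed, not captured.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: header From claims paypal.com, but the envelope sender
# (what SPF evaluates) and the DKIM signature belong to an unrelated domain.
SPOOFED = b"""Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=pass header.d=mailer-example.net
From: "PayPal Security" <service@paypal.com>
To: victim@example.org
Subject: Your password is about to expire

Click here to keep your account active.
"""

# Constructed sample: everything aligns, as a legitimate message would.
ALIGNED = b"""Return-Path: <bounce@mail.paypal.com>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail.paypal.com;
 dkim=pass header.d=paypal.com
From: "PayPal" <service@paypal.com>
To: user@example.org
Subject: Your monthly statement

Statement attached.
"""


def org_domain(domain):
    """Crude organizational domain: last two labels (fine for .com; a
    public-suffix list is needed for e.g. .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a, b):
    """Relaxed DMARC alignment: same organizational domain."""
    return org_domain(a) == org_domain(b)


def parse_auth_results(value):
    """Pull the spf/dkim verdicts and their domains out of Authentication-Results."""
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", value)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", value)
    return {
        "spf": (spf.group(1), spf.group(2)) if spf else (None, None),
        "dkim": (dkim.group(1), dkim.group(2)) if dkim else (None, None),
    }


def check_from_alignment(raw):
    """Return (verdict, reasons). 'suspect' means the header From domain is not
    backed by an aligned SPF pass or an aligned DKIM pass."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))
    reasons = []
    spf_ok = auth["spf"][0] == "pass" and aligned(auth["spf"][1], from_domain)
    dkim_ok = auth["dkim"][0] == "pass" and aligned(auth["dkim"][1], from_domain)
    if not spf_ok:
        reasons.append(f"SPF {auth['spf'][0]} for {auth['spf'][1]} does not cover From domain {from_domain}")
    if not dkim_ok:
        reasons.append(f"DKIM {auth['dkim'][0]} for d={auth['dkim'][1]} does not cover From domain {from_domain}")
    return ("pass" if spf_ok or dkim_ok else "suspect"), reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("aligned", ALIGNED)):
        verdict, why = check_from_alignment(raw)
        print(label, verdict, *why, sep="\n  ")
```

The point of the check is that a forged From line is cheap, while an SPF or DKIM pass for the same organizational domain is not; a gateway that publishes and enforces DMARC performs exactly this comparison before the message ever reaches a user.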
Spear phishing: Going after specific targets
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations. Instead of trying to get banking credentials for 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses. A nation-state attacker may target an employee working for another government agency, or a government official, to steal state secrets.
Spear phishing attacks are extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a conference the recipient may have just attended or sending a malicious attachment where the filename references a topic the recipient is interested in.
In a 2017 phishing campaign, Group 74 (a.k.a. Sofact, APT28, Fancy Bear) targeted cybersecurity professionals with an email pretending to be related to the Cyber Conflict U.S. conference, an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. While CyCon is a real conference, the attachment was actually a document containing a malicious Visual Basic for Applications (VBA) macro that would download and execute reconnaissance malware called Seduploader.
Whaling: Going after the big one
Different victims, different paydays. A phishing attack specifically targeting an enterprise’s top executives is called whaling, as the victim is considered to be high-value, and the stolen information will be more valuable than what a regular employee may offer. The account credentials belonging to a CEO will open more doors than those of an entry-level employee. The goal is to steal data, employee information, and cash.
Whaling also requires additional research because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. Examples include references to customer complaints, legal subpoenas, or even a problem in the executive suite. Attackers typically start with social engineering to gather information about the victim and the company before crafting the phishing message that will be used in the whaling attack.
Business email compromise (BEC): Pretending to be the CEO
Aside from mass-distributed general phishing campaigns, criminals target key individuals in finance and accounting departments via business email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack. The attacker lurks and monitors the executive’s email activity for a period of time to learn about processes and procedures within the company. The actual attack takes the form of a false email sent from the compromised executive’s account to one of its regular correspondents. The email appears to be important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
According to the Anti-Phishing Working Group’s Phishing Activity Trends Report for Q2 2020, “The average wire transfer loss from Business Email Compromise (BEC) attacks is increasing: The average wire transfer attempt in the second quarter of 2020 was $80,183.”
Clone phishing: When copies are just as effective
Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim was receiving the “same” message again.
This attack is based on a previously seen, legitimate message, making it more likely that users will fall for the attack. An attacker who has already infected one user may use this technique against another person who also received the message that is being cloned. In another variation, the attacker may create a cloned website with a spoofed domain to trick the victim.
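Clone phishing, and the cloned-website variant, depend on a sender address or domain that merely resembles the real one. The following Python, added here as an example and not part of the original article, classifies sender domains against a constructed allow-list of legitimate senders and flags the near-misses: digit-for-letter and Cyrillic homoglyphs, "rn" standing in for "m", small edit distances, and a brand name buried inside an unrelated domain. The allow-list, confusable tables and distance threshold are illustrative assumptions.

```python
"""Flag sender domains that merely resemble a known legitimate sender.

Added example, not from the original article. KNOWN_SENDERS is a constructed
allow-list; the confusable tables are deliberately small and illustrative.
"""

KNOWN_SENDERS = {"paypal.com", "example-bank.com", "microsoft.com"}

# Characters that pass for Latin letters in many fonts: ASCII digits/symbols
# and a handful of Cyrillic homoglyphs (written as escapes so they are visible).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
})


def normalize(domain):
    """Fold a domain to the Latin string a human would perceive."""
    d = domain.strip().rstrip(".").lower().translate(CONFUSABLES)
    # Two-letter sequences that render like one letter in proportional fonts.
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Classic edit distance; small values mean a one- or two-key typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_SENDERS, max_distance=2):
    """Return (verdict, matched_domain, reason) where verdict is 'known',
    'lookalike' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    norm = normalize(domain)
    # Exact domain or a genuine subdomain of it is the legitimate sender.
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known", k, "exact domain or subdomain"
    for k in known:
        if norm == k or norm.endswith("." + k):
            return "lookalike", k, f"homoglyph form of {k}"
        dist = levenshtein(norm, k)
        if dist <= max_distance:
            return "lookalike", k, f"edit distance {dist} from {k}"
        brand = k.split(".")[0]
        if brand in norm.replace(".", "-").split("-"):
            return "lookalike", k, f"brand label '{brand}' inside unrelated domain"
    return "unrelated", None, "no resemblance to a known sender"


if __name__ == "__main__":
    for addr in ("service@paypal.com", "news@mail.paypal.com", "service@paypa1.com",
                 "billing@rnicrosoft.com", "alerts@paypal.com.account-verify.net",
                 "support@p\u0430ypal.com", "friend@gmail.com"):
        print(addr, "->", classify_sender(addr))
```

A "lookalike" verdict is a prompt for a banner or a quarantine rule rather than a hard block, since heuristics like the "rn" fold will occasionally fire on honest domains; the value is in surfacing the one-character difference that a user reading a cloned message on a phone will never spot.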
Vishing: Phishing over the phone
Vishing stands for “voice phishing” and it entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. For instance, the message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes. However, the phone number rings straight to the attacker via a voice-over-IP service.
In a sophisticated vishing scam in 2019, criminals called victims pretending to be Apple tech support and provided users with a number to call to resolve the “security problem.” Like the old Windows tech support scam, this scam took advantage of users’ fears of their devices getting hacked.
Smishing: Phishing via text message
Smishing, a portmanteau of “phishing” and “SMS,” the latter being the protocol used by most phone text messaging services, is a cyberattack that uses misleading text messages to deceive victims. The goal is to trick you into believing that a message has arrived from a trusted person or organization, and then to convince you to take action that gives the attacker exploitable information (like bank account login credentials, for example) or access to your mobile device.
Smishing is on the rise because people are more likely to read and respond to text messages than email: 98% of text messages are read and 45% are responded to, while the equivalent numbers for email are 20% and 6%, respectively. And users are often less watchful for suspicious messages on their phones than on their computers, and their personal devices generally lack the type of security available on corporate PCs.
Snowshoeing: Spreading poisonous messages
Snowshoeing, or “hit-and-run” spam, requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.
Hailstorm campaigns work the same as snowshoe, except the messages are sent out over an extremely short time span. Some hailstorm attacks end just as the anti-spam tools catch on and update the filters to block future messages, but the attackers have already moved on to the next campaign.
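Because snowshoe and hailstorm campaigns keep every individual IP address under the volume that reputation filters react to, the signal is in the message template rather than the sender. The following Python, added here as an example and not part of the original article, groups constructed MTA log lines by a normalized subject fingerprint and reports templates that arrive from many IPs at low per-IP volume, labelling the burst variant as hailstorm when the whole campaign fits inside a short window. The log format and the thresholds are assumptions for illustration.

```python
"""Spot snowshoe and hailstorm campaigns in MTA logs by template, not by IP.

Added example, not from the original article. The log format below is
constructed (one line per accepted message: timestamp, client IP, envelope
sender, subject) and the thresholds are illustrative starting points.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG = """\
2020-09-01T10:00:01Z ip=203.0.113.5 from=offer@promo-a1.example subj="Your invoice #4821 is ready"
2020-09-01T10:21:40Z ip=203.0.113.17 from=offer@promo-b2.example subj="Your invoice #9903 is ready"
2020-09-01T10:44:12Z ip=198.51.100.8 from=billing@promo-c3.example subj="Your invoice #1207 is ready"
2020-09-01T11:05:55Z ip=198.51.100.23 from=billing@promo-d4.example subj="Your invoice #3356 is ready"
2020-09-01T11:30:09Z ip=203.0.113.77 from=offer@promo-e5.example subj="Your invoice #8812 is ready"
2020-09-01T11:58:31Z ip=198.51.100.61 from=offer@promo-f6.example subj="Your invoice #2290 is ready"
2020-09-01T14:00:00Z ip=203.0.113.100 from=alert@acct-1.example subj="Reset your password now"
2020-09-01T14:00:04Z ip=203.0.113.101 from=alert@acct-2.example subj="Reset your password now"
2020-09-01T14:00:09Z ip=203.0.113.102 from=alert@acct-3.example subj="Reset your password now"
2020-09-01T14:00:15Z ip=198.51.100.200 from=alert@acct-4.example subj="Reset your password now"
2020-09-01T14:00:22Z ip=198.51.100.201 from=alert@acct-5.example subj="Reset your password now"
2020-09-01T14:00:31Z ip=198.51.100.202 from=alert@acct-6.example subj="Reset your password now"
2020-09-01T09:00:00Z ip=192.0.2.10 from=news@newsletter.example subj="Weekly newsletter: issue 41"
2020-09-01T09:00:01Z ip=192.0.2.10 from=news@newsletter.example subj="Weekly newsletter: issue 41"
2020-09-01T09:00:02Z ip=192.0.2.10 from=news@newsletter.example subj="Weekly newsletter: issue 41"
2020-09-01T09:00:03Z ip=192.0.2.10 from=news@newsletter.example subj="Weekly newsletter: issue 41"
"""

LINE = re.compile(r'^(\S+) ip=(\S+) from=\S+@(\S+) subj="(.*)"$')


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m.group(2), "domain": m.group(3), "subject": m.group(4)}


def fingerprint(subject):
    """Collapse per-message variation (numbers, case, spacing) so every message
    produced from one template shares a key."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "#", subject.lower())).strip()


def find_campaigns(lines, min_ips=5, max_per_ip=3, hailstorm_window=300):
    """Return {fingerprint: info} for templates sent from at least min_ips
    distinct IPs with no IP exceeding max_per_ip messages. A campaign whose
    first-to-last span is within hailstorm_window seconds is a hailstorm."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            groups[fingerprint(rec["subject"])].append(rec)
    found = {}
    for key, recs in groups.items():
        per_ip = defaultdict(int)
        for r in recs:
            per_ip[r["ip"]] += 1
        if len(per_ip) < min_ips or max(per_ip.values()) > max_per_ip:
            continue  # single-source bulk mail is someone else's problem
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        found[key] = {
            "kind": "hailstorm" if span <= hailstorm_window else "snowshoe",
            "messages": len(recs),
            "ips": len(per_ip),
            "domains": len({r["domain"] for r in recs}),
            "span_seconds": span,
        }
    return found


if __name__ == "__main__":
    for key, info in find_campaigns(LOG.splitlines()).items():
        print(f"{info['kind']:9} {key!r}: {info}")
```

The newsletter in the sample is deliberately left alone: four messages from one IP is ordinary bulk mail, and a per-IP threshold would have passed the two campaigns too. Fingerprinting on subject alone is the minimum; a body hash or URL-domain set makes the grouping far harder to evade, and the hailstorm window should be tuned to how quickly your filters actually update.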
Learn to recognize different types of phishing
Users aren’t good at understanding the impact of falling for a phishing attack. A reasonably savvy user may be able to assess the risk of clicking on a link in an email, as that could result in a malware download or follow-up scam messages asking for money. However, a naive user may think nothing would happen, or wind up with spam advertisements and pop-ups. Only the most savvy users can estimate the potential damage from credential theft and account compromise. This risk assessment gap makes it harder for users to grasp the seriousness of recognizing malicious messages.
Organizations need to consider existing internal awareness campaigns and make sure employees are given the tools to recognize different types of attacks. Organizations also need to beef up security defenses, because some of the traditional email security tools—such as spam filters—are not enough defense against some phishing types.
Editor’s note: This article, originally published on January 14, 2019, has been updated to reflect recent trends.
Copyright © 2020 IDG Communications, Inc.