Today, most people are familiar with the term phishing: a type of social engineering in which a cybercriminal sends a fraudulent message designed to trick a human victim into revealing sensitive information. Back in the ’90s the phrase “phishing attack” would have generated some very peculiar images in the minds of most individuals, but the early ’90s is when phishing as an attack strategy was just getting its feet wet. The rise of the internet and email provided brand new attack vectors for cybercriminals and con men who previously relied on more personal methods of communication to perpetrate their attacks. Since the internet’s inception, phishing attacks have continued to rise year over year. APWG, an international consortium dedicated to anti-phishing activities, reported that in 2020 the number of phishing attacks observed by its members doubled over the course of the year, from roughly 100,000 in January to roughly 200,000 in December, and most recently reported 222,127 attacks in June 2021 alone. Given the increasing number of phishing attacks, it helps to understand the most common variants, how to spot them and what to do about them. Let’s take a look at the 5 most common phishing examples.
1. Email Phishing
Email phishing is the most common phishing strategy and often the most successful. In an email phishing attack, the cybercriminal contacts the target in an attempt to extract personal information directly or to direct the user via a link to a phishing web page. The cybercriminal’s entire goal is to trick the user into believing that the message is from a trusted source. The trusted source may be a bank, a credit card company, a social networking site, an online payment website, a store, a friend, a relative, etc.: anyone the target would feel compelled to respond to or provide additional information to. The attacks often use a call to action that entices the user to click a link in the email. Oftentimes the message is “time-sensitive”, claiming that not acting immediately will have a negative impact.
How to identify email phishing:
When reading an email, always look for these telltale signs of a phishing attack:
Emails Demanding Urgent Action
- Emails threatening a negative result, or a loss of opportunity unless urgent action is taken, are often phishing emails.
Emails with Bad Grammar and Spelling Mistakes
- Spelling mistakes are often linked to phishing emails, but not always because the cybercriminal lacked attention to detail. Deliberate misspellings can help circumvent email filters that match on common phishing phrases, and they can weed out more careful recipients who likely won’t fall for the scam, leaving the attacker with the targets most likely to respond.
Emails with an Unfamiliar Greeting or Salutation
- Phishing emails often begin with an overly formal salutation like “Dear Sir or Madam”.
Inconsistencies in Email Addresses, Links & Domain Names
- Before clicking anything in an email, always check for inconsistencies in the sender’s address, any shortened URL, and any hyperlinked text. Don’t just check the name of the person sending you the email: the display name is free text that the sender chooses. Check the actual email address by hovering your mouse over the ‘from’ address and make sure no alterations (like additional numbers or letters, or a swapped letter) have been made. Cybercriminals can register lookalike domains that differ from the real one by a single character, and where the receiving mail system does not enforce SPF, DKIM and DMARC they can forge the ‘from’ address outright. Malicious links can be hidden behind a shortened URL, and the visible text of a hyperlink can differ from the address it actually opens; hover over a link to reveal its real destination before clicking.
Emails with Unexpected Attachments
- Attachments can be dangerous. Malicious attachments are one of the main tools cybercriminals use to infect devices with malware such as trojans, spyware and ransomware. Always be vigilant when working with emails that contain attachments, especially ones you were not expecting.
2. Smishing
Smishing uses the same strategy as email phishing but is perpetrated using text messages (SMS) sent to your mobile device. According to Hootsuite’s Digital 2021 Executive Summary Report, over 66% of the world’s population have cell phones, making for over 5 billion possible targets for cybercriminals.
How to identify smishing:
The same tactics are used in smishing campaigns as in email phishing campaigns, but the medium is different, and there are certain things to look for to determine that a text is a scam.
A Text message from unknown/suspicious numbers
- Smishing messages are often sent through an email-to-SMS gateway or a web-based bulk messaging service rather than from a phone, so the sender shows up as an unfamiliar number, an email address, or a shortened number known as a short code instead of a contact you recognize.
A text message with a link or request to respond
- Legitimate companies will not request confidential information via text message. If you are ever in doubt, do not tap the link or reply; go directly to the source by logging into the service through its legitimate website or app.
3. HTTPS Phishing
HTTPS phishing gives a malicious website the illusion of security through the padlock indicator next to the URL bar. HTTPS, or Hypertext Transfer Protocol Secure, encrypts the connection between your browser and the web server; it says nothing about who operates that server. By including an HTTPS link in an email, cybercriminals trick users into believing the message and the destination are trustworthy. Historically, the padlock was associated with safe and secure communications, but a certificate only proves that whoever obtained it controls the domain name, never that the operator is honest, and with free, automated certificate authorities any site, including a freshly registered lookalike domain, can get one in minutes. According to APWG’s 2019 report, over 50% of phishing websites now use HTTPS. So your connection and the information you send while interacting with the site may be encrypted in transit, but you are providing that information directly to a criminal.
How to identify HTTPS phishing
Suspicious URL formatting or structure
- Cybercriminals can easily create phishing websites that are visually similar to an organization’s legitimate websites. Some will even copy the source code of the legitimate site to mimic it identically. To distinguish the two, take note of the URL in the address bar of your web browser, closely analyze the characters, and ensure that there are no missing or swapped characters. Pay particular attention to the registrable domain (the part just before the top-level domain): a brand name that appears as a subdomain or as text before an ‘@’, such as brand.com.attacker-domain.net, belongs to the attacker, not the brand.
4. Spear Phishing
Spear phishing is a targeted attempt to steal sensitive information, such as account credentials or financial information, from a specific victim. Many phishing strategies cast the widest net possible to ensnare as many victims as possible; with spear phishing, a cybercriminal crafts a curated attack targeting a specific individual or group of individuals. An example of a common spear phishing attack is an email from a hotel’s rewards program indicating the user has reached a new tier of membership. Cybercriminals regularly use data from past breaches as ammunition to craft these curated attacks. According to KnowBe4, a security awareness and training solution provider, 91% of successful data breaches start with a spear-phishing attack.
How to identify spear phishing:
Spear phishing emails use all of the same tactics as a regular phishing email, but the level of detail in the attack is heightened. In the sample above, the sender’s display name is “Sam’s Club” and the email body imitates the Sam’s Club logo. The email then requests immediate action to verify a purchase and to claim a $50 offer.
Emails from Companies you may or may not do business with
- Spear Phishing attacks utilize popular brand names and organizations to increase the target’s perceived safety while interacting with the message.
5. Whaling
Whaling takes spear phishing a step further by specifically targeting high-level individuals at an organization. Typically this means the C-suite, or anyone with the authority to approve a request that only senior staff can approve, such as confirming a wire transfer or releasing company secrets. In other cases the cybercriminal impersonates the CEO or another corporate officer to convince employees to carry out financial transfers.
How to identify whaling:
Suspicious requests from individuals in your organization
- Cybercriminals will impersonate real members of the target’s organization. It is crucial to verify any urgent request with the requesting individual through a trusted channel such as a telephone number you already have on file, an encrypted chat tool, or in person before carrying out the task. Never use a phone number, link or reply address supplied in the suspicious message itself, since those lead back to the attacker.
Closely inspect the sender’s email address
- As with other targeted phishing emails, the sender’s display name and email address will likely resemble a familiar pattern but will not hold up under close scrutiny. Check for missing characters, character swaps, and non-standard characters in the email address itself, and check whether the Reply-To address differs from the visible sender.
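The address and URL checks described above (hovering over the ‘from’ address under Email Phishing, inspecting the address bar under HTTPS Phishing, and scrutinizing the sender under Whaling) can be automated for triage. The following is an added example written for this article, not code from ZeroFox or any product it mentions. It assumes a constructed allowlist of trusted domains (examplebank.com, example.com), a constructed list of executive names worth protecting, and deliberately small lookalike tables; real tooling would use the Unicode confusables data and the Public Suffix List instead. It flags the tricks the text names: a brand name buried in someone else’s domain, text before an ‘@’ in a URL, punycode hosts, single-character swaps and digit-for-letter substitutions, executive names on external addresses, and Reply-To mismatches.

```python
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed allowlist for this example (assumption): domains we consider legitimate.
TRUSTED_DOMAINS = ["examplebank.com", "example.com"]

# Constructed, deliberately small lookalike tables (assumption). Cyrillic letters
# that render like Latin ones, and ASCII substitutions attackers commonly use.
HOMOGLYPHS = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(text: str) -> str:
    """Collapse a name onto the plain ASCII string it is trying to resemble."""
    s = unicodedata.normalize("NFKD", text.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    s = s.translate(HOMOGLYPHS)
    for bad, good in ASCII_CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: real code consults the Public
    Suffix List so that names like bank.co.uk are split correctly."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        name, tname = domain.split(".")[0], trusted.split(".")[0]
        if name == tname:                                      # same name, swapped TLD
            return trusted
        if skeleton(domain) == skeleton(trusted):              # homoglyph or digit swap
            return trusted
        if edit_distance(skeleton(name), skeleton(tname)) <= 1:  # one-character typo
            return trusted
    return None


def analyze_url(url: str) -> list:
    """Flag credentials before '@', punycode hosts, a trusted brand inside another
    domain, and lookalike domains. HTTPS on a flagged URL is noted, not trusted."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:           # https://examplebank.com@evil.test/
        findings.append(f"text before '@' is ignored; real host is {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        try:                                 # show what the browser would render
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
        findings.append(f"punycode (IDN) host: {host}")
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:      # examplebank.com.login-secure.net
            if trusted in host and host != trusted and not host.endswith("." + trusted):
                findings.append(f"'{trusted}' appears inside {domain}, the real domain")
        target = lookalike_of(domain)
        if target:
            findings.append(f"{domain} imitates {target}")
    if parts.scheme == "https" and findings:
        findings.append("padlock would show: HTTPS only encrypts the link to this host")
    return findings


def analyze_sender(from_header: str, reply_to: str = "", executives=("Jane Doe",)) -> list:
    """Flag lookalike sender domains, executive names on external addresses, an
    address embedded in the display name, and a Reply-To that diverts replies.
    `executives` is a constructed list of protected names (assumption)."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    domain = registrable_domain(addr_domain)
    findings = []
    if domain not in TRUSTED_DOMAINS:
        target = lookalike_of(domain)
        if target:
            findings.append(f"sender domain {domain} imitates {target}")
        if any(e.lower() in name.lower() for e in executives):
            findings.append(f"display name '{name}' names an executive but address is {addr}")
        if "@" in name:                      # "ceo@examplebank.com" <x@mail.test>
            findings.append(f"display name shows an address; real sender is {addr}")
    if reply_to:
        _, rt = parseaddr(reply_to)
        rt_domain = rt.rsplit("@", 1)[-1].lower() if "@" in rt else ""
        if rt_domain and rt_domain != addr_domain:
            findings.append(f"replies go to {rt}, not to the visible sender")
    return findings


if __name__ == "__main__":
    # Constructed samples, not real messages.
    for url in ["https://login.examplebank.com/", "https://examplebank.com@evil.test/login",
                "https://examplebank.com.login-secure.net/verify", "https://examp1ebank.com/verify"]:
        print(url, "->", analyze_url(url) or "ok")
    print(analyze_sender("Jane Doe <jane.doe@exampiebank.com>"))
    print(analyze_sender("Jane Doe <jane.doe@examplebank.com>", reply_to="jane.doe.ceo@mail.test"))
```

The checks are heuristics for triage, not a verdict: a legitimate partner domain will trip the edit-distance rule, and a patient attacker can pick a name that none of the rules catch. Treat a non-empty result as a reason to verify through a channel you already trust, as the sections above recommend.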
How to Prevent These 5 Phishing Examples
Humans are the weakest link in the proverbial security armor, so it is important that they are trained to identify phishing attacks. Employee training services like KnowBe4 provide scenario-based training that improves an employee’s chance of catching a phishing attack.
Require multi-factor authentication
Since cybercriminals often look to steal user credentials, requiring multi-factor authentication reduces this risk. By requiring 2 or more pieces of evidence to verify identity, a cybercriminal who obtains a user’s login credentials still cannot gain full access to the targeted account. Note that one-time codes and push approvals can themselves be phished by a site that relays them to the real service in real time, so where the option exists, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys, which are bound to the legitimate site’s domain.
Monitor and disrupt fake websites
Organizations in highly targeted industries, like financial services and healthcare, often use services like ZeroFox that monitor for spoofed versions of their websites and expediently disrupt and take them down.
The best way to address phishing attacks at their source is to know the tactics and techniques used before you are targeted. Through employee training and automated detection of phishing URLs, fake profiles and websites, security teams can help prevent potential damage from a phishing attack. Particularly as phishing TTPs grow more sophisticated through the use of phishing kits and other tools, security teams must remain vigilant and aware of the latest phishing trends. Access more resources and learn about ZeroFox’s anti-phishing protection solution here.