Phishing Trends: It’s No Longer About Malware

The modalities and targets of cyberattackers have changed, warns guest author Lance Spitzner of the SANS Institute.

Phishing has been, and continues to be, one of the most common attack methods because it is so effective: by targeting people directly, it bypasses many of the technical security controls an organization has in place. Reports such as the Verizon Data Breach Investigations Report (DBIR) and the Microsoft Digital Defense Report continue to cite phishing as one of the biggest risks. Phishing has also kept evolving. While many of the emotional lures used to victimize people have remained the same, both the modalities (the channels the messages arrive on) and the targets (what the attacker is actually after) have changed.

Modalities

Traditionally, phishing has been done via email. However, messaging technologies such as Apple’s iMessage, WhatsApp and plain SMS are now used as well. Phishing via SMS (“smishing”) is becoming more popular because text messages typically pass through far less filtering than corporate email, so scams and attacks are much more likely to reach the recipient. Since text messages are short and carry little context (no signature, no visible headers, often a shortened link), it is also much harder to tell what is legitimate and what is an attack. When training employees, security awareness trainers should therefore point out that phishing no longer arrives only by email, but via any type of messaging technology.

Targets

In the past, the goal of a phishing attack was usually to install malware on the victim’s computer. As malware infections have become easier for IT security teams to detect and block, attackers have changed their approach dramatically. Today there are three other common targets of phishing attacks.

Stealing passwords

Phishing is used to trick victims into clicking a link that leads to a look-alike login page which captures whatever password they type. Once a person’s credentials are stolen, attackers can do a great deal of damage without being noticed, because they are logging in as a legitimate user. For example, attackers send emails pretending to be from a bank, harvest the online-banking credentials, and use them to access the victim’s financial accounts and steal money. Another common lure is an email pretending to be from Microsoft, used to steal credentials for employees’ work-related Microsoft 365 cloud accounts.

Getting victims on the phone

More and more phishing attacks contain no link or attachment at all; the only point of attack is a phone number. The attacker’s goal is to get the victim to call it. Once the victim is on the phone, the attackers use stories and emotional pressure to push them into actions such as revealing their passwords, buying gift cards, or transferring money from their bank accounts to accounts the attackers control. These attacks take much more effort because they are not automated, but attackers have learned that they are often more successful and more profitable: a single call can drain a victim’s checking, savings or retirement account and take their entire life savings.

Scams

Many phishing emails contain neither a link nor an attachment. Instead, the messages are often very short and impersonate someone the victim knows or trusts, such as their boss, a colleague, or a vendor they work with or shop with. Business email compromise (BEC) or CEO fraud is a common example: the attacker sends an urgent email to a specific person in Accounts Payable posing as a very senior executive and pressures them to approve an invoice or payment. The person in Accounts Payable believes they are doing the right thing and does not realize they are approving a payment to criminals.

The first step is to find out which of these phishing types are actually arriving at the organization. Check with the cyber threat intelligence team, the email support team or whoever is responsible for email filtering or perimeter protection. If an anti-phishing solution is deployed, the IT security team can use its logs, together with the messages employees report, to categorize the types of phishing attacks the organization sees.
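As an added example (not from the article and not a SANS tool), the following Python script sorts reported messages into the target categories described above: a credential-harvesting link, a phone number to call, a link-less scam, and, for comparison, the traditional malware attachment. The sample messages are constructed for this example, and the regular expressions, precedence rules and category names are assumptions, not part of any product.

```python
import email
import re
from collections import Counter

# Constructed sample reports (assumptions for this example, not real messages):
# one per phishing target discussed above, plus a malware attachment for contrast.
SAMPLE_REPORTS = [
    # Credential harvesting: a link to a fake Microsoft 365 login page.
"""From: "Microsoft 365" <no-reply@login-verify.example>
To: user@corp.example
Subject: Action required: your password expires today
Content-Type: text/plain

Your Microsoft 365 password expires in 2 hours. Keep your current password here:
https://login-verify.example/m365/keep-password
""",
    # Callback phishing: no link and no attachment, only a phone number to call.
"""From: "Billing Dept" <billing@renewal-notice.example>
To: user@corp.example
Subject: Invoice #48213 - $499.99 charged to your card
Content-Type: text/plain

Your annual subscription has been renewed for $499.99.
To dispute this charge call 1-800-555-0142 within 24 hours.
""",
    # BEC / CEO fraud: short, urgent, impersonates an executive, nothing to click.
"""From: "Dana Reyes (CEO)" <dana.reyes.ceo@gmail.com>
To: ap@corp.example
Subject: Urgent wire
Content-Type: text/plain

Are you at your desk? I need a vendor payment released today
before I board my flight. Reply ASAP.
""",
    # Malware delivery: the traditional phishing goal, for comparison.
"""From: "HR" <hr@corp-example.net>
To: user@corp.example
Subject: Updated benefits enrollment form
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached enrollment form and return it by Friday.
--b1
Content-Type: application/octet-stream; name="enrollment.docm"
Content-Disposition: attachment; filename="enrollment.docm"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
""",
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# North American style numbers (555-01xx is reserved for examples). Only
# non-capturing groups are used so that findall() returns the whole match.
PHONE_RE = re.compile(r"(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message, attachments excluded."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def categorize(raw_message):
    """Classify one reported message by what the attacker is after.

    Precedence matters: an attachment makes it a malware attempt even if a link
    is also present; a link means credential harvesting; a phone number with no
    link is callback phishing; nothing actionable at all is the link-less
    scam / BEC pattern.
    """
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "") or ""
    text = subject + "\n" + body_text(msg)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    urls = URL_RE.findall(text)
    phones = PHONE_RE.findall(text)
    if attachments:
        category = "malware_attachment"
    elif urls:
        category = "credential_link"
    elif phones:
        category = "phone_callback"
    else:
        category = "linkless_scam"
    return {"category": category, "urls": urls, "phones": phones,
            "attachments": attachments, "subject": subject}


def summarize(raw_messages):
    """Count reported messages per category, e.g. for a monthly awareness report."""
    return Counter(categorize(m)["category"] for m in raw_messages)


if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        result = categorize(report)
        print(f"{result['category']:<20} {result['subject']}")
    print(dict(summarize(SAMPLE_REPORTS)))
```

The precedence order is deliberate: attackers often pad a callback lure with a harmless link, so "has a phone number" is only informative once "has a link" has been ruled out, and an attachment trumps everything because it is the one case that still belongs to the old malware bucket.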

Most common phishing indicators

What should security awareness trainers teach employees so they can recognize these constantly evolving attacks? It is not recommended to teach employees every type of phishing attack and every possible lure. Not only would this overwhelm them, but attackers constantly change their baits and techniques, so such training would quickly become outdated. Trainers should instead focus on the most common indicators and clues of an attack.

This way, employees are trained and empowered to act regardless of the attackers’ methods or lures. Trainers should also convey that phishing is no longer just about email but uses a variety of messaging technologies. The indicators below are effective precisely because they are present in almost every phishing attack, regardless of the target and regardless of whether it arrives via email or a messaging app.

Urgency
Any email or message that conveys a strong sense of urgency and tries to rush the victim into making a mistake. An example is a message claiming to be from the government, stating that taxes are past due and the recipient will go to jail if they do not pay immediately. The greater the urgency, the more likely it is an attack.

Pressure
Any email or message that pressures an employee to ignore or circumvent company policies and procedures. BEC/CEO fraud attacks are a common example.

Curiosity
Any email or message that arouses strong curiosity or is too good to be true, such as a notice about an undelivered UPS package or a refund from Amazon.

Tone of voice
An email or message that appears to come from a colleague, but the wording does not sound like them, or the general tone or the signature is wrong.

Generic
An email that claims to come from a trusted organization but uses a generic salutation such as “Dear Customer.” If FedEx or Apple really has a package for the recipient, they know the recipient’s name.

Personal email address
Any email that appears to be from a legitimate company, vendor or colleague but is sent from a personal email address, such as an @gmail.com account.
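Two of the indicators above, the generic salutation and the personal sender address, need no human judgement and can be checked mechanically before a message ever reaches an employee. The following Python is an added example (not part of the article and not a SANS tool) that checks constructed sample messages for exactly those two indicators. The corporate domain, the colleague directory, the freemail domain set and the salutation and department word lists are assumptions. It goes slightly beyond the list by also flagging a known colleague writing from any address other than their directory entry, which catches look-alike domains as well as freemail accounts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the article):
# a few known colleagues and the consumer mail providers that a real vendor,
# bank or executive would not be writing from.
KNOWN_EMPLOYEES = {
    "dana reyes": "dana.reyes@corp.example",
    "sam okafor": "sam.okafor@corp.example",
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}

# "Dear Customer", "Hello valued member", "Dear Sir/Madam": addressed to nobody.
GENERIC_SALUTATION_RE = re.compile(
    r"^\s*(dear|hello|hi|greetings)[\s,]+(valued\s+)?"
    r"(customer|user|client|member|account\s+holder|sir/madam)\b",
    re.IGNORECASE | re.MULTILINE,
)
# Display names that claim to speak for an organization or department.
ORG_LIKE_RE = re.compile(
    r"\b(support|billing|accounts?|security|delivery|shipping|payroll|team|"
    r"dept|department|bank|service|hr)\b",
    re.IGNORECASE,
)

# Constructed samples (single-part text/plain, so the payload is read directly).
SAMPLES = {
    "fedex_freemail": """From: "FedEx Delivery" <fedex.delivery.notice@gmail.com>
To: dana.reyes@corp.example
Subject: Your package could not be delivered

Dear Customer,
We have a package for you but could not deliver it. Confirm your address to reschedule.
""",
    "ceo_freemail": """From: "Dana Reyes (CEO)" <dana.reyes.ceo@gmail.com>
To: ap@corp.example
Subject: Urgent wire

Are you at your desk? I need a vendor payment released today. Reply ASAP.
""",
    "legit_colleague": """From: "Sam Okafor" <sam.okafor@corp.example>
To: dana.reyes@corp.example
Subject: Q3 numbers

Hi Dana, the Q3 figures are in the shared folder. Let me know if anything is off.
""",
    "personal_friend": """From: "Uncle Bob" <bob.the.uncle@gmail.com>
To: dana.reyes@corp.example
Subject: Sunday lunch

Hi Dana, are we still on for lunch on Sunday?
""",
}


def sender_indicators(raw_message):
    """Return the mechanical indicators found in one raw RFC 822 message.

    Checks a generic salutation and a personal (freemail) address for a sender
    who claims to be a company, vendor or colleague. A known colleague writing
    from any address other than their directory entry is flagged as well.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    # Normalise "Dana Reyes (CEO)" -> "dana reyes" before the directory lookup.
    name_key = re.sub(r"\(.*?\)", "", display_name).strip().lower()
    directory_address = KNOWN_EMPLOYEES.get(name_key)
    found = []
    if GENERIC_SALUTATION_RE.search(msg.get_payload()):
        found.append("generic_salutation")
    if directory_address and address.lower() != directory_address:
        found.append("lookalike_colleague_address")
    if domain in FREEMAIL_DOMAINS and (directory_address or ORG_LIKE_RE.search(display_name)):
        found.append("personal_email_address")
    return found


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:<16} {sender_indicators(raw) or 'no indicators'}")
```

The last sample matters as much as the first two: a freemail address on its own is not an indicator, since friends and family write from Gmail all the time. The rule only fires when the display name claims to be an organization or a known colleague, which is the mismatch the indicator above describes.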

Phishing indicators no longer recommended

These indicators were commonly taught in the past but are no longer recommended.

Spelling errors
Trainers should stop teaching that spelling or grammatical errors are indicators of phishing. Today, recipients are more likely to receive a legitimate email with spelling errors than a phishing email with them. Spelling errors will most likely become even rarer as attackers use AI tools to write and proofread their phishing emails.

Hovering over links
A commonly taught method is to hover over a link to see where it really leads and judge whether it is legitimate. This is no longer recommended unless you are dealing with a very technical audience. The problem is that you then have to teach employees how to decode a URL, which is a confusing, time-consuming and technical skill. In addition, many links in today’s email are hard to decode because they have been rewritten by email security products such as Proofpoint, so the visible target is the vendor’s scanning service rather than the final destination. Hovering is also awkward on mobile devices, which are now one of the most common ways people read email. And if every employee in the organization is trained to hover over and analyze every link in every email, that is an extremely costly behavior for the organization.

Lance Spitzner is director of security awareness at the SANS Institute.