Phishing attacks explained, examples, and how to combat phishing attacks.
2023 Mid-Year Threat ReportPhishing is a social engineering cybersecurity attack that attempts to trick targets into divulging sensitive/valuable information. Sometimes referred to as a “phishing scam,” attackers target users’ login credentials, financial information (such as credit cards or bank accounts), company data, and anything that could potentially be of value.
Large organizations have long been at risk of phishing attacks due to their sheer size and opportunity for attackers to find holes in their security systems. If the phishing attack is successful, an employee falling victim to the con could put their entire company in jeopardy of future turmoil. Organizations must assess how vulnerable they are to phishing attacks through penetration testing engagements and implementing the findings in security awareness training programs.
At its most basic definition, the term phishing attack often refers to a broad attack aimed at a large number of users (or “targets”). This can be thought of as a “quantity over quality” approach, requiring minimal preparation by the attacker, with the expectation that at least a few of the targets will fall victim to it (making the minimal up-front effort attractive even though the expected gain for the attacker isn’t usually all that big).
Phishing attacks typically engage the user with a message intended to solicit a specific response (usually a mouse click) via an emotion or desire, such as the following examples:
There are plenty of ways which attackers will attempt to get their hands on your information with a single email. However, there are often indicators to help determine whether or not an email is legitimate.
Attackers have innovated on phishing attacks over the years, coming up with variations that require more up-front effort by the attacker but result in either a higher rate of victims or a higher value “payout” per victim (or both!).
When a phishing attack is customized to target an organization or specific individual(s), it’s referred to as spear phishing. These attacks involve additional information gathered ahead of time and incorporate other elements—such as company logos, email and website addresses of the company or other businesses the company works with, and sometimes professional or personal details of a target—in order to appear as authentic as possible. This additional effort by the attacker tends to pay off with a larger number of targets being duped.
Learn more about spear phishing attacks.
As a variation of the spear phishing attack, whaling targets an organization’s senior or C-level executives. Whaling attacks typically take specific responsibilities of these executive roles into consideration, using focused messaging to trick the victim. When a whaling attack successfully dupes a target, the attacker’s windfall can be substantial (e.g. high-level credentials to company accounts, company secrets, etc.).
Learn more about whaling attacks.
Another variation on spear phishing attacks is clone phishing. In this attack, targets are presented with a copy (or “clone”) of a legitimate message they had received earlier, but with specific changes the attacker has made in an attempt to ensnare the target (e.g. malicious attachments, invalid URL links, etc.). Because this attack is based on a previously seen, legitimate message, it can be effective in duping a target.
And More
Attackers continue to seek out new and creative ways to target unsuspecting computer users. A recent phishing attack involved a Google Doc that was received via email from a user known to the target, but would then try to gain the target’s Google login credentials (and also spam itself out to all emails in the target’s address book). And more passive attack types, like pharming, can result in the same losses as other phishing attacks.
Attackers use a number of mechanisms to phish their targets, including email, social media, instant messaging, texting, and infected websites—some attacks are even carried out using old school phone calls. Regardless of the delivery mechanism, phishing attacks utilize certain techniques to execute.
One common deception attackers use is making a malicious URL appear similar to an authentic URL, increasing the likelihood that a user will not notice the slight difference(s) and click the malicious URL. While some of these manipulated links can be easily identified by targeted users who know to “check before they click” (e.g. authentic URL thelegitbank.com vs. shady URL theleg1tbank.com), things like homograph attacks, which take advantage of characters that look alike, can reduce the efficacy of visual detection.
Links aren’t the only item that attackers can spoof. Websites can be spoofed or forged to appear as if they are the authentic, legitimate site by utilizing things such as Flash or JavaScript, allowing attackers to control how the URL is displayed to the targeted user. This means that the site could show the legitimate URL even though the user is actually visiting the malicious website. Cross-Site Scripting (XSS) takes this attack one step further: XSS attacks exploit vulnerabilities in the legitimate website itself, which allows the attacker to present the actual website (showing the legitimate URL, legitimate security certificates, etc.) and then quietly steal the credentials the user provides.
Redirects are a way attackers can force a user’s browser to interact with an unexpected website. Malicious redirects typically involve a website that is normally/willfully visited by the targeted user, but then forcibly redirects all visitors to the undesired, attacker-controlled website. An attacker can accomplish this by compromising a website with their own redirection code or by discovering an existing bug on the target website that allows a forced redirect through specially crafted URLs, for example.
As the name implies, covert redirects make it less obvious to the target user that they are interacting with an attacker’s site. A common scenario of a covert redirect would be where an attacker compromises an existing website by giving a new action to an existing “Log in with your Social Media account” button that a user might click in order to leave a comment. This new action collects the social media login credentials the user provided and sends them to the attacker’s website before proceeding to the actual social media website, leaving the targeted user none the wiser.
The following suggestions are designed to prevent and disarm phishing attacks from succeeding:
In this installment of Whiteboard Wednesday, Senior Product Marketing Manager, Justin Buchanan, discusses how employees can recognize potential phishing threats in the workspace.
Additionally, it's also good practice to regularly scan user and infrastructure systems for malware and keep them current on software updates/patches.
The breadth of phishing attacks and attack methods out there may sound scary, but with proper training around what a phishing attack is, how it works, and how it can harm users and their organizations, you can help ensure you’re as prepared as possible to recognize the threat and mitigate it accordingly.