The Latest Phishing Tactics to Watch Out For

Phishing first started to appear about 30 years ago, and it looked much different than it does today. Back then, threat actors would cast a wide net in the hopes of snagging a few users. It wasn’t a focused or targeted effort.

Those days are gone. Phishing campaigns now are focused enough to target key individuals at specific companies and users of specific services. Threat actors will impersonate vendors, package carriers, and organization members to get what they want.

How Does Phishing Work?

Phishing essentially uses a type of message that’s designed to lure targeted users into an interaction by sending a response, clicking a link, or going to a webpage.

The endgame in phishing is either to get you to give up information or to download malware of some kind—with the intent being financial gain. If you don’t give up your credentials directly, the malware can scrape your credentials.

How Has Phishing Evolved?

Phishing started to evolve quickly as IT automation developed. Website bots were introduced as virtual assistants, and that technology was quickly picked up by bad actors to produce phishing campaigns. That allowed them to create better phishing messages.

In the early days, phishing tactics were essentially “the Nigerian prince needs money.” Those scams soon became pretty obvious. With the advent of automation, the messaging became more subtle. Because things were automated, threat actors were able to more quickly gather a larger audience to phish.

Attackers could gather more email addresses and target more users, but more importantly, they could slice and dice those users into specific groups so they could create better messaging. The message would be focused to a particular set of users where it would be more likely to resonate, raising their click-to-email ratio.

That tactic has evolved again with the advent of artificial intelligence. The capabilities of AI tools have taken phishing to a whole new level. At this point, the messages are nearly flawless. Bad actors are scraping corporate sites with AI and putting together their own tailored messages using known and trusted corporate branding.

Recent Trends in Phishing Tactics

Overall, phishing has become much more aggressive. In the past, phishing was more of an ask. The threat actor might tug at your heartstrings a little bit, but they did little more than throw messages out there to see who would click on them.

Nowadays, phishing is aggressive and urgent. The language is almost always a time-sensitive call to action:

  • “You need to do something before close of business today or your company will incur significant cost or penalty.”
  • “If you don’t do this now, your driver’s license will be canceled or your passport is going to be canceled.”
  • “The IRS is going to seize your bank accounts if you don’t pay your back tax bill immediately. Click here to take care of it.”

Threat actors play on an aspect of human emotion that makes us want to resolve urgent problems. People instinctively switch into crisis resolution mode without taking time to evaluate the situation more closely. It’s how we’re wired. There’s a lot more psychology in these messages now than there used to be.

In general, be wary of requests to send money, to update or verify account numbers, and to change passwords. Here are some other recent evolutions in phishing attacks that you should be aware of.

Homograph Attacks

One newer evolution in phishing is the use of non-English character sets or other look-alike characters in English email addresses and web links. Attackers use foreign characters that look like English letters in the “from” email address or in links, so that they appear to be using a legitimate email address from an actual company.

For example, certain non-English characters can render to look like an “a,” so the sender’s email appears to be a legitimate email address from amazon.com or facebook.com. At first glance, it looks real, but it’s not actually a company address. When a bad actor uses a company’s branding and it looks like it’s coming from the company name, then it feels like a legitimate message.

It’s a very subtle tactic and it allows threat actors to be much more savvy. This is incredibly hard to spot, even for vigilant users. See the example below to illustrate. Which is the real link?
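The question above is easier to answer by machine than by eye. The following is an added example (not code from the original article or from Black Kilt) of the check a mail gateway or link scanner can run on a sender address or URL: it pulls out the domain, converts it to the IDNA/punycode form that DNS actually resolves (a look-alike domain shows up as an `xn--` label), lists any non-ASCII characters by their Unicode names, flags domains that mix scripts (for example Latin and Cyrillic), and maps a short hand-picked table of confusable characters back to ASCII to see whether the result collides with a brand you trust. The confusables table, the trusted-domain set and the sample addresses are all constructed for this example; the full reference list is the Unicode Consortium's UTS #39 `confusables.txt`.

```python
"""Look-alike (homograph) domain check for sender addresses and links.

Added example; not part of the original article. The CONFUSABLES table is
a small hand-picked subset, not an exhaustive mapping.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of characters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def extract_domain(value: str) -> str:
    """Return the lower-cased host part of an email address or URL."""
    value = value.strip()
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def script_of(ch: str) -> str:
    """Crude script classification from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("CYRILLIC", "GREEK", "ARMENIAN", "LATIN"):
        if name.startswith(script):
            return script
    return "OTHER"


def analyze(value: str) -> dict:
    """Describe how a domain would look on the wire and whether it mixes scripts."""
    domain = extract_domain(value)
    try:
        # Python's built-in codec implements IDNA 2003: non-ASCII labels become xn--...
        idna_form = domain.encode("idna").decode("ascii")
    except UnicodeError:
        idna_form = None
    non_ascii = [(c, unicodedata.name(c, "?")) for c in domain if ord(c) > 127]
    letter_scripts = {script_of(c) for c in domain if c.isalpha()} - {"OTHER"}
    skeleton = "".join(CONFUSABLES.get(c, c) for c in domain)
    return {
        "domain": domain,
        "idna": idna_form,
        "punycode": idna_form is not None
        and any(label.startswith("xn--") for label in idna_form.split(".")),
        "non_ascii": non_ascii,
        "mixed_script": len(letter_scripts) > 1,
        "skeleton": skeleton,
    }


def verdict(value: str, trusted: set) -> str:
    """Classify a sender or link against a set of trusted ASCII domains."""
    info = analyze(value)
    if info["domain"] in trusted and not info["non_ascii"]:
        return "ok"
    if info["skeleton"] in trusted:
        return "look-alike"  # collides with a trusted brand after de-confusing
    if info["mixed_script"] or info["punycode"]:
        return "suspicious"
    return "unknown"


if __name__ == "__main__":
    trusted = {"amazon.com", "facebook.com"}  # constructed allow-list
    samples = [  # constructed: the second uses a Cyrillic "а"
        "support@amazon.com",
        "https://\u0430mazon.com/login",
        "https://p\u0430ypal-secure.net",
    ]
    for s in samples:
        info = analyze(s)
        print(f"{s!r}: {verdict(s, trusted)} (wire form {info['idna']})")
        for ch, name in info["non_ascii"]:
            print(f"    contains {ch!r} = {name}")
```

Running it shows that `support@amazon.com` and the Cyrillic-`а` version print identically in most fonts but differ on the wire (`amazon.com` versus an `xn--` label). In a gateway you would apply `verdict` to the `From` address and to every link target in the body; a hovered link that reveals `xn--` in the host, or a mail client that displays the punycode form, is the same signal surfaced to a user.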

Spear Phishing

Spear phishing happens when threat actors use the knowledge they’ve gained through social engineering to run a targeted phishing campaign.

The scope of spear phishing can be widened or narrowed depending on the intent of the attack. For example, a threat actor may choose to target an entire company, or a specific department within a company. Since the goal of phishing is most often financially motivated, spear phishing against finance departments is common.

Whaling

Whaling is when threat actors spear phish specifically against senior executives in an organization. Those are the big fish, so to speak — hence the term whaling.

With whaling, you’re more likely to see company-level messages claiming some sort of harm to the organization unless immediate action is taken. They tend to have a lot of social engineering behind them — the attackers know who the executives are, what they do, and who their friends and colleagues are, etc.

Bad actors do their homework in crafting their whaling attacks. Those whaling messages will often include personal elements that they’ve scraped about the individual.

The message may appear to come from a colleague, a co-worker, the administrative assistant, or a friend at another company: “Hey, did you know that there’s this major concern out here? You should click to read the article.”

It will often use very intimate personal details that the executives might not expect the hacker to have. Executives might not realize how much personal information is available publicly that could have been gleaned.

Smishing

“Smishing,” or SMS phishing, is any type of phishing that happens through SMS text messages instead of email. A common one is a mail carrier impersonation: “Your package is late. Click here for the tracking number.”

Smishing can occur in very targeted contexts, as well. For example, a threat actor might target an assistant while pretending to be an executive, asking for them to send information to an unrecognized phone number because their phone died and it’s an emergency.

Vishing

Vishing is a term used for a phishing campaign via phone call, or voice phishing. The original vishing campaign, from years ago, was the call you’d get from the guy claiming to be Windows IT, saying you have a virus and you need to pay to get it fixed before you lose your data.

That tactic has evolved and attackers are now using deepfake technology. For example, there are documented instances of somebody getting a call from their boss, whose voice had been impersonated.

Vishing can be a voicemail, or it could be what feels like a live voice call, because deepfakes can become interactive. Once a threat actor has your voice pattern, they’re not limited in their script.

Voice prints can be captured in innocuous ways. There are plenty of sources to find a voice — webinars, company videos, or social media videos — and it doesn’t take much material to develop a reasonable facsimile of your voice.

This tactic has been used heavily against the elderly population, with callers impersonating a family member and requesting money be wired, transferred, or even mailed immediately to resolve some crisis.

What’s Next in Phishing

Verizon’s 2023 security report claimed that 36% of all data breaches involved phishing. I personally think that’s a low estimate. Digital Guardian seems to believe closer to 90% of corporate breaches were the result of phishing.

Regardless of which source you believe, it’s highly unlikely that phishing attacks are going to decrease anytime soon. The statistics clearly show that people just keep clicking those links. So we’re going to continue to get more email, more voice calls and more SMS messages.

Vishing was a part of the recent MGM breach. The attackers pretended to be employees and coerced the helpdesk into resetting two-factor credentials. Look for more of this to come as part of complex attacks in 2024.

I think with the continuing development of AI tools, the black hats will get more savvy and they’re going to learn how to make the phishing messages even more personalized. It started out with that wide net, and then it became spear phishing, followed by whaling. I think we’re quickly going to get to the point where we’re going to see personalized phishing with a target of one.

Bots, automation, and AI are going to be able to produce a phishing message that’s specifically designed for you. They know as much information about you as they possibly can. And using that information in nefarious ways, they can craft language that is most likely to resonate with you in order to get you to click the link or take some other inappropriate action.

How to Protect Yourself from Being Phished

Protecting yourself begins with your company’s corporate email solution. Whether you’re using Microsoft, Google, or another provider, you need to turn on your phishing tools at an aggressive level.

It may be inconvenient for users, because messages are going to end up in quarantine. You’ll have to teach users about spam quarantine and train them to check spam folders for messages. Users also need to be educated on how to avoid spam filters if the messages they’re sending are legitimate.

There are solutions like Proofpoint and Barracuda that can be layered on top of your email solution that will provide additional filtering. Those are great tools if that’s something that your company can afford and is willing to implement. It may add another level of complexity and management, but it significantly cuts down on the spam.

Regardless of your operating budget, every company should train their users on phishing. If your company isn’t doing a phishing awareness campaign right now, you’re missing the boat.

Phishing training should use some real-world examples so that your employees understand the true nature of the threat. You can also run internal phishing campaigns, which expose vulnerabilities without the consequences.

Take a doubt-first perspective, especially if an email is urgent, or if it includes links that you’re being requested to click on. As a personal rule, I never click a link in an email message.

Don’t interact in any way with phishing emails if at all possible. It’s better that they just get deleted and go unopened, because you’re much more likely to fall off the threat actor’s radar that way. The moment you start interacting with those messages, you’re more likely to get even more of them because they know you opened it.

Finally, trust but verify. If you do get an email and somebody is asking you to do something urgent, pick up the phone and call. Don’t use the contact information that’s provided in the message. Use your address book or information you already have on file or your speed dial on your phone.

Black Kilt Helps Your Company Defend Against Phishing Attacks

Black Kilt is able to help you fine-tune your email filters. We can implement filters if you don’t already have them, and we can get your email set up securely so that spammers aren’t using your domain to send from in the first place.

We can also help you to develop and deliver both phishing training and in general cybersecurity awareness training, so that your users can be more vigilant, a little less trusting and a little more skeptical of these nefarious campaigns.

We’re more than happy to craft some phishing messages and work with you to test your employees on the effectiveness of your training.
