Phishing – It’s Not About Malware (Or Even Email)

Phishing has been, and continues to be, one of the most common attack methods (often called TTPs, for tactics, techniques and procedures) cyber attackers use, because it is so effective.

Phishing is a simple attack vector that enables cyber attackers to bypass most security controls.

Reports like the Verizon DBIR or the Microsoft Digital Defense Report continue to identify phishing as a top risk.

Several Trends We Are Seeing

Over the past several years phishing has continued to evolve. While many of the emotional lures used to get people to fall victim remain the same (covered in more detail below), we have seen changes in both cyber attacker modalities and goals.

1. Modalities: Traditionally phishing was done through email. However, we have seen a shift where messaging technologies are also being used, including Apple's iMessage, WhatsApp and standard SMS. Text-message phishing attacks have become increasingly popular because many phones lack any type of filtering capability, which means scams and attacks are far more likely to get through. Also, since text messages tend to be much shorter with little context, it is much harder to confirm what is legitimate versus what is an attack. As such, when training your workforce, emphasise that phishing attacks no longer just happen over email, but via any messaging technology.

2. Goal: Traditionally the goal of cyber attackers with phishing attacks was to install malware on the victim's computer. However, malware infections are becoming easier and easier for security teams to detect, so that approach has radically changed. In today's world we are seeing three other goals of phishing attacks.

   a. Gaining Passwords: Phishing is used to get victims to click on a link that takes them to a website that harvests their passwords. Once an individual's credentials are stolen, cyber attackers can cause a great deal of damage while operating undetected. For example, cyber attackers will send out emails pretending to come from people's banks so they can reuse the harvested credentials to access and steal money from people's personal financial accounts. Another common phishing lure is sending emails pretending to come from Microsoft so attackers can steal people's login credentials for their work-related Microsoft 365 cloud accounts.

   b. Getting People on the Phone: An increasing number of phishing attacks have no link or attachment, only a phone number as their point of attack. The cyber attacker's goal is to get the victim to call that phone number. Once the victim is on the phone, cyber attackers use stories and emotion to pressure people into taking actions such as giving up their passwords, purchasing gift cards or transferring money from their bank accounts to accounts controlled by the attacker. Attackers have learned that while these attacks usually require far more work, as they are not automated, they are often more successful and profitable, as they can fool people out of their checking, savings or retirement accounts, stealing their entire life savings.

   c. Scams: Many phishing emails have no link or attachment; instead the messages are often very short and impersonate someone the victim knows or trusts, such as their boss, a co-worker or a vendor they work or shop with. BEC (Business Email Compromise) or CEO Fraud attacks are a common example, in which cyber attackers send an urgent email to a specific individual in accounts payable pretending to be a very senior executive, pressuring the individual to approve an invoice or payment. The accounts payable person believes they are doing the right thing, not realising they are approving a payment to cyber criminals.

One way you can determine what type of phishing attacks your organisation is seeing is to check with your Cyber Threat Intelligence team, your Email Support team or anyone responsible for your email filtering or perimeter defenses. If you have some type of anti-phishing solution (such as Proofpoint), your security team can log and categorise the types of phishing attacks your organisation is seeing.

Below is an example of a real report for a real company, generated by Proofpoint. In this chart we see the following.

  • 69% of all phishing emails attempt to take the victim to a website to gather information. This is primarily password harvesting but may also include sites that host "surveys".
  • 14% are imposter-based attacks; this includes scams such as BEC attacks, gift card scams, or billing / invoice scams.
  • 8% are Telephone Oriented Attack Delivery (TOAD) attacks. This is a new category that Proofpoint added in 2023 due to the increase in this type of phishing attack. The goal is for the victim to call a phone number.
  • Only 9% of all phishing emails are attempting to infect the victim with malware (via clicking on a URL or opening an email attachment).

The key takeaway here? Phishing is no longer about infecting your computer. The primary goal of phishing is to steal people's credentials (logins and passwords) so that attackers can then log in as their victims.

In addition, we see both imposter-based (like BEC) and telephone-based phishing attacks continue to rise. Who needs to steal money or passwords when you can literally just ask for them? If you can pull reports like the one above, you can track how cyber attacker phishing TTPs change over time.

Most Common Phishing Indicators

What should we teach people so they can easily detect these ever-evolving attacks? We do not recommend that you try to teach people about every different type of phishing attack and every possible lure. Not only is this most likely overwhelming for your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, focus on the most commonly shared indicators and clues of an attack. This way your workforce will be trained and enabled regardless of the method or lures cyber attackers use. In addition, emphasise that phishing attacks are no longer just about email but use different messaging technologies. That is why the indicators below are so effective: they are common in almost every phishing attack, regardless of the goal and whether it arrives via email or messaging.

  • Urgency: Any email or message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don't pay right away you will end up in jail. The greater the sense of urgency, the more likely it is an attack.
  • Pressure: Any email or message that pressures an employee to ignore or bypass company policies and procedures. BEC / CEO Fraud attacks are a common example.
  • Curiosity: Any email or message that generates a tremendous amount of curiosity or seems too good to be true, such as an undelivered UPS package or an Amazon refund you are about to receive.
  • Tone: An email or message that appears to be coming from a co-worker, but the wording does not sound like them, or the overall tone or signature is wrong.
  • Generic: An email coming from a trusted organisation but using a generic salutation such as "Dear Customer". If FedEx or Apple has a package for you, they should know your name.
  • Personal Email Address: Any email that appears to come from a legitimate organisation, vendor or co-worker, but is using a personal email address like @gmail.com.
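The indicators above are simple enough that a security team can also use them to triage user-reported messages before an analyst looks at them. The script below is an added illustration, not SANS or Proofpoint code: it scores each reported message by how many of the indicators fire (urgency, pressure, curiosity, generic salutation, personal email address). The phrase lists, the list of consumer webmail domains, the display-name hints and the four sample messages are all constructed for this example. The "Tone" indicator is deliberately not automated, since judging whether wording sounds like a particular colleague needs a human or a per-sender baseline.

```python
# Added illustration (not SANS or Proofpoint code): a simple triage scorer for
# user-reported messages based on the indicators above. All phrase lists,
# domain lists and sample messages below are constructed for this example.
import re
from dataclasses import dataclass

# Consumer webmail domains: a sender that presents itself as an organisation
# or executive but sends from one of these shows the "Personal Email Address"
# indicator. Constructed list; extend to taste.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "icloud.com"}

# Words in a display name that signal the sender claims to be an organisation,
# vendor or senior role (constructed list).
ORG_HINTS = ["bank", "tax office", "fedex", "ups", "amazon", "apple",
             "microsoft", "support", "helpdesk", "ceo", "accounts payable"]

# Constructed phrase lists for the emotional-lure indicators.
URGENCY = ["immediately", "right away", "within 24 hours", "overdue",
           "will be suspended", "urgent"]
PRESSURE = ["do not tell", "don't tell", "keep this confidential",
            "skip the usual", "bypass", "no time for approval"]
CURIOSITY = ["refund", "undelivered package", "you have won", "prize", "free gift"]
GENERIC_SALUTATIONS = ["dear customer", "dear user", "dear account holder",
                       "dear sir/madam", "valued customer"]


@dataclass
class Message:
    display_name: str
    from_address: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int        # number of distinct indicators present (0-5)
    indicators: list  # which indicators fired, in a fixed order


def _phrase_hits(text, phrases):
    low = text.lower()
    return [p for p in phrases if p in low]


def _claims_org(display_name):
    # Whole-word match so "ups" does not fire on "groups".
    name = display_name.lower()
    return any(re.search(r"\b" + re.escape(h) + r"\b", name) for h in ORG_HINTS)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def score_message(msg):
    """Count which of the indicators fire for one message.

    "Tone" (wording that does not sound like the colleague) needs human
    judgement or a per-sender baseline and is left to the analyst.
    """
    text = f"{msg.subject}\n{msg.body}"
    found = []
    if _phrase_hits(text, URGENCY):
        found.append("urgency")
    if _phrase_hits(text, PRESSURE):
        found.append("pressure")
    if _phrase_hits(text, CURIOSITY):
        found.append("curiosity")
    lines = msg.body.strip().splitlines()
    first = lines[0].lower() if lines else ""
    if any(first.startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("generic salutation")
    if _claims_org(msg.display_name) and sender_domain(msg.from_address) in PERSONAL_DOMAINS:
        found.append("personal email address")
    return Verdict(score=len(found), indicators=found)


def triage(messages):
    """Return (subject, verdict) pairs, highest score first, for analyst review."""
    scored = [(m.subject, score_message(m)) for m in messages]
    return sorted(scored, key=lambda pair: pair[1].score, reverse=True)


# Constructed sample reports: three lures of the kinds described above and
# one ordinary internal message.
SAMPLES = [
    Message("Tax Office", "tax.notices@gmail.com",
            "Final notice: overdue tax payment",
            "Dear Customer,\nOur records show your taxes are overdue. Pay within 24 hours or a warrant will be issued."),
    Message("Pat Lee (CEO)", "pat.lee.ceo@outlook.com",
            "Quick favour",
            "Are you at your desk? I need an invoice paid immediately. Keep this confidential, I'll explain later."),
    Message("Amazon Refunds", "refunds-team@yahoo.com",
            "Your refund is ready",
            "Dear user,\nYou are eligible for a refund of 120. Claim it right away before it expires."),
    Message("Sam Patel", "sam.patel@example.com",
            "Tuesday meeting minutes",
            "Hi Alex,\nAttached are the minutes from Tuesday. Let me know if I missed anything.\nSam"),
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLES):
        print(f"{verdict.score}  {subject!r}: {', '.join(verdict.indicators) or 'no indicators'}")
```

Run as a script it prints the four samples with the refund lure (four indicators) first and the ordinary meeting note (none) last. Note that the scorer never looks at spelling or grammar; the score is a ranking aid for the people reviewing reports, not a verdict on its own.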

Phishing Indicators We No Longer Recommend

These are indicators that have typically been recommended in the past, but we no longer recommend them.

  • Misspellings: Avoid using misspellings or poor grammar as an indicator; in today's world you are more likely to receive a legitimate email with bad spelling than a crafted phishing attack. Misspellings will most likely become even less common as cyber attackers use AI (Artificial Intelligence) solutions to craft and review their phishing emails and correct any spelling or grammar issues.
  • Hovering: One method commonly taught is to hover over the link to determine whether it is legitimate. We no longer recommend this method except for highly technical audiences. One problem with this method is that you have to teach people how to decode a URL, a confusing, time-consuming and technical skill.

In addition, many of today's links are hard to decode because they are rewritten by phishing security solutions such as Proofpoint. Also, it can be difficult to hover over links on mobile devices, one of the most common ways people read email. Finally, if you train every employee in your organisation to hover over and analyse every link in every email, that is an extremely high-cost behaviour for your organisation.

To help your workforce better understand and defend against these types of attacks, here are several OUCH newsletters you can share with them. OUCH is a free monthly security awareness newsletter published by SANS, with each edition translated into over 20 languages.

  • Emotional Triggers – How Cyber Attackers Trick You
  • Charity and Disaster Scams
  • Phishing Attacks are Getting Trickier
  • Vishing – Phone Call Attacks and Scams
  • Social Engineering Attacks

To learn more about leveraging Cyber Threat Intelligence, how to more effectively manage human risk, and how to earn the SSAP, consider the three-day SANS MGT433 Managing Human Risk course.

Lance Spitzner is Director of SANS Security Awareness

Image: iStock
