A phishing scam is when a hacker pretends to be a trusted person in order to access a user’s account, trick them into giving up sensitive/personal information, or infiltrate their network. Phishing scams have existed for decades, and they’ve persisted (and proliferated) by evolving with the times, and paying off.
Although phishing has come to encompass many different types of scams across different technologies, it remains primarily an email-based attack. Phishing scams are so prevalent over email, in fact, that 1 in 99 emails is a phishing attack and 1 in 25 branded emails is a phishing attack. This translates to a near-constant onslaught potential breaches, with hackers exploiting every vulnerability in system to attack users.
There’s sweeping ways in which the attack is conceived, the specific way in which it is executed, and the diverse ways in which it fraudulently extracts something of value. Attack methods change in tiny ways, and new attacks are discovered constantly. And so, stopping phishing turns into a classic game of cat and mouse.
The Cost of Phishing
Phishing scams have recently overtaken malware as the leading cyberattack threat. Cyberattacks are a billion-dollar-plus global enterprise, and soon will run into the trillions. From 2013-2018, the two most consequential types of phishing scams were Business Email Compromise (BEC) and Email Account Compromise.
Business Email Compromise and Email Account Compromise
Business Email Compromise (BEC) originally targeted high-level employees, like CEOs. The basic goal was to impersonate the executive in order to get an employee to do something incorrect like wire funds. Email Account Compromise (EAC) is a cousin of BEC, where the attack is on an individual operating in their personal capacity.
The FBI tracks them as one category of phishing. Between October 2013 and May 2018 there were 78,617 BEC/EAC incidents globally, with monetary losses totaling $12.5 Billion.
Phishing’s impact on business
Where phishing scams gain an edge over other forms of cybercrime is that they are a form of social engineering. Their schemes and targets are constantly evolving with the economic and cultural landscape.
In the U.K., phishing has soared in the financial services industry, accounting for more than half of all cyber attacks, with many likely unreported. The real estate industry in the U.S. experienced something similar in 2016, when hackers began targeting employees at all levels in title companies, law firms, real estate agents, and buyers and sellers.
How did they do it? In many cases they sent spoof emails with instructions for changing various aspects of a payment to a new — fraudulent — account. As soon the funds were in the account, the hackers withdrew or transferred them to a secondary fraudulent domestic or international account, making recovery all but impossible.
All told, over a two-year period, the number of victims rose 1100%, while monetary losses rose 2200%, totaling nearly $20 Million.
For a mid-sized business, a single phishing attack can result in $1.6 Million in losses. Yet just as damaging is how a phishing scam can ruin reputation. After a company is breached, 1 in 3 consumers will no longer do business with them.
With so much on the line, organizations want to treat phishing as a critical cybersecurity issue. But it’s not always clear what to do. Measures that seem foolproof are often easily exploited by savvy hackers. When one attackline gets discovered, software gets patched, pushing the hacker to adopt new tactics.
Phishing: Trust and Fear
Hackers thrive on secrecy. Not only do they operate in stealth, but they want to keep their victims quiet. They know that because phishing scams can wreck business’ reputations, many phishing reports go unreported — as many as 50 percent, even when reporting is mandatory. This means the attack can’t be studied, and the true cost of the attack can never be known.
There is also a large human element in every phishing scam. Hackers send users emails through their everyday communication mediums, pretending to be trusted brands. Having assumed their disguise, they prey on fears, adopting urgent language that compels users to click on malicious links or disclose sensitive information.
They know that a successful attack only takes one employee who’s not really paying much attention, and they know when employees are most likely to be vulnerable: during major holidays, during natural disasters, health epidemics, and political events — or even just at home on a Saturday morning checking their email.
To mitigate these aspects of the phishing attempt, it’s important for organizations to create a culture of awareness around phishing scams. Employees should be integrated into solutions and be equipped with user-friendly tools to report suspected phishing scams. But an even better way to limit the cost of phishing is to stop a phishing scam before it reaches the inbox.
Phishing Categories and Phishing Types
There are a lot of different categories of phishing scams (and variations on those) making phishing confusing to users. For instance, a phishing scam is not the same as spam email. Spam is a broad, generally unwanted advertisement intended to reach millions of users. Phishing is a personalized email asking the recipient for action.
For the average email user, the two can be hard to distinguish. A phishing email could look like a spam email, and vice-versa. But the spam email could be merely irritating, if not completely harmless, as well as easy to catch — while the phishing email could appear to be perfectly harmless while possessing the ability to corrupt an entire network.
A generic email phishing campaign targets a large number of individuals regardless of their potential worth. If the average phishing campaign targeted a high net-worth individual, or an executive of a valuable company, it would be by happenstance, alongside thousands of other regular people.
Categories of phishing scams are also different from types of phishing attacks. The phishing category describes the broad way in which an email phishing scam is carried out. It explains whom the hacker targets and how. The type of attack refers to the more specific means by which the hacker tricks.
Smishing, Vishing, Angler Phishing
As technology evolves, phishing spawns new categories of communication-based scams. Smishing is phishing over text messages, vishing is phishing through a telephone conversation, and angler phishing is a relatively new attack channel using social media. In each form, the line of attack is the same as email phishing, but the body of water in which to sink the line is different.
Nigerian Prince Scams
One of the most well-known phishing scams is the long-running “Nigerian prince” scam, where a user receives a letter, presumably from a Nigerian prince, requesting a sum of money that will later be paid back in excess. A part of scam culture for decades, this scam ran through the Internet during the early Web 2.0 days and is still raking in hundreds of thousands of dollars per year.
Although it’s been regularly updated for new technologies and methods, the Nigerian prince scam is widely known as a classic example of a general phishing scam. Today’s phishing scams are far more relevent, calculated, and specialized.
Spear phishing is a category of phishing that covers any scam highly customized to individual users often within an organization. Many spear phishing campaigns that can penetrate an organization to get to its employees are sophisticated enough to easily deceive users.
To conceal its fraudulent identity, a spear phishing email will be designed to replicate an actual organization or even a co-worker. Its email address may substitute the number “1” for a lowercase letter “l”, or the number “0” for an uppercase letter “O.”
This may seem simple, but the trick can be untraceable to the fast-moving naked eye. And all it may need to do is convince a single user to click on a link that leads to a credential-stealing website or a malicious document housed on a legitimate cloud-storage space like Google Drive or Office 365’s OneDrive.
Whaling is an even more specialized category of spear phishing. It involves the hacker impersonating an executive or senior manager. Hackers know that employees are likely to do what their bosses say, so try to assume the authoritative person’s identity and get an employee to make a bank transfer or change an invoice.
Whaling requires the hackers to do a lot of research. If they are going to pretend to be a trusted person demanding a drastic action, they need to know a few things in fine detail. Who are the organization’s employees, and what is their reporting hierarchy? What kind of style and dialect does the executive typically use when writing emails? Answering these questions can help the hacker reduce the recipient’s suspicions.
If whaling sounds difficult to pull off, that’s because it is. But it can happen anywhere, from social media companies getting their payroll data hacked to presidential campaigns giving total access to hackers.
Clone phishing is when a hacker creates a virtual replica of an email that a user has already received and replaces or adds links or attachments. These send users to malicious websites, or they are used to obtain usernames and passwords.
Because clone phishing involves virtually no impersonation, it is very difficult to detect and stop. How many employees will inspect the link destinations in an email that they have no reason not to trust?
Phishing Attachment Attacks
Many types of phishing scams today are inherently a form of social engineering, especially when they involve email. Getting an end-user who uses email over 100 times a day to trust a malicious message involves psychological deception. Email is a vital, private communication channel, and infiltrating it can take various forms of attack vectors.
51% of phishing attacks involve malware injections into a network. The purpose of malware is usually to hijack a computer, steal confidential data, launch a DDoS attack, or conduct fraud. What makes malware hard to discern is how many variations it comes in, and how quickly it can spread when one user clicks one malicious link.
Ransomware attacks are when the hacker locks down the user’s computer and refuses to allow access until a ransom is paid. In effect, it turns a user into a hostage. This would be bad enough if it affected just one user. The WannaCry ransomware attack in May 2017 affected 300,000 computers in 150 countries.
Spyware is a long-term attack that slowly affects the user as the hacker monitors the victim and allows for all sorts of other phishing attacks, like spying (hijacking webpages), adware (displaying malicious ads), and keystocks (taking snapshots of key credentials).
A virus is a stand-alone code that inserts itself into another stand alone-code and allows malware to proliferate.
Worms are like viruses, but they spread themselves to other computers.
A Trojan attack is a malware that creates a “backdrop” for a hacker to break into a computer and steal SSN and all sorts of other personal identity information (PII).
These attacks rely specifically on the altering of a legitimate domain or subdomain to make it appear trustworthy. They can involve the simple replacing of a letter with a number. Or they might add a word that seems like it belongs to the domain, and so won’t arouse suspicion, even though it’s bogus.
Another variant of this type involves the email sender’s name. The recipient will receive a message from a name they recognize, like their boss, even though the actual email address is fraudulent. There are two keys to making this attack successful. They first is that the recipient will check their email on their phone, where they will be less likely to see the email. The second is that the hacker will try to quickly build a level of trust that the recipient will likely accept, before doing something on behalf of their alleged boss.
In this type of attack, an individual is targeted based on their presumed familiarity with a brand. If you shop on Amazon or bank with Chase, a hacker may send you a phishing email on behalf of the company. Because you presumably view the brand with some level of credibility, the hacker immediately gains your attention and trust — so long as the email isn’t a hatchet job, with obviously fake logos, fonts, and over-the-top “asks.”
In a brand impersonation phishing attack, the email will usually contain some sort of explicit ask, but will couch it in familiar terms: email verification, password changes, and the like. The language could be hard — “we’ve experienced a breach, reset your password now” — or soft — “we are conducting standard email verification procedures” — but it will always be urgent and demand action, like clicking on a malicious link.
A cross-site scripting (XSS) phishing attack involves a few steps that include a high degree of social engineering — which makes it deeply dangerous. First the hacker identifies a legitimate website the user regularly visits. Then the hacker writes a script that changes the behavior of the URL when visited in a browser. In order to get that script onto the device, the hacker uses email.
Phishing in the Cloud
The cloud has been a boon for businesses. Its pay-for-what-you-use pricing model can reduce capital investment and drive revenue (Gartner). It can make business productivity agile, efficient, and easy to use, especially when employees are already familiar with Microsoft’s Office 365 and Google’s G Suite.
Unfortunately, the cloud exposes businesses to phishing scams. Using the cloud for email opens up new channels for exploits. For instance, Office 365 offers hackers a host of new tools to entrap end-users: fake meeting requests, fake notifications, fake content on shared file storage areas. These are especially dangerous methods because they evade firewalls and secure email gateways.
SalesPharce Invoice Attack
In this attack, hackers took control of an organization’s Salesforce account — the world’s most popular Customer Relationship Management software (CRM) — to coordinate an invoice phishing attack against the company’s partners and customers.
Once they were in, the hackers injected malicious code into the partner’s website to generate two public-facing URLs. Then they used an email tool to send the phishing messages to over one thousand employees. They asked for the employees to click on the links, which pointed to a page with malware.
MetaMorph HTML Obfuscation Attack
This phishing attack is part of a trend of attacks involving an attachment in an email message indicating a voicemail. When the victim receives the spoofed email and clicks on the attachment, they don’t know that the malicious link is hidden in the HTML with a <meta> tag. The link redirects them to a fake WordPress site where it asks for credentials in order to listen to the message — except the credentials go straight to the hacker.
Microsoft Office 365 SharePoint Scam
This represents an evolution in phishing, because hackers were able to completely bypass traditional security measures by inserting a malicious link into a file rather than an email.
But email is still at the heart of this attack. Users got the link to the malicious site through an email that seemingly gave them access to a shared document. The email was only scanned one level deep, so the bad link wasn’t detected — detecting it took an extra layer of security that scanned the email for over 300 indicators of suspicious activity.
Mailsploit is a unique attack that allows hackers to spoof two email addresses in the sender field. One gets presented to the end-user as a trusted sender. The other is to show the email server and the email security layers to pass all security checks in SPF, DKIM, or DMARC.
The main exploit the hackers take advantage of in this scheme is the fact that email security tools only scan the email body for malicious code. That’s because the header fields aren’t designed to contain non-ASCII characters. But in the Mailsploit attack, code can get into the email header through the "From" field, pass security unscanned, and reach the end-user.
NoRelationship Phishing Attack
In this new style of phishing attack, the attack email includes a .docx attachment with a malicious link that leads to a credential harvesting login page. If the email filer doesn’t scan the full document, instead relying on a relationship (xml.rels) file for the list of links included in the attachment, the malicious URL will go undetected.
baseStriker Attack in Office 365
This attack hinges on a malicious link. Ordinarily, it would be blocked by Microsoft. But it gets past their security filters by splitting the URL into two snippets of HTML: a base tag and a regular href tag.
At the time of the attack, the baseStriker attack was probably the largest in Office 365 email history, with 100 Million emails at risk. Microsoft patched it, but it still showed the creativity and innovation of hackers.
How to Prevent Phishing
There is no magic bullet when it comes to preventing phishing attacks. But there are measures that every enterprise should take.
Multi-Factor Authentication (MFA)
MFA is a good start to basic security. Unfortunately, MFA by email and SMS are not secure. Hackers can easily bypass them. Out-of-band (OOB) authentication — a phone call that asks the victim if they’re really trying to log onto their account — is the most secure. But, ultimately, spoofed login pages, impersonation, and embedded links to malware are immune to MFA.
By now, most people have too many accounts to remember a unique password for every one. But the only thing better than a unique password is a unique password that the user doesn’t know, that no one in fact knows, and that’s stored in an end-to-end encrypted box. This keeps them out of the hands of hackers phishing for them.
Secure Email Gateway
An upgraded secure email gateway is a good step toward preventing email impersonation, a Business Email Compromise attack, or really any type of phishing attack.
Phishing cannot ultimately succeed if it does not fool an actual person. As Gartner has recommended, employees should be integrated into anti-phishing solutions. By building an anti-phishing culture among all employees in an enterprise, individuals can be trained to detect suspicious messages and report them to their technology department.
Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to block phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite that also protects other collaboration tools like Slack. We’ve been recognized as the top-rated cloud email security solution, and can replace the need for multiple tools that surround email and file-sharing.