Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, to launch fraudulent transactions, or to trick someone into downloading malware. In early 2016, 93 percent of phishing emails delivered ransomware, according to statistics from PhishMe.
Enterprises regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them. One reason for this is the fact that these attacks can take many forms. “Phishing attacks come in all shapes and sizes, targeting specific individuals within an organization who have access to sensitive data,” says Area 1 Security’s Shalabh Mohan.
Users tend to be bad at recognizing scams. According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90 percent chance that one person will fall for it. This seems absurd at first, but it is reasonable when considered in the context of users outside the tech bubble, such as those in manufacturing and education. Add in the fact that not all phishing scams work the same way — some are generic email blasts while others are carefully crafted to target a very specific type of person — and it gets harder to train users to know when a message seems a little hinky.
Let’s look at the different types of phishing attacks and how to recognize them.
What is phishing? Mass-market emails
The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient in doing something, usually logging into a website or downloading malware. Attacks frequently rely on email spoofing, where the email header — the from field — is forged to make the message appear as if it was sent by a trusted sender.
However, phishing attacks don’t always look like a UPS delivery notification email, a warning message from PayPal about passwords expiring, or an Office 365 email about storage quotas. Some attacks are crafted to specifically target organizations and individuals, and others rely on methods other than email.
What is spear phishing? Going after specific targets
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations. Instead of trying to get banking credentials for 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses. A nation-state attacker may target an employee working for another government agency, or a government official, to steal state secrets.
Spear phishing attacks are extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a conference the recipient may have just attended or sending a malicious attachment where the filename references a topic the recipient is interested in.
In a recent phishing campaign, Group 74 (a.k.a. Sofact, APT28, Fancy Bear) targeted cybersecurity professionals with an email pretending to be related to the Cyber Conflict U.S. conference, an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. While CyCon is a real conference, the attachment was actually a document containing a malicious Visual Basic for Applications (VBA) macro that would download and execute reconnaissance malware called Seduploader.
What is whaling? Going after the big one
Different victims, different paydays. A phishing attack specifically targeting the enterprise’s top executives is called whaling, as the victim is considered to be high-value, and the stolen information will be more valuable than what a regular employee may offer. The account credentials belonging to a CEO will open more doors than an entry-level employee. The goal is to steal data, employee information, and cash.
Whaling also requires additional research because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. Examples include references to customer complaints, legal subpoenas, or even a problem in the executive suite. Attackers typically start with social engineering to gather information about the victim and the company before crafting the phishing message that will be used in the whaling attack.
What is business email compromise (BEC)? Pretending to be the CEO
Aside from mass-distributed general phishing campaigns, criminals target key individuals in finance and accounting departments via business-email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack. The attacker lurks and monitors the executive’s email activity for a period of time to learn about processes and procedures within the company. The actual attack takes the form of a false email that looks like it has come from the compromised executive’s account being sent to someone who is a regular recipient. The email appears to be important and urgent, and it requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
According to the FBI’s Internet Crime Complaint Center, BEC scams have generated more than $4.5 billion in actual and attempted losses, and they are a massive global problem.
What is clone phishing? Copies are just as effective
Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim was receiving the “same” message again.
This attack is based on a previously seen, legitimate message, making it more likely that users will fall for the attack. An attacker who has already infected one user may use this technique against another person who also received the message that is being cloned. In another variation, the attacker may create a cloned website with a spoofed domain to trick the victim.
What is vishing? Phishing over the phone
Vishing stands for “voice phishing” and it entails the use of the phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. For instance, the message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes. However, the phone number rings straight to the attacker via a voice-over-IP service.
Recently, criminals have started calling victims pretending to be Apple tech support and providing users with a number to call to resolve the “security problem.” Like the old Windows tech support scam, these scams take advantage of user fears of their devices getting hacked.
What is snowshoeing? Spreading poisonous messages
Snowshoeing, or “hit-and-run” spam, requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation- or volume-based spam filtering technologies can’t recognize and block malicious messages right away. Some of the messages make it to the email inboxes before the filters learn to block them.
Hailstorm campaigns work the same as snowshoe, except the messages are sent out over an extremely short time span. Some hailstorm attacks end just as the anti-spam tools catch on and update the filters to block future messages, but the attackers have already moved on to the next campaign.
Learn to recognize different types of phishing
Users aren’t good at understanding the impact of falling for a phishing attack. A reasonably savvy user may be able to assess the risk of clicking on a link in an email, as that could result in a malware download or follow-up scam messages asking for money. However, a naive user may think nothing would happen, or wind up with spam advertisements and pop-ups. Only the most-savvy users can estimate the potential damage from credential theft and account compromise. This risk assessment gap makes it harder for users to grasp the seriousness of recognizing malicious messages. “Despite continued investment, phishing emails continue to bypass perimeter technologies to reach employees’ inboxes every day,” said Rohyt Belani, co-founder and CEO of PhishMe.
Organizations need to consider existing internal awareness campaigns and make sure employees are given the tools to recognize different types of attacks. Organizations also need to beef up security defenses, because some of the traditional email security tools — such as spam filters — are not enough defense against some phishing types. For example, spam filters are not useful against BEC attacks.