In the late 1980s, an email cybercrime technique was first given the name phishing. Since then, phishing has grown into various mixed and matched tactics, many bleeding beyond just one type of method or messaging platform. In addition, a Phish is often not a single event, but a chain of events progressing toward the multifaceted goal of the cyber-criminal. I am not trying to make it complicated; it already is.
Today, people often associate phishing with email cyber-attacks where it was initially identified. However, phishing is a social engineering attack designed to steal sensitive information or user data. It occurs when an attacker masquerades as a trusted entity, tricking a victim into acting against their interest. The action could include; responding to what they believe is a request from a friend, their boss, accounting department, bank, or another call to action; clicking a link, or downloading an attachment.
So, is phishing done only through email?In a word – no. Phishing, while most often conducted across email, exists in all public messaging; email, phone calls or texts, instant messaging, social media, web searches and more.
As technology has evolved, so have cybercriminals. Today they use phishing in so many ways. It’s challenging to list all the ways they might morph in their attacks, as they continue to find new and novel ways to use our many communications channels to exploit us.
Phishing is alive
Even four years ago, in 2017, phishing was already identified in 90% of security incidents, and it hasn’t gotten much better in recent years. Phishing is still alive and well in 2021, even if your email or web connection is secured. That is because phishing is a social engineering attack, and as such, shape-shifting phishers are always on the hunt for a new angle.
Being able to avoid phishing attempts consistently is a critical component of strong cybersecurity. Let’s look at a few types of communications channels, from phishing emails to text, voice, social media, and a few other attack vectors.
If phishing isn’t done solely through email, how else is it done?
While email still delivers most unpersonalised non-target phishing messages, also known as bulk phishing or spam, this simply serves as a jumping-off point to perform other exploits.
Remember, a sender who may appear solely to send emails may be doing what is called snowshoeing, only to learn if someone responds at an email account by taking some sort of action, like opening an email, clicking on a link in email or SMS, or answering a phone; which tells them they have a “live mark.”
Follow-on attacks to the first action by the recipient will include an attempt to steal sensitive information, the installation of malware, or the spear-phishing of the same person or other people within the target’s organization. But don’t believe the victims actions are all bad, because the cybercriminals take tiny steps, each appearing innocuous to reach their end goal of an exploit.
Text Message Phishing
Text message phishing is another communications channel used for phishing attempts. This type of phishing is also known as “smishing,” and it is like email phishing. It is sent via SMS / text messages for the phishing message designed to deceive victims.
Remember, the goal of any phishing scam, regardless of its communications channel(s), is to trick the victim into believing they are interacting with a trusted person or organization they know.
In smishing, confidence is built by delivering fake account service notices, prize notifications, and political messages in as few words as possible. The call to action is usually straightforward, and includes updating your account details, changing passwords, account compromises, prize claims, or politician donations.
In a smish message, all the cybercriminal is trying to do is get the target victim to click a link, call a phone number or contact an email address.
To make things even more complicated, often short URLs are used, making it challenging identifying if the sender is legitimate or not. If the attempt uses a fake website, the cyber attacker may download malware on your mobile device. If a web page is served up, the victim is asked to provide their personal information, update account details, and change passwords or PINs.
Smishing, like so many other phishing techniques, capitalizes on the public’s lower awareness of phishing methods. Smishes violate the inherent trust many people have when a specific entity, like their own bank’s brand, an entity they trust, is used in SMS to gain more information.
It’s simple, consider the text as a channel only used when you drive a request directly, or directly relates to something you expect. Report anything in the text that you did not first initiate or is unrelated to any business you do business with. If something does not add up, do not click on a link in a text message or call back a phone number. If you need to follow up on a strange text, use a second separate communications channel, like a phone number you know and trust outside the text, and call and ask directly.
Voice phishing, also known as vishing, is a phishing attempt delivered through a phone call. Vishing calls often originate from a spoofed or faked phone number made to appear like a legitimate company being impersonated. So just because it looks like your bank, do not trust the caller, let it go to voicemail. If it is important, they will leave a message.
Voice phishing capitalizes on the public’s lower awareness of phishing techniques and the inherent trust many people have in voice calls from a caller they think they know. Criminals robodial enormous numbers of telephone numbers and play a recording purporting to be from tech support, a government agency, or their financial institution.
The phishing scam often involves false claims of fraudulent activity on the victim’s accounts, power, bank, credit card, etc. Then, during a vishing call, the target victim is told to hold a moment while the system connects them to a live operator, a computer, or call back another number. The target victim reacts by waiting to talk to the fake customer service, input their sensitive data into the phony computer system.
DO NOT pick up the phone; if you receive a call from an unidentified caller, let the call go to voicemail. If it is important, the caller will leave a message. Even if you recognize the caller, you might want it to go to voicemail, as phishers spoof phone numbers from organizations and people you know. Never forget, social engineering is a confidence game in which criminals use the information they already know about you, like your bank’s domain or look-alike, or a phone number they gained from a previous exploit, to get you to feel comfortable enough to give them more sensitive data or personal information.
Social Media Phishing
Usually, a social media phishing attack occurs when the criminal posts something on friends’ or colleagues’ pages, trolling for one of their friends who can’t resist clicking on the link. Criminals sometimes assume the identity of a company’s customer service rep in social media when the company lets its social media page languish; the criminal simply jumps in and responds to post the company otherwise ignores. This type of attack, acting as a company rep, is called Angler Phishing. But, this is only one example of many. Phishers pivot constantly, and the way they exploit unsuspecting consumers is dizzying, all to get more information, ultimately for gaining access to the consumer’s personal information.
What Social Media Phishing does is leverage the inherent trust the public has with their circle of friends, and their confidence in companies they connect with across social media. The same happens with industry groups or other social group sites. This similar social group phishing is called a wateringhole attack, and can be far more dangerous since often it takes advantage of the familiarity of business associates with each other.
Other Types of Phishing
Search engine phishing and malvertising
While the core of this article is about phishing communications outreach or push communications, like email, be aware that other types of lures that aren’t pushing communications in the pump cycle also exist. For example, search engine phishing also exists. This type of phishing occurs when web search engines are fed to return results that entice someone to visit a website. While the search engine may be well-intentioned, the website result produced when clicking on its link is fake and only exists to steal the person’s personal information or gain access to a credit card account. Phish sites often show up in trending searches during significant news events like sporting events, politics, wildfires, earthquakes, or other natural disasters. The same is valid with malvertising, which is also a form of phish, and appears in search, rouge news sites, or social media, using online advertisements and pop-ups to lure in “marks” and hide malware behind their links.
Google has shown incredible leadership among the security community in its safe browsing initiative, used by Google Chrome, Safari, Firefox, Vivaldi, and GNOME. This has gone a long way toward addressing phishing, as has the Microsoft Edge browser with its own similar efforts.
Regardless of that work, remember, some fake/fraud sites still leak through, especially with trending news events, and are challenging to catch. Just be aware, every time there is a hurricane or other natural disaster, these scams reappear with a different face, attempting to fraud.
Hijacking legitimate web traffic
The hijacking of legitimate websites and web traffic is also used in phishing, and may not involve email or any other communications channel. These hacks use search engines, malvertising, or watering hole attacks and pages which are hijacked on a legitimate website, the cybercriminal simply inserts code, which redirects visitors to a cloned malicious website using cross-site scripting (XSS). XXS accounted for almost 40 percent of all cyberattacks, so it is not that unusual.
Content injection is another type of attack, where cybercriminals hack a legitimate business’s website and insert code. These types of attacks, called SQL injection, cause sensitive information and personal data, like usernames and passwords, contact information, credit cards, etc., to be altered, stolen, or destroyed. A cross-site request forgery (CSRF), similar, and allows the criminal to do things like making unwanted purchases on behalf of users. Even more, session hijacking (known as cookie hijacking) allows cybercriminals to gain unauthorized access to information or services, and DNS poisoning or Pharming reroutes legitimate traffic without the web user’s knowledge.
Man-in-the-middle (MITM) attacks are eavesdropping monitoring of correspondence between two unsuspecting parties or injecting malware into your computer and network. For example, the “Evil Twin” is where Cyber Criminals carry out Wi-Fi attacks, creating spoofed public Wi-Fi networks at coffee shops, airports, hospitals, shopping malls, public parks, and other public locations. Victims are “phished” to unknowingly log into the wrong Wi-Fi hotspot. Once joined, without a VPN, the man in the middle can phish for information or push malware onto devices.
Staying safe online
Phishing attempts were once characterized as messages that contained misspellings and poor grammar, but cybercriminals have become more refined and cleaned up their act and how and when they target our base instincts. Additionally, phishing plays to a tense social and political climate during the phish pump cycle to evoke a response using various communications channels and tools beyond legitimate email.
So, while improved anti-phishing technology is constantly changing, cybercriminals seek new ways to outsmart even the most sophisticated technologies and channels.
Because phishing attacks come in many forms, differentiating one from a valid email, voice mail, text message, or information request can be problematic.
Here are three basic things that security in any organization should do to actively keep it safe:
- Technically filter all communications channels.
- Monitor all organizational communications channels
- Train and simulate events with all employees, regularly
Likewise, employees need never forget that all it takes to install malware and ransomware on a computer or company network is to click a link or an email attachment disguised as funny cat videos, eBooks, PDFs, or animated GIFs.
Also, all sensitive information and personal information is “gold” that cybercriminals seek to steal. Any information gives them the ability to start their exploit, even just the full name of someone tied to an email address or phone number. A bank account or other account numbers, like credit card numbers, are even better.
So, technology aside, the most effective anti-phishing protection remains employee and user education, encouraging and enforcing best practices, helping them stay ahead of the game and safe across all communications channels. For more information about how to keep your organization safe read our Business Guide to Phishing article or contact us through our contact form.