What is phishing?
Phishing is a type of cyberattack where attackers attempt to deceive individuals into providing sensitive information, such as usernames, passwords, credit card numbers, or other personal data.
In some cases, they also attempt to make their targets open and execute attachments containing malware.
These attacks often involve masquerading as a trustworthy entity or person in electronic communications.
History and evolution
Phishing evolves just like email marketing: at first, undifferentiated emails were sent in bulk to lists of addresses. Then personalization and segmentation came in, and now we’re entering the generative AI era, with a more conversational, multi-stage approach.
Let’s look at the evolution of phishing.
Phishing started in the 1990s with the rise of the Internet. It was usually simple scams tricking people into revealing personal information.
The 2000s saw a more widespread adoption of emails and with it, an increase of email-based phishing attacks.
In the 2010s, phishing techniques evolved with more targeted attacks (spear phishing), on high value targets (whaling) and using different vectors such as SMS (smishing).
At the moment, we’re seeing an evolution with an increased usage of generative AI in attacks.
Types, techniques and tactics used in phishing
Because “phishing” is used very broadly, we’ll talk about different types of phishing attacks.
Email Phishing
“Phishing” is usually used to describe email phishing: sending fraudulent emails that appear to come from legitimate sources, such as banks, social media platforms, or trusted companies.
It uses:
- Links or attachments: designed to compromise the target by stealing information or gaining access to their computer.
- Social engineering tactics: designed to create a reaction and deceive the target.
Spear Phishing
Spear phishing is a targeted phishing attack aimed at a specific individual or organization. The attacker customizes the email content based on information they have gathered about the target.
It uses:
- Personalization: The email often includes the recipient's name, position, and other personal details to make it more convincing.
- Research: Attackers research their targets to craft a more believable message.
- Attachments and Links: Similar to email phishing, these emails may contain malicious attachments or links.
- Social engineering: the same pressure and deception tactics as regular phishing.
Whaling
Whaling is a type of spear phishing that targets high-profile individuals within an organization, such as executives or senior management.
It uses most of the spear phishing tactics but usually also adds impersonation to the mix, so that the message seems to come from a person of authority who already has a relationship with the target.
Smishing
Smishing involves sending fraudulent SMS (text) messages to trick recipients into providing personal information or downloading malware.
Vishing
Vishing (voice phishing) involves making phone calls to deceive individuals into revealing sensitive information.
Pharming
Pharming is closely related to phishing but is quite different from the previous types of attacks.
Pharming redirects users from legitimate websites to fraudulent ones without their knowledge. This is often done by exploiting vulnerabilities in DNS (Domain Name System) servers.
Recognizing phishing attacks
Recognizing phishing attacks involves being aware of the various signs that typically indicate fraudulent activity. Here are some common indicators to look out for.
Suspicious Sender Addresses
There are two types of suspicious sender addresses. Misspelled or slightly altered domains are the most suspicious, as they are often used to impersonate people or brands. You should also be wary of generic email addresses from Gmail, Yahoo or Outlook, especially when the address does not match who the sender claims to be.
Generic Greetings and Messages
Mass-phishing often uses vague language and lacks personalization.
Spelling and Grammar Errors
While attackers can use generative AI and spelling correctors, we still find phishing emails with spelling and grammatical errors, often because the attacker is not a native speaker of your language.
Pressure mechanisms: Urgency and Threats
Phishing relies on pressure mechanisms to create a quick emotional reaction and deceive people. Train yourself to detect this feeling and see it as a warning sign.
Unexpected Attachments or Links
Emails with unexpected attachments or links are potential phishing emails; treat them carefully.
Mismatch Between Display Name and Email Address
If the display name appears legitimate but the actual email address does not match the claimed sender, this is an impersonation attempt and a big red flag.
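The indicators listed above can be turned into simple detection logic. The following script is an added example, not part of the original article: it parses raw email headers and flags the signals this section describes (lookalike or freemail sender domain, display name that does not match the address, mismatched Reply-To, pressure language, generic greeting). The two messages, the trusted-domain list and the keyword lists are constructed for the example; the lookalike check uses a plain edit-distance heuristic, which is an assumption of this example rather than a production technique.

```python
"""Heuristic phishing-indicator checker over raw RFC 5322 headers (added example)."""
from __future__ import annotations
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; neither is a real email.
PHISH = """\
From: "PayPal Support" <security@paypa1.com>
Reply-To: recover@gmail.com
To: someone@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/plain

Dear Customer,
Click the link below immediately to restore access.
"""

LEGIT = """\
From: "Alice Martin" <alice.martin@example.org>
To: bob@example.org
Subject: Notes from Tuesday's meeting
Content-Type: text/plain

Hi Bob,
Attached are the notes we discussed. No rush.
"""

# Assumed organisational allow-list and keyword lists (constructed for the example).
TRUSTED_DOMAINS = {"paypal.com", "example.org"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
PRESSURE = ("urgent", "immediately", "suspended", "within 24 hours", "final notice")
GENERIC = ("dear customer", "dear user", "dear account holder")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually 1-2 edits from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, trusted: set[str]) -> bool:
    """Flag domains that are close to, but not equal to, a trusted domain."""
    if domain in trusted:
        return False
    for t in trusted:
        brand = t.split(".")[0]
        if edit_distance(domain, t) <= 2 or brand in domain:
            return True
    return False


def display_name_mismatch(name: str, domain: str, trusted: set[str]) -> bool:
    """Display name claims a trusted brand (or embeds an address) the real domain does not match."""
    name_l = name.lower()
    for t in trusted:
        if t.split(".")[0] in name_l and domain != t:
            return True
    return "@" in name_l and domain_of(name_l) != domain


def analyze(raw: str, trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Return the list of indicator names triggered by one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    flags: list[str] = []
    if display_name_mismatch(name, domain, trusted):
        flags.append("display_name_mismatch")
    if lookalike(domain, trusted):
        flags.append("lookalike_domain")
    if domain in FREEMAIL:
        flags.append("freemail_sender")
    reply_to = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to and reply_to != domain:
        flags.append("reply_to_mismatch")
    if any(word in text for word in PRESSURE):
        flags.append("pressure_language")
    if any(body.lower().lstrip().startswith(g) for g in GENERIC):
        flags.append("generic_greeting")
    return flags


if __name__ == "__main__":
    print("phish:", analyze(PHISH))
    print("legit:", analyze(LEGIT))
```

Each indicator on its own is a hint, not proof; a mail gateway would score them together and route high-scoring messages to quarantine or to the reporting workflow rather than blocking on any single flag.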
Prevention and Protection
Phishing prevention and protection is a combination of human training and technological measures that reduce exposure and the number of threats that actually reach their targets.
Awareness Training
Employees should be trained to detect and report phishing attempts.
Effective training should consist of theoretical knowledge and practical training, using phishing simulations.
Because phishing, like all social engineering attacks, relies on deception and creating emotional reactions, it’s important to adopt a learn-by-doing approach to create new behavior, rather than focusing solely on knowledge acquisition.
Training should focus on:
- Detection reflexes and heuristics: be wary when emails use pressure mechanisms to create a reaction
- Reporting procedure to alert relevant parties to potential threats
Technological measures
A combination of tools and configurations should help reduce the amount of phishing that reaches employees directly.
Amongst them:
- Secure Email Gateways should help filter and prevent phishing emails from being delivered
- Multi-Factor Authentication should make phishing-based credential harvesting attacks harder, especially if the authentication factor is based on FIDO2 or similar phishing-resistant protocols
- Email Authentication Protocols like SPF, DKIM and DMARC also help prevent phishing attacks
- Deploy Security Awareness Training platforms with strong automation capabilities to provide relevant training on autopilot
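To show how SPF, DKIM and DMARC work together against sender spoofing, here is an added example that is not part of the original article: it parses a DMARC TXT record, applies DMARC identifier alignment (the authenticated SPF or DKIM domain must match the visible From domain, strictly or at the organisational-domain level, per RFC 7489), and returns the disposition the receiver should apply. It also lists weak settings in a record. The record strings, domains and authentication results are constructed inputs, and the organisational-domain function is a deliberate simplification (the last two labels) where real implementations consult the Public Suffix List.

```python
"""DMARC record parsing, alignment and disposition (added example)."""
from __future__ import annotations

# Constructed records: a weak one that only monitors, and a hardened one.
WEAK = "v=DMARC1; p=none"
STRONG = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"


def parse_dmarc(txt: str) -> dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels (assumption; real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str, record: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the domain SPF authenticated (the envelope sender), dkim_domain the
    d= tag of a verified signature. DMARC passes if either mechanism passes AND aligns.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


def weaknesses(record: str) -> list[str]:
    """Flag settings that leave a domain spoofable or leave the owner blind."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("p", "none") == "none":
        issues.append("p=none: unauthenticated mail is still delivered, only reported")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the traffic")
    if "rua" not in tags:
        issues.append("no rua tag: no aggregate reports, so spoofing goes unnoticed")
    return issues


if __name__ == "__main__":
    # A spoofed message: From example.org, but SPF only passes for the attacker's own domain.
    print(evaluate("example.org", "pass", "evil.test", "none", "", STRONG))   # ('fail', 'reject')
    print(evaluate("example.org", "pass", "evil.test", "none", "", WEAK))     # ('fail', 'none')
    print(weaknesses(WEAK))
```

The two runs on the spoofed message show why `p=none` does not protect anyone: the record is the same minus the policy, yet the receiver is told to deliver the forgery. Moving to `p=quarantine` and then `p=reject` once the aggregate reports show every legitimate sender is authenticated is the usual path.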
Responding to phishing attacks
If you think you received a phishing email, here are steps to follow. You can also share this process with your employees, if you don’t already have a process in place.
- Do not interact with the phishing email: do not answer, click links or execute attachments
- Report the phishing attempt to the relevant parties, using a report button if applicable
- If you’ve interacted with the phishing email and its content, explain what you’ve done to the relevant parties so they can trace and remediate any leak or vulnerability introduced
Future Trends and Challenges
Phishing keeps evolving. From criminals getting more and more specialized to new technologies and developments, let’s have a quick look at the future of phishing.
Conversational phishing
More and more phishing attacks are now based on conversations, building rapport and sender reputation first, rather than being a one-way email with links or attachments, which are obvious red flags.
With the proliferation of generative AI, these attacks can now scale and will continue to evolve.
Deep fakes
With the recent improvements in synthetic media generation, deep fakes can be used to reinforce impersonation attempts in phishing operations.
Detection is harder with these technologies and the likelihood of success for the attacker is greater.
Emerging communication platforms
New communication platforms give attackers new ways to connect with their victims.
New social media platforms, ticketing and support systems, etc. bring new opportunities to deliver malicious content and attack attempts.
One common trait
One interesting thing to note is that despite a lot of developments on the technological side, the key social engineering techniques are still the same, no matter the attack vector.
This is why proper awareness training, based on behavior training, still represents a very adaptable and cost-efficient defense.