By Frederic Maussion, Senior Solution Architect at Vade Secure
According to Cofense, a successful phishing attack costs a mid-sized organization $1.6 million on average. Moreover, FBI data reveals that losses from spear phishing or business email compromise (BEC) attacks topped $675 million in 2017 in the US alone. These numbers show that just one errant click by an employee can have a significant financial impact on your organization—not to mention the reputational damage to your brand that comes with being the victim of a breach.
Phishing consistently ranks among the top cyberattack vectors because it’s a highly effective means of exploiting the weakest link in the cybersecurity chain: humans. To make matters worse, hackers have become much more sophisticated in their techniques, and no longer rely on typo-ridden spam emails and unclaimed inheritance scams. Phishing attacks are now highly targeted and dynamic, making them increasingly difficult for humans to detect.
This article outlines 10 common phishing techniques used by cybercriminals, so you know what to look for, and can avoid falling victim to these scams.
1. Mismatch between the brand and domain (or country)
Often, the domain in the URL does not match the brand represented on the page that the URL leads to. In a recent example detected by Vade Secure, the brand was listed as “Forever Jewellery” (hint: it’s also spelled incorrectly), but the link directed the user to a PayPal login page. One way to spot a mismatch is to hover over the link in the email and compare the domain shown with the brand the message claims to come from. If the two don’t match, you’re likely being scammed.
Mismatching can also occur between the brand and the country-code domain extension. For instance, a user might receive an email from Citizens Bank with a link to a page on a Russian (.ru) domain. Since Citizens Bank is an American financial institution, the .RU extension is a clear sign that the page is not valid.
2. Cousin domains
Cousin domains can be used to spoof both the sender and the URL. With this technique, hackers add or remove letters, or use alternate spellings of a domain name, so that it looks deceptively similar to the real thing. Here’s an example of a real address versus a spoofed address:
Real address: asmith(at)businessservices.com
Spoofed address: asmith(at)businesservices.com
Can you spot the difference? Since users tend to read domain names quickly, it’s hard to tell that an ‘s’ was removed in the spoofed address.
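One way to catch a cousin domain before a human has to read it, as an added example that is not part of the original article: compare the sender’s domain against an allowlist of domains the organization actually deals with and flag anything within a couple of character edits of one. The allowlist and the `max_edits` threshold are assumptions.

```python
# Added example (not from the article): flag a sender domain that is only a few
# edits away from a domain the organization trusts, as in the pair above.

# Assumed allowlist of domains the organization actually corresponds with.
TRUSTED_DOMAINS = ["businessservices.com", "paypal.com", "citizensbank.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    # The article writes addresses as user(at)domain; accept both "(at)" and "@".
    return address.replace("(at)", "@").rsplit("@", 1)[-1].strip().lower()


def cousin_of(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain this address imitates, or None if it is genuine or unrelated."""
    domain = sender_domain(address)
    if domain in trusted:
        return None  # exact match: a genuine sender
    for good in trusted:
        if edit_distance(domain, good) <= max_edits:
            return good  # a cousin: within max_edits of a trusted domain
    return None


if __name__ == "__main__":
    for addr in ["asmith(at)businessservices.com", "asmith(at)businesservices.com"]:
        print(addr, "->", cousin_of(addr))
```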
3. Topical and contextual attacks
Hackers love to take advantage of current events and other topical and contextual elements to launch phishing attacks. A recent example of this is the Airbnb phishing attack, which took advantage of brands sending GDPR notices to consumers. Other common examples include IRS scams around tax season, or emails offering fake discounts from retailers during the holidays.
4. Display name spoofing
With display name spoofing, hackers change the visual display name of the “header from” line within the message. This tricks people into thinking the email is from a legitimate sender. For example, hackers could change the “from” in the email to “IRS” using any random email address underneath.
Since the full email address isn’t immediately visible—it takes several clicks or taps to reveal it—there’s no way to tell just by looking at the sender name whether the email is a scam.
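A mail filter can do the comparison the user cannot: parse the From header, and if the display name claims a brand while the address domain is not one that brand sends from, flag it. This added example (not from the article) covers both the display-name spoof described here and the brand/country mismatch from technique 1; the brand-to-domain mapping and the sample headers are constructed assumptions.

```python
# Added example (not from the article): flag a From header whose display name
# claims a brand but whose address domain is not one that brand sends from.
import re
from email.utils import parseaddr

# Assumed mapping of brand keywords to the domains the brand legitimately uses.
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "paypal": {"paypal.com"},
    "citizens bank": {"citizensbank.com"},
}


def check_from_header(from_header: str):
    """Return (display_name, domain, impersonated_brand); the last is None if nothing is off."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claimed = name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        # Whole-word match so that e.g. "First Bank" does not trip the "irs" rule.
        if not re.search(r"\b" + re.escape(brand) + r"\b", claimed):
            continue
        # The brand's own domain, or a subdomain of it, is fine; anything else is spoofing.
        if not any(domain == d or domain.endswith("." + d) for d in domains):
            return name, domain, brand
    return name, domain, None


# Constructed sample headers: a genuine one, a display-name spoof, and the
# brand/country mismatch from technique 1.
SAMPLE_HEADERS = [
    "IRS <noreply@irs.gov>",
    '"IRS Refund Dept" <random123@mail-example.net>',
    "Citizens Bank <alerts@login-example.ru>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_from_header(header))
```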
5. Strange and/or complicated URLs
With this technique, hackers create a URL that looks long and complex and incorporates several well-known domains. Here is an example from a global phishing attack detected by Vade Secure that incorporates domains from Amazon Web Services and Walmart:
The dead giveaway that this link is invalid is that both “http” and “.com” appear twice in it.
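Those tells can be checked mechanically. The following added example (not from the article, and not a reproduction of the attack URL above) splits a URL into host and path and reports a second scheme after the host, a watched brand sitting anywhere other than the registrable domain, and repeated “.com”; the brand list and sample URL are constructed.

```python
# Added example (not from the article): surface the tells of a long, composite
# phishing URL such as a second "http" after the host or a known brand's domain
# sitting somewhere other than the registrable domain.
from urllib.parse import urlsplit

# Assumed list of brand domains worth watching for inside other people's URLs.
KNOWN_BRANDS = ["amazonaws.com", "walmart.com", "paypal.com"]


def registered_domain(host: str) -> str:
    # Simplification: last two labels only; a real filter would use a public-suffix list.
    return ".".join(host.split(".")[-2:])


def url_red_flags(url: str) -> list:
    """Return human-readable reasons the URL looks suspicious (empty list if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tail = (parts.path + "?" + parts.query + "#" + parts.fragment).lower()
    owner = registered_domain(host)
    flags = []
    if "http://" in tail or "https://" in tail:
        flags.append("a second scheme appears after the host")
    for brand in KNOWN_BRANDS:
        if brand in host and owner != brand:
            flags.append(f"{brand} appears in a host owned by {owner}")
        if brand in tail:
            flags.append(f"{brand} appears in the path, not the host")
    if url.lower().count(".com") > 1:
        flags.append("'.com' appears more than once")
    return flags


# Constructed sample: a fake login URL padded with two brands and a second "http".
SAMPLE_URL = "http://amazonaws.com.walmart.com.login-example.net/http://www.walmart.com/account"

if __name__ == "__main__":
    for reason in url_red_flags(SAMPLE_URL):
        print("-", reason)
    print("genuine:", url_red_flags("https://www.walmart.com/account"))
```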
6. Homoglyph attacks
With homoglyph attacks, hackers leverage the similarities between character scripts to create phony domains that lure users into visiting malicious phishing pages. For example, they might replace the Latin small letter “o” with Cyrillic symbols (e.g. facebοοk.com versus facebook.com). It’s virtually impossible to spot the difference by eye; use Ctrl + F and search for two o’s to see which is real.
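The Ctrl + F trick generalizes: a filter can ask which Unicode scripts a domain contains and show the punycode form the resolver actually uses, where any “xn--” label reveals that non-ASCII was present. Added example, not from the article; the sample domains are constructed, with the Cyrillic letter written as an explicit escape so the substitution is visible in the source.

```python
# Added example (not from the article): report whether a domain mixes scripts
# (e.g. Cyrillic letters among Latin ones) and show the ASCII form the resolver sees.
import unicodedata


def script_of(ch: str) -> str:
    """First word of the Unicode name ('LATIN', 'CYRILLIC', ...); '.', '-' and digits are common."""
    if ch in ".-" or ch.isdigit():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def homoglyph_report(domain: str) -> dict:
    """Describe the scripts in a domain and its punycode (IDNA) encoding."""
    folded = unicodedata.normalize("NFKC", domain).lower()  # fold fullwidth and similar forms
    scripts = {script_of(c) for c in folded} - {"COMMON"}
    return {
        "mixed_script": len(scripts) > 1,
        "scripts": sorted(scripts),
        "is_ascii": folded.isascii(),
        # Browsers and resolvers use this form; an "xn--" label means non-ASCII was present.
        "punycode": folded.encode("idna").decode("ascii"),
    }


# Constructed samples: the genuine name and one with both o's swapped for Cyrillic о (U+043E).
SAMPLES = ["facebook.com", "faceb\u043e\u043ek.com"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, homoglyph_report(d))
```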
7. Emails demanding urgent action
To create urgency, hackers create an artificial time constraint, demanding that users complete the action during a specified period of time. For example, an email might say “Your account has been locked. Please reset your account within 24 hours.” This technique is used to instill fear in users, which is why they often fall for it.
8. Emails coming from someone with authority
Let’s face it: we’re more inclined to respond to people of authority. That’s why hackers will pretend to be the user’s boss, instructing them to complete some type of financial transaction. Or they’ll pose as Facebook’s security team. To avoid falling victim to this technique, employees can confirm with their boss in person or via phone before taking any next steps.
9. The use of URL shorteners
It’s easy to review a full URL to check whether it’s legitimate, but URL shorteners mask the link’s true destination. This technique does not always indicate phishing, since many brands use honest shortened links in their marketing communications, but it is one common method utilized by hackers. When in doubt, check a phishing URL detection tool, such as IsItPhishing.AI, to see whether a link, including a shortened one, is legitimate.
10. A phishing link in a clean attachment
Knowing that many email security tools scan links within messages to determine if they’re malicious, hackers often embed phishing links within clean attachments. Because there’s no malware in the attachment, the message won’t trigger sandboxing technologies; and because there’s no link to scan in the content of the email, it will bypass traditional filters.
Hackers have become so sophisticated, they’re even capable of creating attacks that users cannot detect, including:
- The use of multiple redirections or dynamic redirections that take users down a different path to the destination page each time they click.
- Mobile-specific attacks that display malicious content only when the page is accessed from a mobile device.
- Geo-specific attacks where the malicious content is displayed only when accessed from the target location. Accessing the page from other locations might lead to a blank or valid page.
- Attacks that detect when the page is being opened by an automated engine and only display malicious content when opened by humans.
Don’t think hackers are just limited to these techniques: they are becoming even smarter with each passing day, meaning they’re increasingly capable of fooling most recipients into clicking. A good security strategy relies on end user training and vigilance, combined with predictive email defense technologies, to keep individuals and businesses safe and secure. The organizations that augment human intelligence with artificial intelligence will be the ones least likely to fall victim to these attacks.
To learn more about common phishing techniques and Vade Secure, attend my session “How do they break through fingerprint and reputation? Let’s see a real life phishing attack” at the OX Summit 2018 in Rome.