Imagine you receive an email from FedEx with the subject line: You Missed a Delivery. Because you had, in fact, recently placed an order online and are expecting a delivery, you immediately open the email and follow the link to track your package.
Everything about the email looks exactly as you’d expect it to; you recognize the sender as FedEx, the FedEx logo appears in the signature, the email itself is addressed to you, and it seems to contain information related specifically to you and your delivery.
But, after following the link, your computer begins to slow and, behind the scenes, malware is consuming large chunks of your computer’s information, including personal data like saved credit card information and contact lists.
What happened? You’ve fallen victim to one of the oldest and most prevalent cyber attacks in the book…phishing.
Phishing is a fraudulent attempt to extract money, obtain sensitive information such as phone numbers, login credentials, or credit card details, or install malware by pretending to be an entity that is trusted by the target. Occurring predominantly via email or text messaging, phishing is typically bulk in nature and not personalized for an individual target.
Although the technique was first described in a paper by HP back in 1987, the term “phishing” was actually coined in the mid-90s in a Usenet group for AOL by the well-known hacker Khan C Smith. Shortly thereafter, the term appeared for the first time in the AOHell hacking tool, which was used to generate and send fraudulent spam “from” AOL’s customer service team to users, tricking them into revealing passwords, birthdates, social security numbers, and more.
While there are dozens of different “types” of phishing schemes that rely on different methods of obtaining data, the following criterion helps define this type of cyber attack.
While it’s been over two decades since the first phishing attack, and most of us today are attuned to what less sophisticated impersonations look like – for example, fake Nigerian princes asking targets for bank details in return for a share of their fortune – the threat is evolving and the stakes are higher than ever.
Amazon, Apple, Booking.com, PayPal, Target, and Qatar Airways have all made headlines in the last several years because of successful phishing campaigns in which attackers impersonated their brands and targeted their customers. While it’s difficult to quantify the total cost to individuals and the reputational damage inflicted on the spoofed brands, these scams negatively impacted tens of millions of people.
The fact is, we’re spending more time online creating and sharing more data than ever before; in fact, employees now spend 40% of their screen time on email, which is why phishing is just as big of a problem for businesses as it is for consumers.
While the intent and top-level tactics employed by bad actors can be the same for these two types of targets, the brands impersonated often differ. Why? Because employees tend to trust and interact with different types of brands and be motivated by different types of content. For example, while news of a missed delivery from FedEx might motivate a consumer, an employee is more likely to trust an email from Microsoft and will, therefore, be more motivated to follow a link to a login portal for Office 365. That’s why Microsoft is consistently a favorite amongst phishers.
Surprisingly, cybercriminals don’t actually need an arsenal of technical skills to create a successful phishing campaign. Phishing kits are readily available on the dark web and contain everything a “bad guy” needs to hook a phish including source code, images, scripts, spamming software, and sometimes, even lists of email addresses to target.
In short, these kits make it easy for anyone with a bit of IT knowledge to clone a webpage and host their own look-alike version. From there, attackers can (and do) effectively harvest data that unsuspecting victims enter into mirror versions of legitimate, branded login pages.
Again, Microsoft tends to be a go-to, with 62 phishing kit variants used to target the brand’s users within an observation window of just 262 days.
Of course, even without a phishing kit, it’s not terribly difficult to design a convincing email template that instills a sense of trust and confidence in targets to the point that they click a link, send a reply, or complete a form. What’s more, not all phishing schemes rely on look-alike pages. Some attackers simply need to buy (or create) malware.
As we’ve mentioned, at the core of every phishing attack is email impersonation. So, how do you successfully impersonate a person or brand?
Let’s use the FedEx example and imagine that the only legitimate email address associated with the brand is [email protected]. While cybercriminals can actually replicate that exact email address by spoofing the fedex.com domain, it’s risky. To start, many major brands have adopted DMARC email authentication, which could prevent someone from directly spoofing their domain.
But, with risk comes reward. Recipients of emails that are sent from spoofed domains have no way of knowing that an email wasn’t actually sent from its apparent sender.
Domain-based Message Authentication, Reporting & Conformance (DMARC) uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to determine the authenticity of an email. Brands publish DMARC records to prevent unauthenticated parties from sending emails directly from their domain. If DMARC isn’t enabled, anyone can spoof a brand’s domain. That means that cybercriminals could send an email with Sender and From fields that appear completely legitimate, even under scrutiny.
Nonetheless, it’s more common for attackers to use domain variations that in some way resemble the authentic email address.
The easiest way is to simply change the display name. Anyone – yes, anyone – can change their display name via their email account settings. That means that someone using an email address that’s in stark contrast to [email protected] can still use the display name FedEx Customer Service.
Likewise, attackers can register domains with the specific purpose of impersonating a legitimate company. There are dozens of phishing domain tactics, which include registering domains with just a one-letter difference from the authentic domain, and creating convincing subdomains, top-level domains or root domains.
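As an added illustration of the sender-impersonation tactics above (not code from the original article), the following Python heuristics classify a From: header as a display-name trick, a one-character lookalike domain or a deceptive subdomain. The brand list and sample addresses are constructed, and the registrable domain is approximated by the last two labels rather than a public-suffix list.

```python
"""Heuristics for spotting an impersonated sender in an email From: header.
Added example (not from the original article); brand list and headers are
constructed, and 'registrable domain' is approximated by the last two labels."""
from email.utils import parseaddr

# Hypothetical brands to protect: registrable domain -> brand name.
BRAND_DOMAINS = {"fedex.com": "FedEx", "microsoft.com": "Microsoft"}


def edit_distance_is_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip the extra character of the longer string, or both on a substitution.
        i += 1 if len(a) >= len(b) else 0
        j += 1 if len(b) >= len(a) else 0
    return edits + (len(a) - i) + (len(b) - j) == 1  # unread tail = one more edit


def classify_sender(from_header: str) -> str:
    """Return a verdict such as 'lookalike-domain:FedEx' for one From: header."""
    name, addr = parseaddr(from_header)
    labels = addr.rpartition("@")[2].lower().split(".")
    registrable = ".".join(labels[-2:])
    if registrable in BRAND_DOMAINS:
        # Right domain; whether the brand really sent it is a question for
        # SPF, DKIM and the published DMARC policy, not for this check.
        return "legitimate-domain"
    for brand_domain, brand in BRAND_DOMAINS.items():
        brand_label = brand_domain.split(".")[0]
        if edit_distance_is_one(registrable, brand_domain):
            return f"lookalike-domain:{brand}"          # e.g. fedx.com
        if brand_label in labels[:-2]:
            return f"deceptive-subdomain:{brand}"       # e.g. fedex.com.parcel-update.net
        if brand_label in registrable:
            return f"lookalike-domain:{brand}"          # e.g. fedex-support.net
        if brand.lower() in name.lower():
            return f"display-name-impersonation:{brand}"
    return "unrelated"
```

A "legitimate-domain" verdict only means the domain matches; as the text notes, without DMARC a spoofed From: address would pass this check too.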
Once the email itself has been crafted, it has to be disseminated.
Importantly, time is of the essence. Since phishing by definition relies on a large pool of targets, it’s vital that the email is sent to as many unsuspecting victims as possible before the domain and/or servers used by the attacker are blacklisted.
Phishing campaigns can be identified by the IP address and domain they’ve been sent from, which means that once a domain or IP address is known to be associated with malicious emails, email systems will redirect the email to a junk folder or reject it altogether.
Let’s consider the odds.
Phishing attacks have a 3% click rate. If the email is sent to 100 people, only 3 of them are statistically likely to open a malicious link or download a malicious attachment. If the email is sent to 1,000 people, 30 of them might fall for the scam, and so on.
More targets equal more opportunity for success.
Cybercriminals go to great lengths to deceive their targets, almost always with the intent of extracting data or infecting computers. As we’ve mentioned, data can be “extracted” by way of look-alike sites that rely on the victims themselves willingly (albeit unknowingly) following a link and entering information. But, the data can also be captured over an extended period of time via an attachment that’s downloaded or installed.
In the world of cyber attacks, these harmful links and attachments are called malicious payloads. When these malicious payloads take the form of an email attachment, they often fall under the larger umbrella of malware.
It’s important to note, though, that not all phishing emails rely on malicious payloads.
Zero-payload attacks simply use coercive language to implore the target to reply to or action a request, whether that be handing over an account number for an invoice or sharing credentials to a security tool.
These types of attacks – often seen in more sophisticated schemes – are especially disquieting because cybercriminals are able to circumvent and evade legacy tools, payload inspection systems, spam filters and secure firewalls.
Needless to say, there’s more than one way for bad actors to get whatever it is they’re after – from money to credentials – and as these payloads become more sophisticated, they’re harder for people and security software solutions to spot.
Today, phishing attacks are the most persistent threat to cybersecurity, with a marked 250% increase in frequency from 2018 to 2019 according to Microsoft’s annual Security Intelligence Report.
That means that this year, you’re almost 3x more likely to have a phishing email land in your inbox than you were last year.
So, what happens if you’re one of the 3% that falls for a phishing attack? The consequences are virtually limitless, ranging from identity theft to a wiped hard drive. Unfortunately for the average person, the phishing business is becoming more and more profitable for cybercriminals as the price tag for personal information continues to increase.
But the consequences for businesses can be even more devastating, especially when you consider that the average cost of a data breach in 2019 was an incredible $3.92 million, a 1.5% increase from 2018.
Needless to say, phishing is the number one cause of these types of breaches, in particular spear phishing: phishing’s more targeted, personalized, and often more damaging counterpart.
At face value, phishing and spear phishing seem almost impossibly similar. After all, the intent is identical.
But, there are two key differences. While a phishing campaign casts a very wide net and is relatively easy to execute, spear phishing campaigns are targeted at fewer people, and with more personalized correspondence.
Spear phishing requires more thought and time to successfully execute.
In addition to the tactics that we see employed in phishing, bad actors in these more customized attacks will use information from company websites, social media, news articles, and more to engineer an email that’s believable, even to someone who’s been through extensive security awareness training.
Oftentimes, cybercriminals impersonate someone in an authoritative position – for example, the CEO or a line manager – because employees tend to be less likely to question their superiors, are generally keen to help someone in power, and tend to act with a greater sense of urgency.
Zero-payload attacks like the one shown above can be particularly effective because a bad actor is able to build rapport with the victim by posing as a co-worker or superior, sometimes over a series of emails.
Unfortunately, innovation in email hasn’t evolved in tandem with the fast-paced digital transformation, which is one reason why reports of phishing attacks have continued to increase year-on-year.
6.4 billion fake emails will be sent today alone.
Because this number continues to grow, it’s quite clear that spam filters, antivirus software, and other legacy security solutions aren’t able to keep pace with attacks that are becoming more and more complex by the day.
That’s why it’s so important that individuals are scrupulous and inspect attachments and links before they’re downloaded or clicked. In particular, we recommend that you:
But what about businesses? While staff training, blacklists, URL and attachment inspection systems, and legacy rule-based solutions may be enough to block some phishing attacks, they aren’t always capable of stopping the more sophisticated incarnations.
Even Secure Email Gateways (SEGs) – which were designed to stop high-volume spam and keep inboxes safe from malicious emails – can’t always identify more advanced, targeted attacks, in particular zero-day attacks, zero-payload attacks, and spear phishing attacks.
The tactics employed by legacy solutions – namely identifying malicious payloads and flagging blacklisted domains – are simply ineffective against the advanced impersonation tactics used by cybercriminals in spear phishing attacks.