It's time to update your definition of phishing


Phishing has been around since the mid-90s, but we've come a long, long way from AOHell — an AOL hacking program where the word "phishing" was first mentioned. A lot has changed since those days, and because of this a lot of misconceptions have arisen.

Here's some handy info for you so you can keep your definition of phishing up to date!

Mass email campaigns are waning

Mass campaigns are still very popular because they are cheap and easy to create, but their effectiveness is waning and hackers are using them less frequently. The main goal of a mass email phishing campaign is to send a phishing email to as many targets as possible (often in the hundreds of thousands) and hope that at least one person falls for the attack — as the cost of these attacks is so low, all it takes is one person handing over money and the attacker has made a profit.

These attacks are not that successful in today's world, as most messages of this type are filtered out by email spam filters; some companies go further and limit bulk email deliveries to their domains entirely. Even when an email gets through all the security filters, everyday recipients are better prepared against generic emails because these attacks have leaked into popular culture. The broad "I'm a Nigerian member of the royal family and I need to deposit a million dollars" example is so well known that it has worked its way into Saturday Night Live episodes and sitcoms (Editor's note: despite being so ubiquitous, the 'Nigerian prince' email still generates $7,000,000 a year).

Spear-phishing is on the rise

Attackers had to invent something that would bypass spam filters and also make recipients feel the email was worth opening and checking. So attackers started using more specific "spear-phishing" attacks, which are crafted depending on which person or company is the target. They take note of company branding and the style of communication inside the company, and they often gather information from social media accounts about the targets and their coworkers. That means far fewer spear-phishing emails are sent out than mass emails, but the chance of a successful attack increases significantly. Spear-phishing needs a lot more preparation time (for reconnaissance and planning), so it has become much more time-consuming for hackers, but these targeted attacks often lead to bigger rewards from the targets.

Bigger targets, bigger goals

Without getting too much into the history of phishing itself, it used to be that hackers just wanted access to networks so they could create some minor-league havoc and have some (mostly) harmless fun. Those early days led to phishing's teenagehood: hacking then became about obtaining sensitive files and information and using it to blackmail and extort from people. Nowadays, hacking and phishing have become about getting everything, with some sophisticated hacking groups going as far as holding entire companies for ransoms fetching in the hundreds of millions of dollars.

How they do this is surprisingly easy. The widespread adoption of software-as-a-service applications (such as Slack, Office365, Trello, Hubspot, and more) gives hackers deeper access into organizations than ever before, which helps attackers get as much out of a phishing attack as possible. Access to a single SaaS platform can be enough for hackers to set up monitoring tools such as keyloggers (programs that record every single keystroke) and other malware on a network. In some cases it is also possible to shut down and hack entire networks. Hospitals, healthcare companies, and legal firms are prime examples of the prey hackers are choosing more and more lately, as the sensitive information these businesses hold on their networks can be held for a big ransom. These types of total-control attacks can also shut down entire organizations for long periods of time, which obviously hurts the organizations economically and in the eyes of the public.

"Whaling" is another type of phishing, often targeting C-suite persons such as CEOs, CFOs, and CTOs. This gives hackers a chance to get their hands on the most secret (and financially lucrative) data. One good example of this is the 2016 phishing of Hillary Clinton's campaign manager, John Podesta, who fell for a simple Gmail phish that gave hackers access to a huge pool of private messages, emails, and more. Hackers then shared this sensitive information with the Trump campaign and with the American press in order to lower public support for Hillary Clinton. Some say this phishing attack cost Hillary Clinton the American presidential election.

More technical approaches

Since the early days of the internet, it's been like a cat-and-mouse game between the cybersecurity community and cybercriminals. Attackers have invented new ways to bypass security filters and firewalls, and to fool the humans behind them. An email's header, body, links, images and attachments are all relevant factors in determining whether it is marked as spam or inbox-worthy, so how are attackers bypassing them? Attackers do everything they can to make mail, links and attachments look safe both to recipients and to the various security tools.

HTTPS-protocol

HTTPS has become popular in attacks. More than 70% of the malicious landing pages seen in the last 4 years have had some type of SSL certificate on the website. A false sense of security from the HTTPS badge beside the URL often makes visitors feel more protected, as this used to be a hard thing to falsify to end users.

Email spoofing

Spoofing the sender field of the email, masking files (using techniques such as the right-to-left override), pretexting, and shortened links can all make an email look like it comes from a legitimate sender; they also help bypass filters and make the recipient feel more secure.

Gift cards and crypto

Attackers can decrease the risk of being tracked after an attack by using gift cards and cryptocurrencies as the currency of exchange, since these payment methods don't require personal data for usage.

What does all of this mean for you?

How can you as a recipient reduce the chances given to attackers? The most important thing is to stay calm when opening any suspicious email, because in most phishing emails attackers try to affect your emotions by using social engineering techniques. Calmness is also important because it's then easier to notice any typos in the body text, links, and domains that could reveal that the sender is not the person they claim to be. Unfortunately, some phishing emails have been so well crafted that you can't find any noticeable spelling mistakes to confirm it is a phishing email. In these cases, it's better to report the suspicious email anyway rather than acting in the way the sender wants you to.

Habitually check the URL address of any links sent to you

If it doesn't look familiar, it is better to find the website they're asking you to visit through a search engine rather than using the direct link from the email you received. Another tip is to look out for any websites that appear too "thirsty" for your information, as phishing sites often ask for sensitive information as soon as a user arrives at a page.
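The two cheap look-legitimate tricks this post names (attachment names masked with a right-to-left override, and links whose visible text names a different site than the one they go to, or that hide behind a shortener) can be checked mechanically before anyone clicks. The following is an added example written for this article, not Hoxhunt's code; the shortener list and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, deliberately short shortener list; a real deployment would load a maintained one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
# Unicode bidirectional controls (U+202E is the right-to-left override the post mentions).
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

def check_attachment_name(name: str) -> list[str]:
    """Flag filenames whose displayed extension is not the real one."""
    if not any(ch in BIDI_CONTROLS for ch in name):
        return []
    # The OS uses the text after the last dot, whatever the user sees on screen.
    real_ext = name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"
    return [f"bidi override in attachment name; real extension is .{real_ext}"]

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html: str) -> list[str]:
    """Flag shortened links and links whose visible URL names another host."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host:
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return findings

if __name__ == "__main__":  # constructed sample message
    print(check_attachment_name("invoice\u202efdp.exe"))
    print(check_links('<a href="http://bit.ly/x">https://portal.example.com/login</a>'))
```

Running the sample reports the masked attachment's real `.exe` extension and both problems with the link, which is exactly the information a recipient cannot see by looking at the rendered email.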

Think about any information that you’re sharing publicly

By sharing as little information as possible in public, you can significantly reduce the information that attackers could use in spear-phishing attacks against you. It is much more difficult to make targeted attacks if email accounts are not shared in public, especially in social media services which are the main sources criminals use against targets.

Always use Multi-factor authentication

Commonly referred to as MFA, multi-factor authentication grants access to users only after they present at least two pieces of evidence of their identity (for example, a password followed by an authenticator app such as Microsoft Authenticator or Google Authenticator). This prevents criminals from accessing an account whose password has leaked before you get a chance to change it.

It's important to note that the most effective line of defence against cybercriminals is by training your employees and yourself using phishing simulations. Reach out to us at Hoxhunt, we'd love to show you a demo of the most effective defence against cybercriminals available today.
