Phishing has many faces. Criminals keep inventing new social engineering techniques to steal money or valuable information from their victims. They come up with new ideas, follow trends, and make use of new technologies to make attacks more efficient. Here are the top 5 phishing techniques in use by criminals today and the dangers associated with them.
1. Classic email phishing
Phishing is not as old as email itself but it is pretty old. Because until the mid-90s the Internet and email were used almost exclusively in academic circles, phishing made little sense at the time. However, once Internet access became widespread, criminals became aware of its potential and discovered ways to make it work for them.
The first time the term phishing appeared in public was in early 1996 on AOL (America Online). Around that time, AOL customers were receiving fraudulent email messages and instant messages from criminals posing as AOL employees requesting sensitive information, which led to AOL having to issue official warnings about the practice. As you can see, the term stuck around and, unfortunately, the phenomenon only got worse over time.
In the old days of email, before the introduction of security controls such as DKIM and SPF in the 2000s, anybody was able to send an email with any sender address. That was heaven for criminals—just forge the right headers and their email appeared 100% legitimate. The introduction of sender authentication techniques improved the situation, but even now, with many email servers and clients, it is still possible for a criminal to send an email that appears to come from a real address. And even when it is not, it is very easy for a criminal to register a domain that looks deceptively similar to a real one.
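The two weaknesses just described, forged or unauthenticated senders and lookalike domains, are what a mail filter or a SOC triage script checks for. The following is an added example, not code from the article: a small triage routine that parses the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header and flags sender domains that imitate a trusted one by homoglyph folding, edit distance, or by using the trusted name as a leading label. The homoglyph table, the trusted domain and the sample headers are constructed for illustration.

```python
import re

# Constructed homoglyph table (assumption: a small illustrative subset, not an exhaustive list).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Fold common look-alike characters so 'examp1e' compares equal to 'example'."""
    domain = domain.lower()
    for lookalike, plain in HOMOGLYPHS.items():
        domain = domain.replace(lookalike, plain)
    return domain


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    address = from_header.strip().rstrip(">")
    return address.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as 'bamk' for 'bank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set, max_distance: int = 1) -> bool:
    """True when the domain imitates a trusted one without actually being it."""
    domain = domain.lower()
    if domain in trusted:
        return False
    folded = normalize(domain)
    for t in trusted:
        if folded == t or levenshtein(folded, t) <= max_distance:
            return True
        # Trusted name used as a leading label, e.g. bank.example.login-check.example
        if folded.startswith(t + "."):
            return True
    return False


def parse_auth_results(header: str) -> dict:
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def triage(message: dict, trusted: set) -> list:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    domain = sender_domain(message.get("From", ""))
    if is_lookalike(domain, trusted):
        findings.append(f"lookalike sender domain: {domain}")
    verdicts = parse_auth_results(message.get("Authentication-Results", ""))
    for mechanism in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mechanism, "missing")
        if verdict != "pass":
            findings.append(f"{mechanism}={verdict}")
    return findings


# Constructed sample headers (not taken from a real message).
TRUSTED = {"example-bank.example"}
SAMPLE = {
    "From": "Bank Support <alerts@examp1e-bank.example>",
    "Authentication-Results": ("mx.mail.example; spf=pass smtp.mailfrom=examp1e-bank.example; "
                               "dkim=none; dmarc=fail header.from=examp1e-bank.example"),
}

if __name__ == "__main__":
    for finding in triage(SAMPLE, TRUSTED):
        print(finding)
```

Note that the sample passes SPF: a criminal who registers a lookalike domain can publish a perfectly valid SPF record for it, so a passing verdict only says the mail came from where the sending domain says it should, not that the domain is the one the reader thinks it is. The homoglyph folding is a heuristic and will produce some false positives on legitimate domains that happen to sit one edit away from a trusted one, which is why it belongs in triage rather than in an automatic block rule.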
The three keys to successful email phishing are a convincing email address, a convincing template, and a convincing phishing site. The phishing site can be made even more convincing if the criminal uses a cross-site scripting (XSS) vulnerability or an open redirect found at a reliable site, thus making it possible to create a working link that takes the victim to the original site first and then immediately redirects to the phishing site.
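The open-redirect trick works because the legitimate site hands the browser on to whatever address a query parameter names. The following added example (not from the article) shows the vulnerable redirect handler beside a hardened one in Python: the hardened version resolves the parameter against the site's own base URL and then insists on https and an allowlisted host, which rejects scheme-relative `//host` forms, userinfo tricks like `trusted@evil`, and non-http schemes. The site name and host allowlist are constructed.

```python
from urllib.parse import urljoin, urlparse

SITE_BASE = "https://bank.example/"   # constructed site, not a real one
ALLOWED_HOSTS = {"bank.example"}      # hosts a post-login redirect may land on


def redirect_target_vulnerable(next_param: str) -> str:
    """Classic open redirect: whatever ?next= says is where the browser is sent."""
    return next_param


def redirect_target_hardened(next_param: str) -> str:
    """Resolve against the site, then allow only https URLs whose host is allowlisted.

    urljoin turns relative paths into same-site URLs, but also turns '//evil.example/x'
    into 'https://evil.example/x', so the host check after resolution is what matters.
    parts.hostname strips any 'user@' prefix, so 'https://bank.example@evil.example/'
    is judged by its real host.
    """
    resolved = urljoin(SITE_BASE, next_param)
    parts = urlparse(resolved)
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        return SITE_BASE   # fall back to the home page rather than echo the input
    return resolved


# Constructed inputs a redirect endpoint might receive.
CANDIDATES = [
    "/account?tab=1",
    "https://bank.example/settings",
    "//evil.example/login",
    "https://bank.example@evil.example/",
    "https://bank.example.evil.example/",
    "http://bank.example/insecure",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(f"{candidate!r:45} vulnerable -> {redirect_target_vulnerable(candidate)}")
        print(f"{'':45} hardened   -> {redirect_target_hardened(candidate)}")
```

A redirect endpoint that only ever needs to return users to pages on the same site can go further and accept nothing but a relative path, dropping the allowlist entirely; the allowlist form is for sites that legitimately hand off to a small set of partner hosts.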
Even email phishing has many faces. From attempts to send you to a fake bank site, through ones that promise you high bitcoin winnings, all the way to promises of favours of intimate nature – criminals try every trick in the book to get money and/or sensitive information out of you and millions of others. The basic email phishing is all about numbers: sending as many emails to as many addresses as possible, hoping that some of them fall for the bait.
2. Spear phishing
Spear phishing may even be older than classic email phishing – but it’s impossible to know. This is because spear phishing is highly targeted – at a specific, influential individual. That individual is first researched by the criminal (through general reconnaissance and OSINT) and then included in a carefully crafted campaign aimed at extracting highly valuable sensitive information.
For example, a spear phishing attack may be targeted at a research scientist who has developed a revolutionary industry process. A criminal organization may want to get access to that process to then sell it to the highest bidder amongst industry competitors. In such a case, the criminal organization will first research the victim thoroughly and then prepare a phishing attack posing as a trustworthy person such as a family member, close friend, or a co-worker.
3. Whaling and business email compromise
When spear phishing, why go after the small fish when you can go for the whales? This is where the term whaling comes from – it refers to a spear phishing attack targeted at individuals with very senior positions at major companies – CEOs, CFOs, etc. A typical whaling attack may be, for example, someone attempting to fool the CEO into believing that the company is about to get sued, just to get information of huge value to the competitors.
Business email compromise (BEC) is a type of whaling where the victim is a lower-level employee while the attacker impersonates a CEO, CFO, etc. The first step for the criminal is to gain access to the top-level executive’s email via hacking or other phishing techniques. Then, the compromised account is used to send emails to, for example, financial staff to ask them to pay for a fake invoice or transfer money to an account controlled by the criminal.
4. Smishing and vishing
With almost every person now owning a mobile phone, text messages (SMS) are a very attractive fraud medium for criminals – even more than emails. The technology behind SMS makes SMS phishing (smishing) even easier – anybody can send a message that appears to come from a company, and that message is even sorted into the same thread in the messaging app as the company's genuine messages!
Using other instant messaging apps is also considered a type of smishing. Criminals may use Messenger, WhatsApp or other popular platforms to try to fool you into believing they are the real thing. For example, they may create fake social pages to make you believe that they represent the actual company that tries to contact you.
Vishing – voice phishing – appears to be a modern trend but its roots go far back, years before email phishing! Some of the famous 80s black-hat hackers were actually more social engineers than computer hackers and often posed as company employees to gain access to other systems. Modern-day vishing is very similar and may involve either an attempt to gain access to company assets or to extract personal information from an individual.
5. Realtime phishing
Last but not least – realtime phishing is the one you should especially be on the lookout for because it is the only type of phishing attack that can effectively bypass multi-factor authentication (MFA). In a realtime phishing attack, the victim connects to a proxy that relays everything to and from the real site.
For example, a realtime phishing victim may be fooled into accessing a bank site that not only looks and feels like the real thing but, behind the scenes, is the actual real thing. The address that they access is there only to act as a man-in-the-middle and listen in on all the communication. What the victim sees on the screen is the real site that they wanted to access.
In such a situation, when the victim tries to log into the bank site, they are first asked for an ID and password, which are collected by the proxy. Then the bank site sends an authentication request involving the mobile phone or a physical token, and the victim enters the code from the device, which is also captured by the proxy. At that point the proxy may even terminate the connection, and the criminal can proceed using a fully logged-in session. The only hope for the victim is for any further operations, such as transfers, to be separately protected using multi-factor authentication.
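The reason the relayed code works is that a one-time code carries no information about where the user typed it in. An origin-bound factor (the principle behind WebAuthn/FIDO2 security keys and passkeys) does: the browser records the origin it is really on and the authenticator signs that together with the site's challenge, so a signature produced on a lookalike address fails verification at the real site. The following added example, not from the article, simulates both kinds of second factor with every message passing through a relay unchanged. It uses an HMAC with a constructed secret as a stand-in for the per-site key pair a real authenticator holds, and the site and relay origins are constructed.

```python
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://bank.example"                 # constructed relying party origin
CREDENTIAL_KEY = b"constructed-credential-secret"  # stand-in for the per-site key pair
OTP_SECRET = b"constructed-otp-seed"               # stand-in for an authenticator-app seed


def rp_issue_challenge() -> bytes:
    """The real site issues a fresh random challenge for each login attempt."""
    return os.urandom(32)


def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    """Origin-bound signing: the browser records the origin it is actually on and the
    authenticator signs challenge and origin together (the WebAuthn clientData idea)."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True
    ).encode()
    signature = hmac.new(CREDENTIAL_KEY, client_data, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def rp_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    """The site accepts only a signature over its own origin and the challenge it issued."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != challenge.hex():
        return False
    expected = hmac.new(CREDENTIAL_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def otp_code(counter: int) -> str:
    """A six-digit code like an authenticator app produces; it knows nothing about origins."""
    digest = hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def rp_verify_otp(code: str, counter: int) -> bool:
    """Checks the code alone: nothing here can notice that it was typed on a relay page."""
    return hmac.compare_digest(code, otp_code(counter))


def relay_login_with_webauthn(browser_origin: str) -> bool:
    """Login where every message passes through a relay unchanged.
    browser_origin is the address the victim's browser actually shows."""
    challenge = rp_issue_challenge()                    # site -> relay -> victim
    assertion = authenticator_sign(challenge, browser_origin)
    return rp_verify_assertion(assertion, challenge)    # victim -> relay -> site


def relay_login_with_otp(browser_origin: str, counter: int = 1) -> bool:
    """Same relay, but the second factor is a one-time code; the origin never enters the check,
    which is why browser_origin is accepted and ignored here."""
    code = otp_code(counter)                            # victim types the code into the relay page
    return rp_verify_otp(code, counter)                 # relay forwards it; the site cannot tell


if __name__ == "__main__":
    print("direct login, origin-bound factor: ", relay_login_with_webauthn(RP_ORIGIN))
    print("relayed login, origin-bound factor:", relay_login_with_webauthn("https://bank-login.example"))
    print("relayed login, one-time code:      ", relay_login_with_otp("https://bank-login.example"))
```

The origin check is the whole mechanism: the relay can forward the challenge and the assertion byte-for-byte, but it cannot change the origin the victim's browser wrote into the signed data without breaking the signature. The same property is what makes the article's final advice work, since a transfer approval bound to the bank's origin cannot be replayed from a session the proxy captured.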
The future of phishing?
With the development of technology, we can expect criminal techniques to evolve just as well. Who knows, maybe in the near future we will have machine learning-based phishing or phishing using deepfakes?