Phishing is one of the best known and most common tactics cybercriminals use to trick internet users into sending them sensitive information such as passwords or credit cards.
In short, attacker masquerades as a trusted entity and lures the victim into clicking a malicious link in an email, instant message, or text message. There are plenty of tips on how not to fall for such threats, yet users still somehow get caught. Unfortunately, this is a far broader and more complex issue than just people lacking basic cybersecurity awareness and clicking on a malicious link in an obviously scammy email.
The attackers have evolved their techniques over the years, getting more creative and harder to detect. They mostly rely on social engineering using psychological manipulation to trick victims into making a mistake and giving away their sensitive data. They do this by manipulating, creating a state of panic, fear, urgency, or simply using human weakness. An old-school example is a so-called Nigerian scam, where scammers offer a large sum of money to help victims transfer their fortune out of the country. They ask the victim to give away their bank account details to later steal their funds, or ask them to pay some fees and taxes to help them transfer the „trapped“ money.
The global crises, such as the recent coronavirus pandemic, are another opportunity for the attackers to use their social engineering tricks. Uncertainty and a desperate search for the most recent information have lead people to pay less attention to what they click on. The COVID-19 outbreak has emerged an uptick in phishing email schemes, with attackers posing as the Center for Disease Control and Prevention, or World Health Organization. Working from home has also opened the door to an increased number of cyberattacks.
Types of phishing
The most frequent type of phishing attack is email scam. Hackers register a fake domain that mimics a business or organization (for example, the aforementioned WHO) and send thousands of fraudulent emails. These emails can range from visible scams to legitimate-looking messages cleverly designed to mimic actual emails from a spoofed organization. Links inside messages also look legitimate, but there is often something „off“ about them: a fake/misspelled domain, spelling and grammatical errors, or content with a sense of urgency, where the victim is told to act now (for example to reset your password).
Spear phishing is way harder to detect. Unlike the generic email phishing scams, where malicious emails are sent to a large number of people, spear phishing targets a specific person. The emails here are personalized and are purportedly coming from someone the victim is familiar with (a trusted partner or coworker). According to a CSO article, spear phishing targeted campaigns can involve documents containing malware, or links to credentials stealing sites to steal sensitive information or compromise payment systems. Some of these documents can even be stored on legitimate sites such as Dropbox or OneDrive.
Spear phishing attacks aimed at senior executives within the company are often called whaling. By obtaining all the information about the said person from the company’s website, the press, or social media sites such as LinkedIn, the attackers can create an even more subtle and personalized email. Other forms of phishing similar to email-based attacks are smishing (attacking via text message containing malware), and vishing (scamming via phone conversation). Angler phishing is a relatively new form of phishing attacks that involves social media. In this case, attacks are launched using bogus corporate social media accounts.
Keeping software updated, not revealing financial information, using long and unique passwords for every account, checking website URLs – all of these tips are important to follow, but not enough to keep us safe from cybercriminal activities. Phishers are evolving and finding new ways of evading these protections. Usernames and passwords are far from sufficient to protect our sensitive data such as banking or emails accounts. As mentioned in a Medium post, even the Two-Factor Authentication (2FA) can be easily bypassed by the new reverse proxy tools such as Modlishka. This powerful tool, which can automate the process of a phishing site passing through 2FA checks based on SMS and one-time codes, works as a server between the victim and the target website and acts as a proxy for a victim. It can easily get the credentials such as password, username, or two-factor authentication token.
Adding another layer of security by using passwordless MFA could massively reduce the risk of cyberattacks. Instead of investing huge amounts of money into security support, keeping employees stressed and confused about every email they receive, and still losing battles with the cybercriminals, more and more enterprises are going passwordless by embracing sophisticated methods. Using a passwordless sign-in platform such as Regzen will soon become a safe and easy-to-use replacement for the flawed password-based authentication method. The Regzen anti-phishing platform also includes a unique Sign-in Form Protection feature that automatically blocks signing in on a website sign-in form once users start using the app.