Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, it involves luring a victim with a link to a fake website or including an email attachment laced with malware.
Phishing vs spear phishing
Phishing attacks impersonate brands to trick users, whereas spear phishing attacks impersonate individuals. Most phishing emails include a subject line that causes either alarm or intrigue, which encourages victims to act quickly. With the exception of highly targeted attacks, phishing is typically a one-off event. Often, hackers will send a single email to multiple recipients—known as a wave—at once to improve the chances of success.
Spear phishing emails do not include links or attachments and are designed to trick a recipient into completing a financial transaction, such as making a wire transfer, purchasing gift cards, or changing direct deposit information.
Spear phishing email
Elements of phishing
All phishing emails include one of two components: a link or an attachment. Getting victims to click the link or open the attachment requires a sophisticated set of tools and techniques. Below are some of the most important elements:
Perhaps the most critical element of a phishing email, the subject line is designed to entice, alarm, or frighten the victim into opening the email. Hackers who have done their research write highly targeted subject lines for the same purpose.
Hackers impersonate the brands you trust the most. When attacking businesses, hackers impersonate brands that a business has a relationship with, such as a bank or a software vendor. To create the illusion of legitimacy, phishers use real business and product logos and other visual elements of the brand’s identity.
Attachments are included either to conceal the phishing link from an email filter or to deliver malware/ransomware. Often in the form of a Word document, PDF, or .zip file, the attachment appears to be legitimate business correspondence, such as an invoice. The link might lead to a phishing website or result in an automatic download of malware or ransomware.
Email spoofing involves creating an email address that looks like that of a trusted business. With display name spoofing, the hacker adds the desired display name in the sender field of the email. In other cases, a hacker will use an email address resembling a legitimate business email as the display name.
A link is typically placed in the body of the email, but it can also be placed inside an attachment or inside a legitimate hosted file on a service like OneDrive or SharePoint to avoid detection from email filters scanning for known phishing links. Victims are lured into clicking on the link by the email itself, which directs the user to visit a fake website to log into an account.
A phishing page is a fraudulent webpage that impersonates a brand. Unsophisticated pages are easy to spot, but advanced phishers use real CSS from brand webpages to make their webpages identical to the real thing. Phishing pages impersonate login pages where victims enter their username and password to access their account. When they do so, their credentials are stolen.
Urgency is the essence of phishing. Hackers use a variety of scams to create a sense of concern and even fear to motivate users to click on links and divulge credentials and sensitive information.
- Verify/update account
This email alerts a user that they must verify their account or their password must be reset, whether as a matter of routine or because of an issue with an account.
- Update payment alert
The victim is informed that their current form of payment, typically a credit card, is either not working or must be updated in order to continue receiving a service.
- Invoice attached
This attack includes an attachment posing as an invoice or other piece of business correspondence. The attachment might include a link to a phishing page, or the attachment might unleash malware/ransomware when opened.
- Social media phishing
Social media phishing involves stealing account credentials for a social media platform through one of the above schemes. Hackers sometimes steal the victim’s personal information and sell it on the black market. In other cases, the hacker will use the compromised account to conduct attacks on the victim’s friends and followers.
- Security alert
Phony security alerts alert victims that their passwords have been compromised, that there is suspicious activity on an account, or that they recently signed into an account from an unknown device.
- Sextortion
Sextortion scams are designed to trick victims into believing a hacker is in possession of compromising information, such as webcam video of the victim watching online pornography. The victim is instructed to pay the hacker in Bitcoin to avoid the information being leaked to the public and to acquaintances.
The rise of corporate phishing
Phishing was once considered a consumer problem. But as hackers grew more sophisticated, they began targeting businesses. The growth of cloud computing made businesses an even bigger target, with sensitive files and data suddenly up for grabs. As a result, phishers began impersonating high-profile brands that corporations do business with, including cloud services providers and financial institutions.
Vade for M365
Vade for M365 blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire phishing email, including any URLs and attachments. Leveraging data from more than 1.4 billion inboxes, our AI-based threat detection stops threats before, during, and even after phishing attacks.
Most email security filters use signature-based detection methods, including scanning for blacklisted domains and IPs. This makes it impossible for these types of filters to detect unknown attacks or phishing kits that include built-in protections from being identified by URL scanners.
Hackers use a number of techniques to bypass fingerprint and reputation-based filters. With a simple MX record lookup, hackers can see which email security solution is in use and create scripts to bypass MX rules or develop techniques to bypass the solution itself. Below are some of the most common and advanced techniques:
- Victims are chosen by their job position, experience level, and other factors that indicate their ability to provide access to sensitive data.
- Phishers mine social media and past data breaches for information that could assist in personalizing the email and understanding what would motivate a victim to respond to a phishing email.
- Hackers research the target company to learn which brands they do business with, including their business partners, software providers, and banks or other financial partners.
- Brand logos and images are downloaded from the web and inserted into emails, adding authenticity and authority to the email.
- Legitimate reply-to email addresses from the brand are added to emails to convince the user that the email originates from the brand.
- URLs that lead to fake websites are either inserted into the email or hidden in an attachment, such as a PDF or Word doc, to avoid detection from email filters that cannot parse documents.
- Legitimate URLs that lead to safe webpages are included in the email, along with the link, to fool email filters that may deem the email safe after scanning a number of legitimate URLs.
- Time-bombed URLs are URLs that lead to safe, legitimate webpages and are then redirected to phishing pages once the email has been delivered.
- URL shorteners, such as Bit.ly and TinyURL, are used to create aliases of the phishing URL to avoid detection by filters scanning for known phishing links.
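The header and link tricks described above (display name spoofing, a reply-to address that differs from the sender, shortened URLs, and link text that advertises one site while the href points to another) can be checked mechanically on a message before it reaches a mailbox. The following triage script is an added example written for this page; it is not Vade's code and does not describe how Vade for M365 works. The sample message, the bank name, every address and domain in it, and the list of shortener hosts are constructed for the example. It uses only the Python standard library and collapses a hostname to its last two labels, which is a simplification; real code should use the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of popular URL-shortener hosts; extend it from your own threat intel.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: a display-name-spoofed "bank" alert. Every name, address and
# domain here is invented for the example.
SAMPLE_EMAIL = """\
From: "security@examplebank.com" <alerts@mail-notify.example.net>
Reply-To: support@examplebank.com
To: victim@example.org
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please <a href="http://bit.ly/verify-now">verify your account</a>.</p>
<p>Read our <a href="https://www.examplebank.com/privacy">privacy policy</a> or
visit <a href="https://www.examplebank.com/help">examplebank.com/help</a>.</p>
<p>Sign in at <a href="http://login.examplebank.com.evil-host.example/">https://www.examplebank.com/login</a></p>
</body></html>
"""


def registrable(host):
    """Collapse a hostname to its last two labels (login.examplebank.com -> examplebank.com).
    Simplification for the example: production code must consult the Public Suffix List,
    otherwise hosts such as bank.co.uk are mishandled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_email(raw):
    """Return a list of (check, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display-name spoofing: the visible name carries an address whose domain
    #    is not the domain the message was actually sent from.
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    shown_addr = EMAIL_IN_TEXT.search(display_name)
    if shown_addr and registrable(shown_addr.group(1)) != from_domain:
        findings.append(("display_name_spoof", f"{display_name!r} vs sender domain {from_domain}"))

    # 2. Reply-To pointing at a different domain than the sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply_addr:
        reply_domain = registrable(reply_addr.rsplit("@", 1)[-1])
        if reply_domain != from_domain:
            findings.append(("reply_to_mismatch", f"{reply_domain} != {from_domain}"))

    # 3. Links: shortener hosts, and anchor text that names one domain while the
    #    href resolves to another. Every link is judged on its own; a handful of
    #    legitimate links in the same message does not make the bad one safe.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR.findall(html):
        host = urlparse(href).hostname or ""
        if host.lower() in SHORTENER_DOMAINS:
            findings.append(("shortened_url", href))
        shown = DOMAIN_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("link_text_mismatch", f"text shows {shown.group(1)}, href goes to {host}"))
    return findings


if __name__ == "__main__":
    for check, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{check:20s} {detail}")
```

Run against the sample, the script reports all four findings in order: the spoofed display name, the reply-to mismatch, the bit.ly link, and the lookalike login link. The point of treating each link independently is the padding trick listed above: a filter that averages over the links in a message is fooled by three clean links next to one bad one, whereas a per-link verdict is not.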
Image insertion and distortion
- Slight changes or distortions to images will change their cryptographic hash or “fingerprint.” This can cause a blacklisted phishing email to appear like a new, safe email to a filter.
- QR codes are often inserted in place of phishing URLs to evade filters that cannot extract QR codes. Typically used in sextortion scams, QR codes direct victims to Bitcoin sites where they can make the extortion payment.
- Text-based images, such as screenshots of emails, are inserted into the email body in place of text. This avoids content scanning by the email filter, which may deem the email safe if there is no content to scan.
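The image-distortion item above and the image-detection item further down describe two sides of the same problem: an exact hash of an image changes when a single pixel does, while a perceptual hash summarises what the image looks like and survives small tweaks. The block below is an added example, not Vade's code and not a description of its Computer Vision models. It builds a constructed stand-in for a brand logo as a list of grayscale rows (no image library, so it runs with the standard library alone), applies a faint deterministic noise pattern as the "distortion", and compares a SHA-256 fingerprint with an average hash (aHash) of the kind used in perceptual image matching.

```python
import hashlib


def make_logo(size=32):
    """Constructed stand-in for a brand logo: a bright square on a dark background,
    stored as rows of 8-bit grayscale values."""
    img = []
    for y in range(size):
        row = []
        for x in range(size):
            inside = size // 4 <= x < 3 * size // 4 and size // 4 <= y < 3 * size // 4
            row.append(220 if inside else 30)
        img.append(row)
    return img


def distort(img):
    """Add a faint, position-dependent brightness change of 0-2 to every pixel.
    Invisible to a person, but it changes the raw bytes of the image."""
    return [[min(255, p + (x * 7 + y * 3) % 3) for x, p in enumerate(row)]
            for y, row in enumerate(img)]


def invert(img):
    """A genuinely different picture, used to show the hash does separate images."""
    return [[255 - p for p in row] for row in img]


def exact_fingerprint(img):
    """The signature-style check: SHA-256 over the raw pixel bytes."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()


def average_hash(img, hash_size=8):
    """aHash: shrink to hash_size x hash_size cells by block averaging, then emit
    one bit per cell (1 if the cell is brighter than the overall mean)."""
    h, w = len(img), len(img[0])
    bh, bw = h // hash_size, w // hash_size
    cells = []
    for cy in range(hash_size):
        for cx in range(hash_size):
            block = [img[y][x]
                     for y in range(cy * bh, (cy + 1) * bh)
                     for x in range(cx * bw, (cx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    return sum(1 << i for i, c in enumerate(cells) if c > mean)


def hamming(a, b):
    """Number of differing bits between two hashes; small means 'same picture'."""
    return bin(a ^ b).count("1")


if __name__ == "__main__":
    logo, tweaked, other = make_logo(), distort(make_logo()), invert(make_logo())
    print("exact fingerprint unchanged:", exact_fingerprint(logo) == exact_fingerprint(tweaked))
    print("aHash distance to tweaked copy:", hamming(average_hash(logo), average_hash(tweaked)))
    print("aHash distance to inverted image:", hamming(average_hash(logo), average_hash(other)))
```

The exact fingerprint of the tweaked copy is a completely different value, so a blocklist keyed on it misses the re-used logo; the aHash of the two images is identical, while the inverted image sits 64 bits away. In practice a filter compares the distance against a threshold (a handful of bits out of 64) rather than requiring equality, and production systems use a real image library and a more robust variant such as pHash or dHash rather than this minimal aHash.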
With new attacks being launched every day and even sophisticated filters sometimes missing attacks, prevention is an ongoing effort that requires constant diligence and intelligent anti-phishing software with advanced protection:
- User training
As attacks become more sophisticated, users must be continually trained in the latest attacks and techniques. In addition to recurring phishing awareness training, contextual training delivered at the moment a user clicks on a malicious email provides instant feedback on the behavior.
Training content that is personalized for the user based on the brand used in the attack gives the training context, unlike annual trainings that are typically conducted in a group setting and based on generic emails. Ultimately, the training experience will be more significant, and the attack more memorable than the simulations used in training sessions.
Equally important to phishing prevention is encouraging users to report suspicious emails. This gives IT the opportunity to warn the company about incoming attacks and gives the security operations team the opportunity to use the phishing email to strengthen the email filter.
- Artificial Intelligence
Unlike fingerprint and reputation-based technology, artificial intelligence identifies unknown attacks by scanning the content, context, and origin of emails. Supervised machine learning algorithms are trained by data scientists to recognize various features of phishing emails. Unsupervised algorithms do not require a trainer but learn over time to recognize anomalies in emails, or suspicious events that differ from the majority of data.
- Image detection
Trained to detect images and logos from brands, Computer Vision algorithms can detect slight distortions in images, scan text-based images, and extract QR codes that conceal malicious links. Unlike other machine learning algorithms, Computer Vision algorithms interpret and view images as humans do, recognizing known phishing emails that have been distorted to look like new emails.