Phishing

2020-07-07T14:05:20+00:00

Phishing is the most common form of social attack carried out by email. Unlike cyberattacks on systems and software, it requires little to no hacking expertise, making it a quick and easy way for cybercriminals to get access to a business’s most sensitive data.


What is phishing?

Phishing is an email scam that impersonates a business to trick recipients into divulging account credentials or clicking on a malware-laden link. In most attacks, phishing involves luring a victim with a link to a fraudulent website or including an email attachment laced with malware.

[Image: Microsoft phishing email]

Phishing vs spear phishing

Phishing attacks impersonate brands to trick users, whereas spear phishing attacks impersonate individuals. Most phishing emails include a subject line that causes either alarm or intrigue, which encourages victims to act quickly. With the exception of highly targeted attacks, a phishing email is typically a one-off event. Often, hackers will send a single email to multiple recipients—known as a wave—at once to improve the chances of success.

Spear phishing emails do not include links or attachments and are designed to trick a recipient into completing a financial transaction, such as making a wire transfer, purchasing gift cards, or changing direct deposit information.

[Image: phishing email impersonating SunTrust]

[Image: spear phishing email]

Elements of a phishing email

All phishing emails include one of two components: a link or an attachment. Getting victims to click the link or open the attachment requires a sophisticated set of tools and techniques. Below are some of the most important elements of a phishing email:

Subject line

Perhaps the most critical element of a phishing email, the subject line is designed to entice, alarm, or frighten the victim into opening the email. Hackers who have done their research write highly targeted subject lines to entice victims into opening emails.

Email spoofing

Email spoofing involves creating an email address that looks like that of a trusted business. With display name spoofing, the hacker adds the desired display name in the sender field of the email. In other cases, a hacker will use an email address resembling a legitimate business email as the display name.
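As an added illustration (not code from this page or from Vade Secure), the Python below inspects the From and Reply-To headers of a constructed message for the display name tricks just described, plus a Reply-To pointing somewhere other than the sender's domain; the brand-to-domain table is an assumption made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative table of the domains a brand legitimately sends from;
# a real deployment would maintain its own, far larger list.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "outlook.com"},
    "paypal": {"paypal.com"},
}

def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def spoofing_indicators(raw_message):
    """Return the list of display-name / reply-to spoofing indicators found."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    findings = []
    # Display name that itself contains an email address whose domain is not
    # the real sender domain (the "address as display name" trick).
    m = re.search(r"[\w.+-]+@([\w-]+\.[\w.-]+)", display)
    if m and m.group(1).lower() != from_domain:
        findings.append(f"display name carries foreign address {m.group(0)}")
    # Display name invokes a brand, but the message comes from an unrelated domain.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append(f"brand '{brand}' in display name, sender is {from_domain}")
    # Reply-To steers replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply)} differs from {from_domain}")
    return findings

# Constructed samples: a spoofed alert and a legitimately addressed message.
SPOOFED = """From: "Microsoft account team <account-security@microsoft.com>" <alerts@example.net>
Reply-To: verify@example.org
Subject: Unusual sign-in activity

Please verify your account within 24 hours.
"""
LEGITIMATE = """From: "Microsoft account team" <account-security@microsoft.com>
Subject: Your monthly statement

Your statement is available.
"""
```

Running `spoofing_indicators(SPOOFED)` yields three findings, while the legitimate sample yields none.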

Brand impersonation

Hackers impersonate the brands you trust the most. When attacking businesses, hackers impersonate brands that a business has a relationship with, such as a bank or a software vendor. To create the illusion of legitimacy, phishers use real business and product logos and other visual elements of the brand’s identity.

Phishing link

A link is typically placed in the body of the email, but it can also be placed inside an attachment or inside a legitimate hosted file on a service like OneDrive or SharePoint to avoid detection from email filters scanning for known phishing links. Victims are lured into clicking on the link by the email itself, which directs the user to visit a website to log into an account.

Attachment

Attachments are included either to conceal the phishing link from an email filter or to deliver malware/ransomware. Often in the form of a Word document, PDF, or .zip file, the attachment appears to be legitimate business correspondence, such as an invoice. The link might lead to a phishing website or result in an automatic download of malware or ransomware.

Phishing page

A phishing page is a fraudulent webpage that impersonates a brand. Unsophisticated pages are easy to spot, but advanced phishers use real CSS from brand webpages to make their webpages identical to the real thing. Phishing pages impersonate login pages where victims enter their username and password to access their account. When they do so, their credentials are stolen.


Phishing examples

Urgency is at the essence of all phishing emails. Phishers use a variety of scams to create a sense of concern and even fear to motivate users to click on links and divulge sensitive credentials.

[Image: Wells Fargo phishing email]

Verify/update account

This email alerts a user that they must verify their account or their password must be reset, whether as a matter of routine or because of an issue with an account.

[Image: Microsoft phishing email]

Update payment alert

The victim is informed that their current form of payment, typically a credit card, is either not working or must be updated in order to continue receiving a service.

[Image: invoice phishing email]

Invoice attached

This attack includes an attachment posing as an invoice or other piece of business correspondence. The attachment might include a link to a phishing page, or the attachment might unleash malware/ransomware when opened.

[Image: SunTrust phishing email]

Security alert

Phony security alerts include phishing emails alerting a victim that their password has been compromised, that there is suspicious activity on an account, or that they recently signed into an account from an unknown device.

[Image: Facebook phishing email]

Social media phishing

Social media phishing involves stealing account credentials for a social media platform through one of the above schemes. Hackers sometimes steal the victim’s personal data and sell it on the black market. In other cases, the hacker will use the compromised account to conduct attacks on the victim’s friends and followers.

[Image: sextortion email]

Sextortion

Sextortion scams are designed to trick victims into believing a hacker is in possession of compromising information, such as webcam video of the victim watching online pornography. The victim is instructed to pay the hacker in Bitcoin to avoid the information being leaked to the public and to acquaintances.

The rise of corporate phishing

Phishing was once considered a consumer problem. But as hackers grew more sophisticated, they began targeting businesses. The growth of cloud computing made businesses an even bigger target, with sensitive files and data suddenly up for grabs. As a result, phishers began impersonating high-profile, reputable brands that corporations do business with, including cloud services providers and financial institutions.

Top five impersonated brands by phishing URLs, 2019

Microsoft        64,331
PayPal           61,226
Netflix          43,185
Facebook         42,338
Bank of America  42,338

Source: Phishers’ Favorites: Most Spoofed Brands in Phishing Attacks

Microsoft phishing

With more than 200 million users, Microsoft 365 is the most used business productivity suite in the world, making it the no. 1 corporate target for hackers. The growth of Microsoft 365 has led to an onslaught of phishing attacks aimed at Microsoft 365 business users whose login credentials prove all a hacker needs to access a business’s data.

[Image: Office 365 ransomware email]

[Image: Microsoft 365 malware email]

[Image: Outlook phishing email]

Popular Microsoft 365 phishing attacks

Users are alerted that their Microsoft 365 account needs attention, such as validating account credentials or changing a password.

Users are warned that there is an issue with their Microsoft 365 payment method and instructed to update their credit card information.

Users receive an email from an Outlook or Microsoft email address alerting that they have received a voicemail and must log in to Microsoft 365 to listen to the message.

Users receive a notification that a colleague has shared a OneDrive or SharePoint file with them. The file typically includes a phishing link but could also be ransomware-laden.

Users receive a notification that a colleague or associate has shared a OneNote message. The URL in the email leads to a fake OneNote message with an embedded phishing link, which leads to a Microsoft phishing page. With a compromised SharePoint account, hackers can send legitimate notifications.

A multiphase attack begins with phishing and evolves into spear phishing. Starting with any of the phishing scams above, the initial attack gives a hacker access to a user’s Microsoft 365 credentials. With these in hand, the hacker can then send phishing or spear phishing emails from a compromised Microsoft 365 account.

Vade Secure for Microsoft 365

Vade Secure for Microsoft 365 blocks advanced attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments. Leveraging data from more than 600 million inboxes, our AI-based threat detection stops threats before, during, and even after attacks.


Phishing techniques

Most email filters use fingerprint and reputation-based detection methods, including scanning for blacklisted domains and IPs. This makes it impossible for these types of filters to detect unknown attacks, or malicious emails and pages that have not been previously identified.

Hackers use a number of techniques to bypass fingerprint and reputation-based filters. With a simple MX record lookup, hackers can see which email security solution is in use and create scripts to bypass MX rules or develop techniques to bypass the solution itself. Below are some of the most common and advanced techniques:

  • Victims are chosen by their job position, experience level, and other factors that indicate their ability to provide access to sensitive data.
  • Phishers mine social media and past data breaches for information that could assist in personalizing the email and understanding what would motivate a victim to respond to a phishing email.
  • Hackers research the target company to learn which brands they do business with, including their business partners, software providers, and banks or other financial partners.
  • Brand logos and images are downloaded from the web and inserted into emails, adding authenticity and authority to the email.
  • CSS and JavaScript are copied from legitimate brand webpages and used to develop phishing pages, making them indecipherable from the real thing.
  • Legitimate reply-to email addresses from the brand are added to emails to convince the user that the email originates from the brand.
  • URLs that lead to phishing pages are either inserted into the email or hidden in an attachment, such as a PDF or Word doc, to avoid detection from email filters that cannot parse documents.
  • Legitimate URLs that lead to safe webpages are included in the email, along with the phishing link, to fool email filters that may deem the email safe after scanning a number of legitimate URLs.
  • Time-bombed URLs are URLs that lead to safe, legitimate webpages and are then redirected to phishing pages once the email has been delivered.
  • URL shorteners, such as Bit.ly and TinyURL, are used to create aliases of the phishing URL to avoid detection from filters scanning for known phishing links.
  • Slight changes or distortions to images will change their cryptographic hash or “fingerprint.” This can cause a blacklisted phishing email to appear to a filter like a new, safe email.
  • QR codes are often inserted in place of phishing URLs to evade filters that cannot extract QR codes. Typically used in sextortion scams, QR codes direct victims to Bitcoin sites where they can make the extortion payment.
  • Text-based images, such as screenshots of emails, are inserted into the email body in place of text. This avoids content scanning by the email filter, which may deem the email safe if there is no content to scan.

Phishing prevention

The best phishing prevention combines people and technology. With new attacks being launched every day and even sophisticated filters sometimes missing attacks, prevention is an ongoing effort that requires constant diligence and a set of anti-phishing technologies:

As attacks become more sophisticated, users must be continually trained in the latest phishing attacks and techniques. In addition to recurring awareness training, contextual training delivered at the moment a user clicks on a malicious email provides instant feedback on the behavior.

Training content that is personalized for the user based on the brand used in the phishing attempt gives the training context, unlike annual trainings that are typically conducted in a group setting and based on generic emails. Ultimately, the training experience will be more significant, and the phishing attempt more memorable than the simulations used in training sessions.

Equally important to phishing prevention is encouraging users to report suspicious emails. This gives IT the opportunity to warn the company about incoming attacks and gives the security operations team the opportunity to use the phishing email to strengthen the email filter.

Unlike fingerprint and reputation-based technology, artificial intelligence identifies unknown attacks by scanning the content, context, and origin of emails. Supervised machine learning algorithms are trained by data scientists to recognize various features of phishing emails. Unsupervised algorithms do not require a trainer but learn over time to recognize anomalies in emails, or suspicious events that differ from the majority of data.

Trained to detect images and logos from brands, Computer Vision algorithms can detect slight distortions in images, scan text-based images, and extract QR codes that conceal malicious links. Unlike other machine learning algorithms, Computer Vision algorithms interpret and view images as humans do, recognizing known phishing emails that have been distorted to look like new emails.
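As an added, self-contained illustration (not code from this page or from Vade Secure) of why a fingerprint filter misses a slightly altered image while a perceptual comparison still matches it, the Python below computes a cryptographic hash and a simple average hash of a constructed 8x8 image before and after a one-pixel change. The average hash is a stand-in for the Computer Vision matching the text describes, not its implementation.

```python
import hashlib

# Constructed 8x8 grayscale "logo" (0 = black, 255 = white): a black border
# around a white square, standing in for a brand image already scaled down.
LOGO = [[0] * 8] + [[0] + [255] * 6 + [0] for _ in range(6)] + [[0] * 8]

def raw_bytes(img):
    """Flatten the pixel grid to the byte string a filter would hash."""
    return bytes(v for row in img for v in row)

def sha256_fingerprint(img):
    """Exact fingerprint of the kind a blacklist-based filter stores."""
    return hashlib.sha256(raw_bytes(img)).hexdigest()

def average_hash(img):
    """Perceptual 'average hash': one bit per pixel, set when the pixel is
    brighter than the image mean. (Real images are resized to 8x8 gray first.)"""
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    return "".join("1" if v > mean else "0" for v in pixels)

def hamming(a, b):
    """Number of differing bits between two equal-length hash strings."""
    return sum(x != y for x, y in zip(a, b))

def distort(img, row, col, delta):
    """Copy of img with one pixel nudged by delta: a 'slight distortion'."""
    out = [list(r) for r in img]
    out[row][col] = max(0, min(255, out[row][col] + delta))
    return out

def matches_known(img, known_hashes, max_distance=5):
    """Perceptual lookup: True if img lies within max_distance bits of the
    average hash of any known phishing image."""
    h = average_hash(img)
    return any(hamming(h, k) <= max_distance for k in known_hashes)

if __name__ == "__main__":
    tweaked = distort(LOGO, 1, 1, -3)  # one pixel, barely visible change
    print("sha256 equal:", sha256_fingerprint(LOGO) == sha256_fingerprint(tweaked))
    print("aHash distance:", hamming(average_hash(LOGO), average_hash(tweaked)))
    print("still matches blacklist:", matches_known(tweaked, {average_hash(LOGO)}))
```

The one-pixel change produces a different SHA-256 digest but an identical average hash, so a filter keyed on exact fingerprints loses the match while the perceptual lookup keeps it.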
