Skip to main content

Three kinds of phish: What distinguishes the best phishing campaigns and how to avoid falling for them

phishing
(Image credit: Image Credit: wk1003mike / Shutterstock)

Phishing is a form of social engineering that involves tricking individuals into doing something they shouldn’t, or normally wouldn’t – such as downloading malicious files or sharing passwords. People associate phishing with email, but it can also be conducted via SMS, WhatsApp, Slack or practically any digital communication medium.  

The goal of phishing campaigns is to provoke an emotional reaction by using a lure. Fraudsters might promise something great if their target does X, or instill fear if they don’t do Y, and they will usually pressure the person to act swiftly. A good example is criminals impersonating HMRC to claim recipients are entitled to claim a tax rebate before an imminent deadline. 

The scale of the phishing problem is so significant that it can’t be easily quantified. Google was blocking 18 million Covid-related phishing emails every day at the start of the pandemic. That’s 18,000,000 emails in a single day, related to a single topic, and by a single service provider.  

According to the Verizon Data Breach Investigations Report, roughly a quarter of all data breaches start with a phishing. This is why businesses leaders need to recognize the full extent of the phishing threat and what distinguishes the most sophisticated and most effective campaigns from the rest. 

Types of phishing emails to look out for 

Phishing campaigns broadly fall into one of three categories based upon their level of sophistication, with each category requiring additional security mitigations.     

Level 1: Minimal sophistication 

The most basic phishing emails are designed to establish a relationship with the target. There are no links or malicious attachments to open. The phish is simply a primer for future communications, such as requests for payment. 

Messages are typically plain text and sent via widely used email services such as Gmail, which means they are very likely to bypass mail filters rather than be marked as spam. The sender’s name used is often a senior person within an organization, such as the CEO.  

Mitigation advice 

Defending against phishing campaigns of all types requires a range of technical and non-technical controls. However, user education is especially important to help defend against  

basic phishing attacks since most organizations can’t realistically block all messages from widely used domains.  

Establishing protocols for dealing with internal and external requests, particularly payment requests, also mitigates the risk of rudimentary phishing campaigns from succeeding. For instance, if employees are instructed to verify emailed requests via telephone than fake requests are likely to be identified before they are actioned.  

One of the best technical controls for reducing the success of the most basic of phishing emails is to add an external sender warning. If a cybercriminal sends an incoming email posing as a trusted colleague, an external sender message will instantly alert the recipient that the message has been sent from an external domain and, as a result, encourage them to act with greater vigilance. 

Level 2 – Mid-level phishing 

To conduct mid-level phishing campaigns, attackers use basic hacking tactics, techniques and procedures. A very common technique involves cybercriminals purchasing a private domain and using it to host a landing page that is cloned from a legitimate website. It’s a more sophisticated version of copy and paste, but with the right know-how is quick to perform. With a cloned site set-up, an attacker will email their target, share a link to the fake page and lure them into entering their details.  

Emails used in mid-level phishing campaigns are usually crafted carefully, spoofing well-known brands to appear legitimate. The emails also usually come from a personalized domain and Exchange server, rather than via free email service providers. 

Mitigation advice 

While the main mitigating control against zero-sophistication phishing campaigns is user education, the main defense against mid-level attacks is to implement technical controls to block emails that possess certain characteristics.   

One tell-tale sign that an email could be malicious is that it contains a link to newly registered website. A legitimate website will have a good reputation and be classed in an appropriate category on WHOis, but a cloned version that is known to have been used to send phishing emails in the past will not. 

Level 3 – Professionally crafted 

Highly skilled cybercriminals use similar techniques to mid-level attackers. However, they are more skillful and better-resourced, making their attacks increasingly challenging to safeguard against.    

The professionals that create and leverage advanced phishing campaigns such as Business Email Compromise (BEC) attacks conduct extensive open-source intelligence gathering on their targets. This involves profiling individuals but also the organizations they work for. Job advertisements are often a good source of information, disclosing details about the types of systems, applications and security tools organizations use.  

Armed with accurate information about their targets, professional fraudsters spend time crafting original campaigns, often around topical events. Common strategies include purchasing recently expired company domains that have an already established reputation as well as developing fileless malware to evade detection by signature-based defenses. 

Sophisticated attackers also often attempt to abuse 0Auth, a widely used protocol used by applications to authenticate users. This involves duping targets to authorize the installation of malicious third-party apps that appear legitimate as well as grant them extensive permissions, such as the ability to read files, access calendars and create email inbox rules.  

Mitigation advice 

No matter how robust perimeter defenses are there is always a possibility that a skilled and persistent attacker will reach his or her intended target. To mitigate this risk, it is important to focus not only on phishing prevention but also detection. This involves having capabilities in place to swiftly identify suspicious behaviors, such as users logging in to systems from unknown locations or at unusual times – actions that could suggest a compromise has occurred. 

Endpoint Detection & Response (EDR) tools are particularly valuable control, providing a deeper level of visibility that traditional antivirus tools can miss.  They also contain features to help rapidly contain and disrupt threats, such as isolating infected endpoints. 

To mitigate the risk of sophisticated phishing attacks, organizations also need to ensure that they have a robust incident response plan. Should users receive and mistakenly open a suspicious file, it’s important to ensure that they know who to contact. Equally important is that the people tasked with responding to incidents know how to react in a variety of scenarios. 

Additional mitigations to help safeguard against more advanced phishing campaigns include enforcing multi-factor authentication (MFA) across systems and hardening cloud services to solely authorize trusted third-party applications.  

Final thoughts to safeguard against current and future threats 

From high volume spammers to advanced and persistent actors that carefully choose their targets, the threat posed by phishing attacks to organizations is not going away. However, without even basic mitigations even the most rudimentary of attacks can pose a significant risk.  

To help achieve a multi-layered approach to securing against phishing attacks, it’s recommended that all organizations:  

  • Provide employee awareness training and ensure its content is regularly refreshed 
  • Closely monitor networks and endpoints to detect threats that evade perimeter defenses 
  • Conduct simulated assessments to assess the effectiveness of controls and processes 
  • Leverage and act upon threat intelligence to help improve defenses  
  • Enforce MFA to protect user accounts in the event of passwords being compromised

Jed Kafetz is Head of Penetration Testing at Redscan