
Phishing: A Comprehensive Guide for 2025

By Content Team on February 7, 2025

Cyberattacks that exploit software vulnerabilities are dangerous but often easy to fix, typically requiring just a patch. Phishing, however, uses social engineering to target people instead of systems. Phishing attacks can evolve and adapt to new narratives or platforms as necessary, forcing businesses to rethink their strategies.

In this thorough guide, we will cover the most relevant tactics employed by phishing campaigns today so that you can develop the best approach to protect your business from this threat.

What You'll Learn in This Guide:

  • The Evolving Nature of Phishing: Discover how phishing attacks go beyond simple emails and now exploit various channels like SMS, social media, and even QR codes.

  • The Devastating Impact: Understand the serious consequences of phishing, from ransomware infections and account takeovers to significant financial losses for businesses.

  • The Latest Tactics: Uncover the sophisticated techniques attackers use to avoid detection, including hiding brand names and using deceptive ads and gateway pages.

  • Types of Phishing Attacks: Learn about the different forms phishing can take, such as smishing, vishing, spear phishing, and whaling, and how to recognize them.

  • Effective Defense Strategies: Explore a multi-layered approach to combat phishing, combining technology like spam filters and anti-malware with cybersecurity awareness and vigilance.

What is Phishing?

Phishing is a type of cyberattack that uses social engineering to deceive victims into disclosing sensitive information, such as passwords, installing malicious applications on their devices, or performing other actions that might help the attackers achieve their goals.

The term comes from the idea of "fishing," as the hacker uses a lure to hook the victims into the scam. The traditional phishing lure is an email that asks for the user's password while pretending to be from a trusted institution - usually a bank.

Today, phishing scams are distributed through many channels, including SMS, phone calls, and paid advertisements in ad networks and social media platforms. They can also impersonate businesses of all industries, including online stores, software, and news media.

Phishing does not require software vulnerabilities. Instead, phishing often tries to trick victims by exploiting human traits and emotions, such as curiosity and fear. That said, cybercriminals may hack into servers or use fraudulent payments (such as stolen credit cards) to obtain the infrastructure necessary to send phishing messages or host phishing websites.

In addition, software vulnerabilities and bugs may be used to make the scam more convincing. For example, hackers can insert malicious code inside documents to install malware and forge email headers to misrepresent their origin, especially when this can be done to bypass spam filters or sender verification systems.

What All Businesses Need to Know About Phishing

Ransomware Incidents Often Begin with Phishing

When phishing is used to install malware or steal corporate credentials, it can lead to a ransomware incident. Hackers regularly find ways to leverage any initial access, even with low privileges, to successfully move laterally inside the network, allowing them to exfiltrate data and compromise sensitive systems.

According to the IBM X-Force Threat Intelligence Index, phishing is tied for first place as the most common vector for initial access, which can lead to ransomware or other disruptions.

Although phishing does not require a high level of technical sophistication, it would be a mistake to believe that the hackers who employ phishing cannot carry out sophisticated operations.

Phishing is Linked to Account Takeover (ATO)

Credentials are a common target for phishing attacks, either directly (with a fake web page that requests the victim's password) or indirectly (by spreading stealer malware that, once installed, will extract this information from the system as it becomes available).

Stolen credentials allow hackers to access customer accounts, creating Account Takeover (ATO) incidents. When criminals place fraudulent orders or make payments that were not authorized by the victim, the business might incur losses due to chargebacks and other legal or technical procedures.

ATO is a key element of the digital fraud ecosystem, generating billions in losses every year.

There are Many Types of Phishing Attacks

Phishing may have different goals:

  • Corporate credentials: Phishing can try to steal passwords to access Software-as-a-Service platforms, IT infrastructure, or corporate VPNs.

  • Malware and initial access: Links and attachments in phishing messages can deploy stealer malware or remote access trojans (RATs) to obtain initial access to a business network.

  • User credentials: Hackers can use end-user credentials in a variety of ways as part of Account Takeover (ATO) incidents.

  • Specific actions: Phishing messages can trick users into performing actions that weaken their security or the security of their organization, such as changing a setting, resetting a password, installing a progressive web app, and so on.

Certain attack types also have unique terms:

  • "Fake ads" and "malvertising" are both used to describe malicious advertisements.

  • Smishing refers to phishing scams received as SMS messages. They can have a link or a phone number for the victim to call.

  • Vishing is related to the use of telephony networks in phishing attacks.

  • Quishing is the term used to describe a phishing URL address hidden inside a QR code.

  • Pharming is an incident where attackers combine phishing with a hijacked domain name, making the attack more convincing as the victim visits a web address that looks identical or nearly identical to the legitimate URL.

  • Spear phishing is used to describe targeted phishing attacks. Spear phishing might be sent to only a few people or even to a single person, allowing for a specially crafted message that can be tailored to be as convincing as possible.

  • When a spear phishing attack is sent to key individuals in an organization, this can be called "whaling," although this term isn't as common. Because criminals often move laterally inside the corporate network to escalate their access level, this distinction is also not always relevant. Nevertheless, when organizations don't take the necessary steps to protect privileged credentials, hackers achieve their objectives much more easily.

In general, these distinctions are not as useful today as they once were. Phishing attacks can employ multiple layers of deception and obfuscation. A malicious SMS message can try to trick the user into calling a phone number, or an unexpected phone call can try to get the victim to open a link received by email or SMS.

Furthermore, AI-powered attacks can customize the phishing message for several recipients, closing the gap between standard phishing campaigns and spear phishing.

How Phishing Attacks Try to Remain Invisible

Businesses and cybersecurity experts have been fighting against phishing for years. Today, cybersecurity platforms are constantly attempting to locate phishing web pages even before criminals start their campaigns. In response, hackers changed tactics several times to avoid detection.

Here's how they try to do it.

Avoiding keywords and brands

Because phishing attacks usually work by impersonating a brand that is well-known to the victim, hackers regularly register new domain names that include the brand name in them - "specialcredit[impersonated bank].com" or "blackfriday[impersonated store].com," for example.

These fake websites can be detected by monitoring new domains and scanning them. This way, illegitimate websites can be subjected to a takedown even before the campaign is spread.

Criminals responded by avoiding brand names in their malicious domains: 70% of fraudulent domains do not have a brand-related keyword. Even if you scan the page itself, 18% of phishing websites do not even mention the brand in their source code.

Although this could make the page more suspicious and lead to a less effective scam, that's not always the case. Many users now browse the web on their smartphones, which have short address bars. Since users cannot easily check the complete URL, criminals rely on subdomains and other tricks that work well enough in the mobile environment.

Phishing websites also use images instead of mentioning brands as text, which defeats traditional scanning solutions.
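The detection described above, monitoring newly observed domains for brand keywords, including the subdomain trick that abuses short mobile address bars, as an added example that is not part of the original article or Axur's own code. Brand names, the sample domain list and the short public-suffix table are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed data for this example: protected brands, their own registrable domains,
# and a batch of "newly observed" domain names to triage.
BRANDS = {"examplebank", "examplestore"}
LEGIT_REGISTRABLE = {"examplebank.com", "examplestore.com"}
SAMPLE_NEW_DOMAINS = [
    "blackfridayexamplestore.com",               # brand keyword in the registrable domain
    "examplebank.com.secure-login-portal.net",   # brand only in a subdomain (mobile address-bar trick)
    "specialcredit-examp1ebank.com.br",          # separator + digit swap, two-label public suffix
    "news.example.org",                          # unrelated domain, should not be flagged
    "examplebank.com",                           # the brand's own domain, skipped
]
# Simplified public-suffix handling (assumption: a real scanner would use the Public Suffix List).
MULTI_LABEL_SUFFIXES = {"com.br", "co.uk", "com.au"}

class Finding(NamedTuple):
    domain: str
    reason: str

def split_domain(fqdn: str) -> tuple[str, str]:
    """Return (subdomain_part, registrable_domain) for a domain name."""
    labels = fqdn.lower().strip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len + 1:
        return "", ".".join(labels)
    cut = len(labels) - (suffix_len + 1)
    return ".".join(labels[:cut]), ".".join(labels[cut:])

def normalize(text: str) -> str:
    """Drop separators and undo common digit-for-letter swaps (examp1e -> example)."""
    return re.sub(r"[-_]", "", text).translate(str.maketrans("013458", "oleasb"))

def triage(new_domains, brands=BRANDS, legit=LEGIT_REGISTRABLE):
    findings = []
    for domain in new_domains:
        sub, reg = split_domain(domain)
        if reg in legit:
            continue  # registered by the brand itself
        reg_norm, sub_norm = normalize(reg.split(".")[0]), normalize(sub)
        for brand in sorted(brands):
            if brand in reg_norm:
                findings.append(Finding(domain, f"brand '{brand}' in registrable domain"))
                break
            if brand in sub_norm:
                findings.append(Finding(domain, f"brand '{brand}' only in subdomain"))
                break
    return findings
```

Domains flagged for a brand keyword that sits only in the subdomain deserve the same priority as lookalike registrable domains, since on a phone the visible part of the address bar is exactly that subdomain.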

Axur uses a combination of algorithms and artificial intelligence models to inspect 15 million websites every day. This helps us recognize brands and the level of similarity between the page being scanned and the official web presence of each organization.

After identifying a brand, our AI takes into account colors, page layout, and many other factors, such as whether the page asks for sensitive information or has a password field.

With this approach, we can find phishing web pages even when they're trying their best to avoid detection. Every signal is recorded to a data lake that can be queried in our Threat Hunting solution.

Ads and 'gateway' pages

While some malicious ads rely on code being executed inside the user's browser, which would make them fall into the "malware" category, criminals have adapted to more standardized formats that are allowed on social media platforms and search engines by relying on phishing tricks: impersonating brands and capturing users' attention.

Criminals can use ad-targeting functionality to focus on potential victims. This makes the campaign more successful and hides the malicious ad from scanning systems, since not everyone will see it. At Axur, we are constantly working to enhance our visibility into ad networks to scan targeted ads.

To sidestep policies that would block their ads, hackers trick the advertising platforms using gateway pages that do not contain any malicious content at first sight. These pages can impersonate news websites or other entities that are not commonly involved in phishing scams to gain the victim's trust as well. At some point, these pages will link to the actual phishing website that requests user data.

Access filters

Hackers actively take measures to block scanning systems from accessing their malicious pages. One of the oldest tricks is "geo-blocking," which only allows the scam website to be accessed by users from specific countries. Since the target of a phishing scam can't be easily determined beforehand, this strategy blocks certain automated systems.

Recent phishing campaigns usually combine multiple filters. At Axur, we've been seeing several scams that are restricted to mobile users - sometimes by checking the technical capabilities of the device, such as touch functionality and screen size. If the device does not report the expected values, the browser is redirected to a different address.
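A static check for the device-gating filter described above, as an added example that is not part of the original article or Axur's own scanner: it pulls the inline scripts out of a captured page and flags pages that both read device capabilities (touch, screen size, user agent) and redirect on the result. The two HTML samples are constructed, and the signal patterns are an assumption about what such gate scripts commonly reference.

```python
import re
from html.parser import HTMLParser

# Signals a gate script typically reads before deciding whether to show the scam.
DEVICE_SIGNALS = {
    "touch": r"ontouchstart|maxTouchPoints|pointer:\s*coarse",
    "screen": r"screen\.(?:width|height)|inner(?:Width|Height)|devicePixelRatio",
    "user_agent": r"navigator\.userAgent",
}
# Ways a script can send a non-matching visitor elsewhere.
REDIRECT = r"location\.(?:href|replace|assign)|window\.location\s*=|top\.location"

class ScriptCollector(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def detect_device_gate(html: str) -> dict:
    """Flag pages whose inline JS reads device capabilities and redirects on the result."""
    parser = ScriptCollector()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    signals = [name for name, rx in DEVICE_SIGNALS.items() if re.search(rx, js, re.I)]
    redirect = re.search(REDIRECT, js) is not None
    return {"signals": signals, "redirect": redirect, "gated": bool(signals) and redirect}

# Constructed samples: a gated page that bounces desktops to a decoy, and a benign responsive page.
GATED_SAMPLE = """<html><body><img src="logo.png"><script>
var mobile = ('ontouchstart' in window) && screen.width < 900;
if (!mobile) { window.location.replace("https://decoy.example/news"); }
</script></body></html>"""
BENIGN_SAMPLE = """<html><head><script>
if (window.matchMedia("(max-width: 600px)").matches) {
  document.body.classList.add("compact");
}
</script></head></html>"""
```

A "gated" result is a reason to re-crawl the page with a simulated mobile profile and compare the two captures rather than a verdict on its own, since legitimate sites also branch on device type.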

Our systems bypass these filters by attempting to access suspicious pages from different regions and simulating several devices, down to how they respond to code in the page. We keep a record of the page's HTML and a screen capture of the scam that can be analyzed by our AI-powered visual inspection technology or by security analysts in our Threat Hunting solution.

A Complete Approach to Fight Phishing

Inside the corporate network, spam filters, anti-malware solutions, and cybersecurity awareness training are the most common lines of defense against phishing. In many cases, however, this is not enough to mitigate the threat.

Because phishing campaigns are external to the corporate network, many businesses are not aware of these incidents, even when they impersonate their brands. This is a problem for organizations that want to provide a safe web experience to their users and avoid any customer dissatisfaction associated with online scams.

While companies may receive reports from users about the scams they receive, this is seldom enough to build an effective response.

The Axur Platform provides a full-fledged solution that combines external detection, reporting, takedown, and a data lake of signals, giving organizations visibility into the threats and campaigns that are run by cybercriminals even when they do not touch their corporate network.

  • Our systems inspect 15 million web pages every day.

  • This inspection tells us which of these pages are impersonating brands.

  • AI models check for elements commonly found in phishing attacks, such as requests for sensitive information, or payments.

  • Incidents that match chosen criteria can be automatically set for takedown and blocking. This involves reporting the phishing URL and related assets to hosting providers and to lists of known phishing websites so that browsers and security solutions help users avoid the scam.

Threat Hunting gives cybersecurity analysts the flexibility to dig deep into more complex incidents. This feature also assists companies in investigating situations where users fall victim to phishing scams.

If you want to see how our technology can help your business in this challenging landscape, talk to our experts.

Frequently Asked Questions (FAQ)

Q: What is the difference between phishing and malware?

A: Phishing uses social engineering to trick people, while malware is malicious software that infects devices. Phishing can lead to malware installation, but they are distinct concepts.

Q: How can I tell if an email is a phishing attempt?

A: Look for suspicious sender addresses, grammatical errors, urgent requests for information, and links that don't match the purported sender's website. Be wary of emails asking for personal information or login credentials.

Q: What should I do if I think I've been a victim of phishing?

A: Change your passwords immediately, notify your bank or other affected institutions, and report the phishing attempt to the appropriate authorities. You may also want to consider contacting a cybersecurity professional.

Q: How can businesses protect themselves from phishing attacks?

A: Businesses should implement spam filters and anti-malware software, and provide regular cybersecurity training to employees. They should also consider using external threat detection platforms to identify and take down phishing sites impersonating their brand.

Q: Is phishing only done through email?

A: No, phishing can occur through various channels, including SMS messages (smishing), phone calls (vishing), social media, and even QR codes (quishing).

Q: How is spear phishing different from regular phishing?

A: Regular phishing is a broad attack, while spear phishing is highly targeted, often personalized to the individual victim to make it more convincing.

Q: What is "whaling" in the context of phishing?

A: Whaling is a type of spear phishing that specifically targets high-profile individuals, such as executives or celebrities.

Q: Are free antivirus programs enough to protect me from phishing?

A: While antivirus software can help, it's not a complete solution. Phishing relies on tricking people, and no software can prevent that entirely. Cybersecurity awareness and caution are crucial.

Q: How often are new phishing techniques developed?

A: Phishing tactics are constantly evolving. Cybercriminals adapt and innovate to bypass security measures, making it an ongoing challenge.