People are commonly considered the weakest link in the cybersecurity chain.
Phishing attacks are social engineering attacks that try to trick people (exploiting human rather than technical weaknesses) into revealing sensitive information, clicking malicious links, or downloading malware.
"Phishing" draws on the analogy of "fishing": attackers, like fishermen, cast out bait (emails, messages, websites, etc.) hoping that targets will take the bait and disclose information or compromise their system.
Phishing communication channels include:
Email (most common attack vector)
SMS - smishing
Phone calls - vishing
Social media platforms
Messaging apps
Attackers will use one or more of the following psychological levers in a phishing attack to achieve those goals.
Authority: Impersonating someone in authority, e.g., IT staff, managers, CEOs, etc.
Trust: Impersonating a trusted individual or organization, such as friends, relatives, a bank, partners, or vendors.
Intimidation: Communication designed to instill fear; it may appear to come from a person or organization of authority (e.g., a Federal or Government entity) or threaten to disclose sensitive information, e.g., “Your account has been compromised,” “You are under investigation.”
Urgency: Communication creates a sense of expediency because a deadline is about to expire, e.g., “Immediate action required,” “24 hours left,” “final warning.”
Scarcity: Similar to urgency, but the communication pushes the target to act because of limited resources, e.g., “Only the first 50 will get access,” “Limited offer.”
Familiarity: Communication attempts to establish credibility through recognition, e.g., a former classmate or colleague.
The goals of each attack depend on the motive of the attacker, but the most common goals are:
Credential Theft: Attackers harvest usernames, passwords, or multi-factor (MFA) tokens to gain unauthorized access to systems.
Financial Gain: Attackers trick targets into making fraudulent payments, sending funds, or revealing financial information, such as credit card numbers and bank account details.
Information Gathering & Exfiltration: Attackers retrieve/export sensitive organizational data such as intellectual property, personal data, or confidential documents.
Malware Delivery: Attackers use phishing emails to deliver malicious attachments or links that install malware, such as ransomware, spyware, keyloggers, and trojans.
Initial Access for Advanced Attacks: Successful phishing attacks serve as an initial foothold for larger attacks, such as:
Ransomware deployment
Business Email Compromise (BEC)
Lateral movements across the organization's internal network & systems
Data breaches
Reputation Damage and Espionage: Attackers use targeted (spear-phishing) attacks for long-term surveillance, competitive advantage, or political/industrial espionage.
Phishing attacks do not employ a single method or communication channel, but employ various tactics, tricks, and channels. Below are the most common techniques that individuals and security defense professionals need to recognize:
Deceptive Phishing:
Attackers impersonate a legitimate security company and inform the targets that they are already experiencing a cyberattack.
They often include urgent messages like "Your account will be suspended" or "Unusual login detected," and the instructions or message contain a malicious link.
Spear Phishing:
Highly targeted towards a specific individual within an organization.
Attackers recon the target via publicly available information (social media, LinkedIn, Company websites) before initiating the attack.
Often sophisticated and harder to detect.
Whaling:
A subset of phishing that targets a high-profile individual within an organization (CEO, CFO, etc).
May involve fake invoices, wire transfer requests, or requests for sensitive business data.
Usually, the attackers have already compromised another account within the organization or an associated vendor’s or partner’s account.
Business Email Compromise (BEC):
It is similar to spear phishing and whaling, but it can target anyone within the organization, often impersonating trusted leaders or executives.
The goal is to trick employees into making unauthorized payments, transferring funds, or providing sensitive information.
Clone Phishing:
Attackers make an identical copy of a previously received message and insert a malicious link or attachment.
The email/message appears familiar and trusted; attackers may add something like “resending this” in the message.
Smishing (SMS Phishing):
Phishing messages are delivered over SMS.
Often include malicious links or fake delivery notices.
Vishing (Voice Phishing):
Attackers call targets pretending to be someone else (IT support, bank representatives, or government agencies).
Often used to bypass MFA or trick targets into revealing credentials, bank/credit card, or other sensitive information.
Malicious Attachments:
Attackers mainly use emails to deliver documents or executables with embedded malicious code, exploits, or macros.
Pharming/Content Injection:
An attacker places malicious code on the target’s computer or changes part of a legitimate website’s code to redirect the target to a malicious website.
The malicious website looks the same as the original but is used to gather the target’s login credentials.
Evil Twin Phishing:
Attackers will set up a false Wi-Fi network that looks legitimate.
The attackers can then perform a man-in-the-middle (MITM) attack and intercept the information of any person connecting to and using the fake network.
Attackers will often employ the following techniques to hide/obfuscate their methods:
Pretexting:
Attackers use various tactics to gain the trust of their targets and convince them to divulge sensitive information.
Pretexting techniques are used in the following attacks: impersonation, tailgating, piggybacking, baiting, phishing, smishing/vishing, and scareware.
Spoofing and Impersonation:
Attackers will attempt to disguise an unknown or unauthorized source of communication as that of a legitimate, known, and trusted entity.
Attackers will attempt to spoof or impersonate email addresses, domains, and organization branding/communication.
For example, attackers may send email from the lookalike address support@gooogle.com while claiming it came from the official Google support address support@google.com.
URL Manipulation:
Attackers will use various methods and tools to obfuscate malicious URLs.
URL shortening (https://bitly.com/), subdomain spoofing, domain homographs (visually similar characters), and typosquatting (slightly misspelled domains) are some of the tools and techniques.
Tools: https://dnstwist.it/, https://dnstwister.report/, https://github.com/elceef/dnstwist.
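As an added example (not code from the original page), the following Python flags the URL manipulation techniques listed above from the defender's side: shortener domains, homograph/IDN hosts, a brand name used as a subdomain of an unrelated domain, and typosquats within two edits of a known brand. The brand list, shortener list and sample URLs are assumptions constructed for the demo.

```python
from urllib.parse import urlparse

# Assumed allow-list of brands the organization expects to see (constructed for the demo).
KNOWN_BRANDS = ("google.com", "microsoft.com", "paypal.com")
# Well-known URL shorteners; bit.ly is the page's example, the rest are assumptions.
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Good enough for this demo (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats one or two edits away from a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> list[str]:
    """Return the manipulation indicators found for a URL (empty list = no findings)."""
    findings = []
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append("url-shortener")
    # Homograph: punycode (xn--) labels or any non-ASCII character in the host name.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        findings.append("homograph")
    labels = host.split(".")
    for brand in KNOWN_BRANDS:
        # Subdomain spoofing: the brand appears as a label, but the registrable domain is not the brand.
        if brand.split(".")[0] in labels[:-2] and reg != brand:
            findings.append(f"subdomain-spoof:{brand}")
        # Typosquat: registrable domain is close to, but not equal to, a known brand.
        if reg != brand and edit_distance(reg, brand) <= 2:
            findings.append(f"typosquat:{brand}")
    return findings
```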
Encoding:
Attackers will attempt to Base64, URL, or HTML encode message contents to evade email filters and scanners.
Encryption may also be added to hide malicious attachments/payloads.
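An added example (not part of the original text) showing why a filter has to decode in layers: it strips HTML-entity, percent (URL) and Base64 encoding from a constructed message until the text stops changing, then reports the URLs that only become visible after decoding. The sample message and its domains are constructed for the demo.

```python
import base64
import html
import re
from urllib.parse import unquote

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# A run of Base64 alphabet characters long enough to be worth trying to decode.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: one URL hidden by HTML entities, one by Base64, one by percent-encoding.
SAMPLE = (
    "Unusual login detected. Verify here: "
    "&#104;&#116;&#116;&#112;&#115;&#58;&#47;&#47;login.example-bank.test/verify\n"
    "Or use: aHR0cHM6Ly9hY2NvdW50cy5ldmlsLnRlc3QvbG9naW4=\n"
    "Backup: https%3A%2F%2Fbackup.example-phish.test%2Fsign-in"
)

def _decode_b64_run(match: re.Match) -> str:
    """Replace a Base64-looking run with its decoded text, but only if it decodes to printable UTF-8."""
    blob = match.group(0)
    try:
        padded = blob + "=" * (-len(blob) % 4)
        out = base64.b64decode(padded, validate=True).decode("utf-8")
    except Exception:
        return blob
    return out if out.isprintable() else blob

def decode_layers(text: str, max_depth: int = 5) -> str:
    """Repeatedly undo HTML entity, %xx and Base64 encoding until nothing changes (or max_depth)."""
    current = text
    for _ in range(max_depth):
        step = unquote(html.unescape(current))
        step = B64_RE.sub(_decode_b64_run, step)
        if step == current:
            break
        current = step
    return current

def hidden_urls(message: str) -> list[str]:
    """URLs that appear only after decoding, i.e. ones a scanner that reads the raw text would miss."""
    visible = set(URL_RE.findall(message))
    decoded = set(URL_RE.findall(decode_layers(message)))
    return sorted(decoded - visible)
```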
Attachments:
Attackers will disguise malicious files, payloads, and exploits as legitimate documents within emails.
These attachments may install malware that steals information, disables security controls, or grants the attacker remote access.
Abuse Legitimate Services:
Security solutions usually flag known malicious websites and attachments.
Attackers may use legitimate services (Google Drive, OneDrive, Dropbox, etc.) to host malicious links or attachments that bypass security solutions.
Legitimate service URLs (drive.google.com, onedrive.live.com, etc.) are usually whitelisted in security solutions.
Pharming:
It is usually a two-step technique: an attacker first compromises a website (injecting malicious code), a DNS server (amending domain-to-IP resolution), or the target’s device, and then uses that foothold to redirect the target to a malicious website.
The end goal is mainly to harvest sensitive information or user credentials.
Educating users on quickly and effectively identifying, verifying, and dealing with suspicious communication is the most effective defense against phishing attacks, regardless of the communication channel.
However, a comprehensive phishing defense strategy requires a multi-layered defense-in-depth approach that combines technical controls, user education, policies, and continuous monitoring. Below are the main preventative, detective, and corrective phishing attack defense and mitigation controls.
Cybersecurity Awareness Training (Preventative): Reduce human susceptibility to phishing attacks.
Email Authentication Protocols (Preventative): Prevent domain spoofing and ensure email integrity.
Email Security Gateway and Filtering (Preventative): Block malicious emails before they reach end users.
DNS Filtering/Web Proxy Controls (Preventative): Block access to malicious domains even if links are clicked.
Multi-Factor Authentication (Preventative): Limits an attacker's ability to compromise accounts if credentials are compromised.
Privilege Management & Least Privilege (Preventative): Limit access to resources and information if an attacker successfully compromises an account.
Network Segmentation and Zero-Trust Principles (Preventative): If phishing leads to initial compromise, limit an attacker’s lateral movement across the network.
Endpoint Protection & EDR/XDR Solutions (Preventative/Detective): Detect and contain malicious payloads in phishing emails that bypass filters.
Security Information and Event Management (SIEM) & Monitoring (Detective): Monitor, detect, log, and investigate phishing-related anomalies.
Incident Response and Playbooks (Corrective): Ensure rapid containment & remediation of phishing incidents.
Organizations should include a simulated phishing attack in regular cybersecurity awareness training to evaluate the training's effectiveness. Post-simulation reviews should be constructive and positive, seeking to help staff improve rather than chastising them for failing.
Training should teach staff to recognize:
Unsolicited or unexpected emails or messages
Unknown/suspicious email or message sender
Generic greetings, e.g., “Dear Customer”
Urgent or threatening language demanding immediate action
Requests for sensitive data or login credentials
Poor grammar, spelling errors, and odd sentence structure
Mismatched display names and sender addresses
Hyperlinks that do not match the displayed text
Suspicious attachments or file extensions
Emails claiming to come from executives or financial personnel with unusual requests
Emphasize “Trust but Verify” practices
Encourage employees to report suspicious emails to the security team immediately.
Regarding the latter, add a “Report Phishing” button directly into the email client to simplify user reporting.
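An added example (not from the page) that automates three of the indicators listed above on a constructed message: a display name claiming a brand the sending domain does not belong to, a Reply-To that sends replies to a different domain, and a hyperlink whose visible text names a different host than its href. The message, addresses and domains are constructed; the heuristics are deliberately simple and would complement, not replace, email authentication and gateway filtering.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (assumption: not taken from any real mailbox).
RAW = """\
From: "Google Support" <support@gooogle.com>
Reply-To: help@mail-collector.example
To: user@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Dear Customer, unusual login detected. Verify within 24 hours:</p>
<a href="https://login.example-phish.test/verify">https://accounts.google.com/signin</a>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_message(raw: str) -> list[str]:
    """Return the phishing indicators found (empty list = none of these heuristics fired)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = _domain(addr)
    # Display name claims a brand (its first word) that the sending domain does not contain.
    brand = name.split()[0].lower() if name else ""
    if brand and brand not in from_domain:
        findings.append(f"display-name-mismatch:{name!r}->{from_domain}")
    # Replies are silently routed to a domain other than the sender's.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"reply-to-mismatch:{reply_to}")
    # Link text shows one URL while the href points at a different host.
    body = msg.get_body(preferencelist=("html",))
    html_text = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html_text):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith("http") and shown.split("/")[2].lower() != href.split("/")[2].lower():
            findings.append(f"link-mismatch:{shown}->{href}")
    return findings
```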