Don't be phooled: 10 phishing techniques to look out for
In 2016, American businesses suffered half a billion dollars a year in losses from phishing attacks with the average cost at $1.6 million each. These numbers are alarming evidence that just one click can cause significant financial and reputational damage to your brand. And since studies show that a staggering 30 percent of phishing emails get opened, it’s no wonder that they consistently rank as the top cyberattack vector.
Despite being one of the oldest cyberattacks in the book, phishing remains so popular because it’s a highly effective means of exploiting the weakest link in the cybersecurity chain: humans. To make matters worse, hackers have become much more sophisticated in their techniques: no more poorly written, typo-ridden Viagra spam emails and unclaimed heritage scams. Phishing attacks are now highly targeted, dynamic and "hypermorphic," making them increasingly difficult for both humans and machines to detect.
Since it’s no longer easy to spot a phishing scam, this article will share some of the more sophisticated techniques used by hackers, so you know what to look for, and can prevent your company from being 'phooled'.
- Mismatch between the brand and domain (or country)
With mismatching, the domain in the URL does not match the brand represented on the page that URL leads to. Here’s an example:
While the brand is listed as "Forever Jewellery" (hint: it is also spelled incorrectly), the link actually directs the user to a PayPal login page. One tactic that can be used to identify mismatching is hovering over the target URL in an email. If the domain doesn’t match the brand the message is allegedly coming from, there’s a good chance you’re being scammed.
Mismatching can also occur between the brand and the country domain extension. An example of this is a user who receives an email from Citizens Bank with a link to a page with a Russian extension. Since Citizens Bank is an American financial group, the .RU extension is a clear sign that the page is not valid.
- Cousins domains
Cousins domains can be created and used to spoof both the sender and the URL. With this technique, hackers will remove letters or alternate the spellings to a registered domain name, so it looks deceptively similar to a target name. Here’s an example of a real address versus a spoofed address:
Real address: [email protected]
Spoofed address: [email protected]
Can you spot the difference? Since we as users tend to read domain names quickly, it’s hard to tell that an "s" was removed in the spoofed address. Take a closer look -- do you see it now?
- Context
Hackers love to take advantage of current events and other topical and contextual elements to launch phishing attacks. A recent example of this is the Airbnb phishing attack, which took advantage of brands sending GDPR notices to consumers. Other common examples include IRS scams around tax season, or emails offering fake discounts from retailers during the holidays.
- Display name spoofing
With display name spoofing, hackers change the visual display name of the "header from" line within the message. This tricks people into thinking the email is from a legitimate sender. As an example (and keeping the context in mind), hackers could change the "from" in the email to "IRS" using any email address underneath.
Since the full email address isn’t immediately visible -- without several clicks or taps -- there’s no way to tell just by looking at the sender if the email is a scam.
- Strange and/or complicated URLs
With this technique, hackers will create a domain that in appearance looks long, complex and encompasses several known domains. Here is an example from a global phishing attack that incorporates domains from Amazon Web Services and Walmart:
http[:]//wmxemail[.]walmart[.]com/track?type=click&mailingid=94z_6-0-0-0-optcr_201707007&userid=-0225249577&extra=&&&http[:]//ec2-54-212-231-1[.]us-west-2.compute[.]amazonaws[.]com/?NzM1NTk4NzM9NjcwNSY0OTQyNjc9MjUmMzQ9Y2xpY2smMWo3emYzPTEmbGlkPTI1MjQ=
The dead giveaway that this link is invalid is the double listings of both "HTTP" and ".com."
- Homoglyphs
With homoglyph attacks, hackers leverage the similarities of character scripts to create and register phony domains to fool users and lure them into visiting fake sites. For example, they’ll often replace the Latin small letter "o" with Cyrillic symbols. To take advantage of Facebook’s popularity, they might use facebοοk.com instead of facebook.com. It’s virtually impossible to spot the difference; to know for sure, you can use Ctrl + F and search for two o’s.
- Emails demanding urgent action
To create urgency, hackers create an artificial time constraint, demanding the user complete the action during a specified period of time. For example, you might receive an email saying "your account has been locked, so please reset your account within 24 hours." This technique is used to instill fear in the users, which is why they often fall for it.
- Emails coming from someone with authority
Let’s face it: we’re more inclined to respond to people of authority. Hackers will disguise themselves as those who they know have power over their target; for example, they’ll pretend to be the user’s boss, instructing them to complete some type of financial transaction. Or they’ll pose as Facebook’s Security team. To avoid falling victim to this technique, employees can try to confirm the ask with their boss in-person or via phone before taking any next steps.
- The use of URL shorteners
It’s easy to review a full URL to check to see if it’s legitimate, but by using URL shorteners, the link’s true identity is hidden. This technique does not always indicate phishing since many brands use honest shortened links in their marketing communications, but it is one method very commonly utilized by hackers. When in doubt, check a phishing URL detection tool, such as IsItPhishing.AI, to see if any link -- including shortened ones -- are legitimate.
- A phishing link in a clean attachment
Knowing that many security systems scan links within emails to determine if they’re hacking, hackers often embed phishing links within clean attachments. Because there’s no malware in the attachment, the message won’t trigger sandboxing technologies; and because there’s no link to scan in the content of the email, it will bypass traditional filters.
Again, the best approach in these scenarios is to check the URL using a phishing URL detection tool.
Hackers have become so sophisticated, they’re even capable of creating attacks that cannot be seen, including:
- The use of multiple redirections or dynamic redirections with multiple paths. In other words, each time you click on a link, you’ll be taken down a different path to the ultimate destination page.
- Mobile-specific attacks where the content is designed to display only when accessed from mobile devices, meaning if you open the same message on your desktop and your phone, you will see different content.
- Geo-specific attacks where the content is designed to display only when accessed from the target location and attempts to access from other locations might lead to blank pages, or perfectly valid pages. It could also display a specific content from a relevant brand depending on the country.
- Attacks that can identify whether the page is being opened by a browser or automated engine and only displays malicious content when opened by humans.
Don’t think hackers are just limited to these techniques: they are becoming even smarter as each day passes, meaning they’re increasingly capable of bypassing human intelligence. AI and humans can’t get the job done as separate entities. Rather, they need to work together to make sure businesses -- and their employees -- are safe and secure. The organizations that augment human intelligence with artificial intelligence will be the ones least likely to fall victim to these attacks.
What’s the craziest phishing email you’ve ever received?
Photo credit: Slavoljub Pantelic/Shutterstock
Adrien Gendre is Chief Solution Architect, Vade Secure