Beware the Phish!
What’s the big deal about phishing? A lot, it turns out. We’ve all seen—but hopefully ignored—emails that looked a bit off: full of typos, sent from an unrecognized address, or about something we’re not interested in. At its most basic, phishing is a tactic that criminal actors use to get victims to open emails and email attachments, or to click on links that give the threat actor access to the victims’ personal information or computer network, often without the victim realizing what happened. Phishing remains one of the most popular attack vectors for potentially very disruptive ransomware and plenty of other cybercriminal activity.
Criminal organizations know that victims may click on phishing lures only a small percentage of the time, which is why they aim to send out as many lures as possible. On occasions when it does work, phishing can yield access to an individual’s personal data or to an organization’s protected internal network.
The current trend is that the number of phishing attempts made each year continues to grow, as does the damage from successful attacks. According to Proofpoint’s “2020: State of the Phish” investigation, two thirds of organizations around the world experienced a targeted phishing attack in 2020. (1)
Look Beyond the Phish: Smishing and Vishing
Criminals are creative and adapt their techniques and technology to catch people off guard. Enter phishing’s lesser known but equally dangerous cousins ‘smishing’ and ‘vishing.’ Smishing (SMS phishing) is any kind of phishing that uses a text message to deliver the lure. Vishing (or voice phishing) happens when a fraudster calls the victim posing as a reputable person or company, luring the victim into sharing confidential information such as banking credentials or personal identification data.
While the delivery format for each of these phishing types is different, the aim of the threat actors in each case is the same: they want to get access to devices and to get hold of personal data. What phishing, smishing and vishing have in common is that each tactic relies on a human responding to the lure; without this victim participation, the attack fails. Criminals will try every way possible to get the data they’re after—while smishing and vishing may be slightly lesser known, they are lucrative and popular. According to the same Proofpoint study mentioned above, 61 and 54 percent of organizations surveyed faced smishing and vishing attacks, respectively, in 2020.
EclecticIQ analysts tracked a smishing campaign targeting the U.K. and Ireland at the start of the year. The threat group impersonated Her Majesty’s Revenue and Customs (HMRC), U.K. delivery companies, and well-known U.K. and Irish banking and telecommunication organizations with the goal of stealing the victims’ banking details for financial gain. Below is one example of a smishing text received by an EclecticIQ researcher that impersonates a legitimate organization.
Countering Phishing at Every Step: Educate. Verify. Report.
Despite being cloaked in technology, phishing is all about people. On one end, there are threat actors behind the phishing lures, and on the other end are victims who unknowingly take the bait. The good news is that protecting oneself and one’s organization is relatively easy.
- Educate: Phishing attempts are all about human nature: the social and psychological drives that tempt users to open emails, click on links, or answer questions when asked. Organizations must take steps to educate their staff about this threat—and most do. The best education, however, will be cyclic and repetitive. Iterative education programs keep the nature of the threat in the forefront of the mind—and will adapt along with threat actors’ TTPs. Cofense has a good list of phishing indicators here. (2)
- Verify: Any legitimate inquiry should be able to be validated another way or through a second source. For example, if an email arrives to a work account, the IT department should be able to verify whether or not it is legitimate. If an email appears to come from within your organization, a conversation with a colleague can help determine if it is legitimate. The old adage “trust but verify” won’t work with this threat—now it’s “don’t trust, verify first.”
- Report: In the unfortunate event of a successful scam, report the event to the authorities. Netherlands-based victims are encouraged to report scams to the Dutch National Anti-Fraud Hotline. (3) In the U.S., complaints should be filed with the FBI’s Internet Crime Complaint Center (IC3). (4) U.S. citizens who are victims of international crimes should report them to the Federal Trade Commission. (5)
Appendix
1. https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf
2. https://cofense.com/knowledge-center/signs-of-a-phishing-email/
3. https://www.fraudehelpdesk.nl/fraudhelpdesk-the-dutch-national-anti-fraud-hotline/
4. https://www.ic3.gov/
5. https://www.ftc.gov/news-events/audio-video/video/report-international-scams-econsumergov