Phishing is a fraudulent scheme to misappropriate information or assets. Cybercriminals constantly attempt phishing attacks to acquire personal information from unsuspecting individuals. The end goal is to gain their trust so they willingly provide their credit card or private information. This is used for fraudulent transactions or to extort victims for monetary gain. Digital security is compromised as phishing techniques continually evolve with technology.
This article will break down the critical elements of a phishing attack and then identify different phishing modalities. Ultimately, the best phishing defense is knowledge and awareness.
Common Phishing Techniques
There are many different phishing attack manifestations. Individuals and groups running phishing attacks are very sophisticated and constantly coming up with new attack modalities to stay ahead of security awareness training and more effectively prey on individuals. Here are some of the overarching types of phishing.
Email Phishing
This is the most common phishing modality. Threat actors send emails, typically but not necessarily, in bulk to unsuspecting victims. Bulk mailing is preferred because phishing is a threat that benefits from volume. If, for example, only five percent of people succumb to phishing attacks, then five percent of 500,000 is significantly larger than five percent of 5,000. 
Email phishing is an email that encourages urgency to open an attachment, click a link or provide information. These emails can be independently created, or they can spoof the look and feel of otherwise legitimate emails. If a link is opened, it will do one of two things:
- Steal the user's login credentials.
- Install malicious malware onto their device.
The virus is embedded in files like PDFs that require opening to action the installation. The impact of these attacks on organizations is often severe. In some cases, the attacker may request money for the malware removal and system restoration. For individuals, they could do the same to return personal information.
Spear Phishing
Email phishing is sometimes designed to target an organization's specific individual. This kind of phishing is called spear phishing. Typically, spear phishing targets prominent individuals in an organization who control assets (financial or intellectual) and/or organizational leadership. Those emails leverage the individual’s position to exfiltrate important information, steal large sums of money or gain sensitive information about those individuals.
Spear phishing can be identified by some of the following indicators:
- Request to share sensitive information
- Emotion-evoking language that prompts action
- Suspicious attachments with strange file names
- Misspelled links that don't match the destination address
- Subtle or obvious grammatical errors that should not be evident in communications from large corporations
Business Email Compromise (BEC)
Another form of email phishing that has risen in popularity over the past couple of years is business email compromise or BEC. BEC is a practice whereby a threat actor gains access to the email systems of a company’s downstream vendor and then masquerades as the vendor to defraud the company of information or money.
BEC is effective due to the apparent legitimacy of the attack and the ability to circumvent secure email gateways. However, it is difficult to implement because of the necessity of actual compromise of that downstream vendor.
Smishing
Smishing, or SMS phishing, refers to the use of text messages to ensnare victims. Threat actors send legitimate-looking texts, posing as authentic businesses. The call to action is usually a link asking to authorize or verify their details. Once the link is clicked, the phone may be compromised. Malware obtains personal information and may corrupt the device, causing it to function slowly, overheat or randomly restart.
Common smashing attempts include:
- Lottery scams
- Tech assistance scams
- Bank fraud notifications
- Account verification requests
- Service cancellation notifications
All these are masked to appear real but you may notice grammatical errors or suspicious link URLs that can hint at its illegitimacy. Never open links in text messages if you haven't had prior communication with the entity or are asked to provide personal details.
Vishing
Voice phishing, sometimes called vishing, is where criminals use landlines and mobile phones to contact victims. They claim to be calling from reputable businesses or banks, advising of new promotions, competitions or account updates that require the victim's personal details. In many instances, targets are not tech-savvy and gullible. They are led to believe the perpetrator and innocently divulge their information on the phone.
Once they acquire their details, they'll use it fraudulently for online transactions. If you experience a vishing attempt, remember to avoid sharing any information telephonically. Ask pressing questions, but more importantly, note the suspicious number and report it to the police or cyber security unit as a preventative measure.
Whaling
Whaling targets senior executives, managers and CEOs through manipulation. This entails obtaining company-sensitive information or funds by sending fraudulent requests for credentials or transaction authorization. Impersonation is the most common tactic as the criminals claim to be colleagues or business partners of higher rankings. It's easier to persuade those in lower positions when posing as an authoritative figure.
The emails are convincing and match the company's tone of voice and branding. This makes it hard to distinguish its legitimacy. Attacks may include:
- Fund transfer requests.
- A link that downloads malware when clicked on.
- Requests for proprietary or confidential business details to do more damage.
Search Engine Phishing
Search engine phishing is also called SEO poisoning. Bad actors will spoof or create fake websites so they rank on top of search engine results pages (SERPs). They are designed to imitate authentic sites with the intention of luring visitors to the fake ones instead.
Users are more likely to access the top-listed sites on the first page when seeking information. Cybercriminals have realized the opportunities this presents and devised ways to use it to their advantage.
Users enter their logins on these illegitimate websites as they normally would. The criminals steal their logins and use them to access their accounts. They often try to access other sites with the same logins since users tend to recycle login information.
Calendar Phishing
Calendar phishing occurs when someone sends a calendar invite to a recipient. Depending on the recipient’s calendar settings or active management of their own calendar, they may go into a meeting designed to defraud them of information, money, or other assets.
Calendar phishing is similar to vishing with a different lure. The success of calendar phishing depends on the recipient’s attentiveness to and management of their calendar. Someone who isn’t as attentive as they should be, has the potential to wander into a tricky situation. Since we collectively trust that meeting invites on our calendar should be on our calendar, this attack modality can be moderately successful.
Page Hijacking
This is one of the more controversial forms of phishing in that it only very technically meets the definition posed above; many definitions exclude it. Page hijacking is typically excluded because of its modality of communication. Instead of active outreach, which is typical for other forms of phishing outlined here, page hijacking relies on passive outreach via compromising an otherwise legitimate website.
While the modality of communication is different, the end result is the same: the compromise sends the browsing individual to a different website requesting money or information or deploys malicious content on the user’s computer.
Page hijacking is also used to conduct man-in-the-middle attacks. Instead of relying on an active phishing lure, those kinds of attacks allow the user to appropriately pass credentials and information on the site but also obtain those credentials for later use.
That example highlights why page hijacking is so controversially considered phishing: it includes activities that are traditionally defined as a different attack modality. It also highlights why classification isn’t as important as training. Whether page hijacking is identified as phishing or not, the threat is very real and potentially damaging to an organization.
The Importance of Understanding Different Phishing Techniques
Phishing may come in various forms, but they all attempt to obtain sensitive personal or account information unlawfully. Psychological manipulation is always involved, sometimes with in-depth target knowledge.
Phishing is a quickly developing space. It has to be for threat actors to stay ahead of administrative and technical safeguards designed to thwart phishing attacks. Attacks can be prevented through effective training and aversion techniques. Awareness and vigilance is imperative in reducing attacks. Knowing what to look for and treating every interaction as suspicious helps.
Some individuals are predisposed to scams because they may lack the knowledge and information to identify attacks. Factors like age, technological inclination and emotional vulnerability contribute to successful attacks. Training combats this by covering different phishing techniques and sharing live templates for realistic scenarios.
Choose Phin Security for MSP Phishing Training
Stringent cyber security measures protect businesses from potential attacks. Phishing and social engineering prevention are key to securing your MSP and protecting your employees. Phin Security offers extensive phishing training tailored for various business applications. We drive automated campaigns, provide engaging and relevant training and offer insightful library content for trainees to gain maximum exposure.
If you're interested in learning more or have questions, let us know how we can help. We are eager and ready to assist.
