Phishing

Phishing remains one of the most prevalent and effective cyber threats, leveraging deceptive emails and websites to steal sensitive information or deliver malware. As cybercriminals employ increasingly sophisticated tactics, understanding and implementing robust defenses against phishing is crucial for individuals and organizations alike.
  • Phishing attacks constitute over 80% of reported security incidents. (Source: Verizon's Data Breach Investigations Report)
  • The cost of phishing attacks for businesses has tripled over the past six years, averaging $14.8 million annually per company. (Source: Ponemon Institute)

What is phishing?

Phishing is a type of cyber attack where attackers attempt to deceive individuals into providing sensitive information or installing malicious software. They usually impersonate a trustworthy entity or person in electronic communications, such as emails, text messages, or even phone calls. The goal is to steal personal data, such as login credentials, credit card numbers, or other financial information, which can then be used for fraudulent activities.

Common methods of phishing

Email phishing

Attackers send emails that appear to be from legitimate sources, like banks, social media sites, or other trusted organizations. These emails often contain urgent messages or threats, prompting the recipient to click on a malicious link or download an attachment.

Common indicators of an email phishing attempt

Phishing attempts are fraudulent attempts to obtain sensitive information by disguising the sender as a trustworthy entity. Common indicators of phishing attempts include:

1. Suspicious sender address

The sender's email address might look similar to a legitimate one but with slight alterations.

Example: While at work, you receive an email from what appears to be your company's IT department, asking you to reset your password. The sender's email looks almost right, but upon closer inspection, you notice it's from "it-support[@]cmpany[.]com" instead of "it-support[@]company[.]com". This slight alteration is a common phishing tactic.

2. Generic greetings

Phishing emails often use generic greetings like "Dear Customer" instead of addressing you by name.

Example: One morning, you find an email in your inbox that reads, "Dear Customer, Your account has been compromised. Please verify your information immediately." Since you often receive personalized emails from your bank, this generic greeting raises a red flag.

3. Urgent or threatening language

Phishing emails often create a sense of urgency or fear, claiming that immediate action is required to avoid negative consequences.

Example: Just before a big project deadline, you receive an email from "admin[@]hrdepartment[.]com" stating, "Your job is at risk! Confirm your details within 24 hours or face termination." The urgent and threatening tone is designed to panic you into responding without thinking.

4. Request for personal information

Legitimate companies rarely ask for sensitive information (like passwords, Social Security numbers, or credit card details) via email.

Example: An email from "payroll[@]companyfinance[.]com" arrives, asking you to confirm your Social Security number and bank account details to process your salary. Knowing that legitimate requests from HR would never ask for such sensitive information via email, you suspect it's a phishing attempt.

5. Links to fake websites

The email may contain links that lead to websites mimicking legitimate ones. Always check the URL for slight variations or misspellings.

Example: You get an email from what seems to be your favorite online store, claiming there's a problem with your recent order. The email contains a link to "www[.]amaz0n-support[.]com" (note the zero instead of an "o"). By hovering over the link, you see the URL is not the official Amazon site.

6. Poor grammar and spelling

Many phishing emails contain noticeable spelling and grammatical errors.

Example: After a team meeting, you receive an email from "ceo[@]companyy[.]com" stating, "Pleese review the attachemnet for important info regarding your perfomance review." The poor grammar and spelling mistakes indicate it’s not from your actual CEO.

7. Unexpected attachments

Unsolicited emails with attachments can be a red flag. These attachments can contain malware.

Example: Just after submitting a report, you receive an email from "support[@]techservices[.]com" with an attachment named "invoice_12345[.]zip". Since you didn’t request any services, this unsolicited attachment raises suspicion.

8. Too good to be true offers

Be wary of offers that seem too good to be true, such as winning a lottery you never entered.

Example: You receive an email from "reward[@]employeeappreciation[.]com" claiming you've won a $1000 gift card for outstanding performance. The catch? You need to provide your credit card information to claim the prize. The offer seems too good to be true and is likely a phishing scam.

9. Inconsistent email formatting

Look out for unusual formatting, including inconsistent fonts, logos, or colors.

Example: An email arrives from "info[@]bankingservice[.]com" with inconsistent fonts, mismatched logos, and colors that don’t align with the official branding you’re used to. These inconsistencies are a telltale sign of a phishing attempt.

10. Spoofed URLs

Hover over links to see the actual URL. Phishing attempts often use URLs that appear legitimate but have minor deviations.

Example: While checking emails, you receive one from "support[@]softwareupdate[.]com" urging you to download the latest update. The link looks like "www[.]update-software[.]com", but when you hover over it, you see the actual URL is "www[.]malicious-site[.]com/update". This spoofed URL is a clear sign of phishing.

11. Unusual requests

Emails requesting unusual actions, like wiring money or purchasing gift cards, are often phishing attempts.

Example: After a long day, you find an email from "manager[@]companyprojects[.]com" asking you to purchase several gift cards for a client meeting and send the codes back. This unusual request, especially coming through email, is a classic phishing scenario.

Being aware of these indicators can help you identify and avoid phishing attempts.

Spear phishing

This is a more targeted form of phishing where the attacker customizes the email based on the recipient’s specific information, making it appear more legitimate. For instance, they might use the recipient's name, position, or other details to create a more convincing message.

Common indicators of a spear phishing attempt

1. Personalization

The email is highly personalized, using your name, job title, or specific details about your role or recent activities.

Example: "Hi [Your Name], I noticed you attended the recent marketing conference. Could you please review this attached presentation for our next meeting?"

2. Contextual relevance

The message is contextually relevant, often referencing recent events, projects, or communications.

Example: "Following up on our meeting last week, please review the attached document."

3. Believable sender

The email appears to come from a colleague, superior, or someone you frequently interact with.

Example: An email that seems to come from your direct manager or a team member you work with regularly.

4. Urgency

The message creates a sense of urgency or importance to prompt quick action without thorough scrutiny.

Example: "Please complete the attached task by the end of the day."

Whaling

A type of spear phishing that targets high-profile individuals within an organization, such as executives or senior managers. The messages are tailored to appeal to their specific roles and responsibilities.

Common indicators of a whaling attempt

1. Targeted at executives

The message is directed at high-profile individuals within the organization, such as executives or senior managers.

Example: An email addressed to the CEO requesting sensitive company information.

2. High-level language

The tone and language are professional, matching the seniority of the target.

Example: "Dear CEO, please review this confidential financial report."

3. Authority appeal

The email often appeals to authority or urgency, leveraging the executive’s decision-making power.

Example: "Immediate action required on the attached executive order."

4. Impersonation of trusted entities

The sender is usually someone within the organization or a trusted partner.

Example: An email that appears to be from a board member or high-profile client.

Smishing and Vishing

Smishing involves phishing through SMS text messages, while vishing involves voice calls. Both methods aim to trick the recipient into providing personal information or transferring funds.

Common indicators of a smishing attempt

1. Unexpected messages

Receiving unsolicited text messages from unknown numbers.

Example: A message from a number you don’t recognize claiming to be your bank.

2. Shortened URLs

The message contains shortened URLs that obscure the true destination.

Example: "Click here to verify your account: bit[.]ly/12345."

3. Urgent language

The message creates a sense of urgency or threat.

Example: "Your account has been compromised. Act now to secure it."

4. Request for personal information

The text asks for personal information like passwords, PINs, or credit card details.

Example: "Verify your identity by providing your Social Security number."

Common indicators of a vishing attempt

1. Unsolicited calls

Receiving unexpected calls from unknown or spoofed numbers.

Example: A call from someone claiming to be your bank, even though the caller ID shows an unfamiliar local number.

2. Urgent requests

The caller creates a sense of urgency, often threatening negative consequences.

Example: "Your account will be locked if you do not verify your identity now."

3. Request for sensitive information

The caller asks for sensitive information such as passwords, account numbers, or Social Security numbers.

Example: "Please provide your PIN to confirm your identity."

4. Impersonation of trusted entities

The caller impersonates a trusted institution or person.

Example: Someone claiming to be from your bank’s fraud department asking for verification details.

Clone Phishing

Attackers create a near-identical replica of a legitimate email previously sent by a trusted entity. They change the attachment or link to a malicious one, hoping the recipient will click on it, believing it to be the original message.

Common indicators of a clone phishing attempt

1. Similar but slightly altered sender address

The email appears to come from a trusted source but the sender’s address is slightly different.

Example: "support[@]paypa1[.]com" instead of "support[@]paypal[.]com."

2. Duplicate email content

The email content is almost identical to a legitimate message you received before but with a malicious link or attachment.

Example: An email that looks exactly like a previous one from your HR department but with a different attachment.

3. Changed links or attachments

The cloned email has links or attachments that lead to malicious websites or files.

Example: An email that previously had a PDF attachment now has a ZIP file.

4. Unexpected follow-up

Receiving a follow-up email for an action you have already completed, prompting you to click on a new link.

Example: "We noticed you didn’t complete the form in our previous email. Please find the updated link here."
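Several of the indicators above are mechanical enough to check automatically in a mail gateway or a triage script: the altered sender address in the email-phishing list ("cmpany" for "company") and the "paypa1" address in the clone-phishing list, the zero-for-o host under "Links to fake websites", and the link whose visible text and real destination differ under "Spoofed URLs". The Python below is an added example written for this page, not Vectra AI's code or any product's. TRUSTED_DOMAINS, the homoglyph map and the sample HTML message are constructed for illustration, and registered_domain() deliberately keeps only the last two labels of a hostname (a real deployment would use the public suffix list so that domains like example.co.uk are handled).

```python
"""Heuristic checks for the lookalike-domain and spoofed-link indicators.

Added example for this page; not Vectra AI's code. The allowlist, homoglyph
map and sample message are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains the organisation and its suppliers really use.
TRUSTED_DOMAINS = {"company.com", "amazon.com", "paypal.com"}

# Digits attackers substitute for the letters they resemble ("amaz0n", "paypa1").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# A bare domain inside link text, e.g. "www.update-software.com".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), small enough to inline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: use the public suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None.

    A host whose registered domain is trusted is fine. Otherwise every label is
    de-homoglyphed and compared with each trusted brand name; a distance of at
    most one (a dropped, added or swapped letter) is reported as a lookalike.
    """
    host = host.lower()
    if registered_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        for token in re.split(r"[.-]", host):
            if token and levenshtein(token.translate(HOMOGLYPHS), brand) <= 1:
                return trusted
    return None


def check_sender(address: str):
    """Email indicator 1 / clone indicator 1: sender domain is a near miss of a trusted one."""
    domain = address.rsplit("@", 1)[-1]
    hit = lookalike_of(domain)
    return [f"sender domain {domain!r} resembles trusted {hit!r}"] if hit else []


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str):
    """Email indicators 5 and 10: link text and real destination disagree, or the destination is a lookalike."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = (urlparse(href).hostname or "").lower()      # where the link actually goes
        shown = DOMAIN_RE.search(text)                      # what the reader is shown, if a domain at all
        if shown and registered_domain(shown.group(0)) != registered_domain(real):
            findings.append(f"link text shows {shown.group(0).lower()!r} but points to {real!r}")
        hit = lookalike_of(real)
        if hit:
            findings.append(f"link host {real!r} resembles trusted {hit!r}")
    return findings


# Constructed sample message: two deceptive links and one genuine one.
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your recent order.</p>
<p><a href="http://www.amaz0n-support.com/verify">www.amazon.com/verify</a></p>
<p><a href="http://www.malicious-site.com/update">www.update-software.com</a></p>
<p><a href="https://mail.company.com/reset">https://mail.company.com/reset</a></p>
"""

if __name__ == "__main__":
    for addr in ("it-support@cmpany.com", "support@paypa1.com", "it-support@company.com"):
        print(addr, check_sender(addr))
    for finding in check_links(SAMPLE_EMAIL_HTML):
        print("link:", finding)
```

Run as a script it reports the two altered sender domains, passes the genuine company.com address, and flags three problems in the sample message (the amazon lookalike host, its mismatched link text, and the update-software link that really points to malicious-site.com) while leaving the mail.company.com link alone. The edit-distance threshold of one is deliberately tight; widening it catches more variants at the cost of false positives on unrelated short words, so tune it against your own mail before relying on it for blocking.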

Why do hackers use phishing techniques?

Hackers use phishing techniques because they exploit human vulnerabilities rather than technological weaknesses. Phishing relies on social engineering, manipulating individuals into divulging sensitive information or performing actions that compromise security. Unlike traditional hacking, which often requires significant technical skill to breach systems directly, phishing can be executed with relatively low effort. By creating deceptive messages that appear legitimate, hackers can trick individuals into providing passwords, credit card numbers, or other personal information. This method is highly effective because it bypasses many technical security measures, targeting the human element instead.

Moreover, phishing is scalable and adaptable, making it a versatile tool for hackers. They can easily send out thousands of phishing emails or messages with minimal cost and effort, significantly increasing the chances of success. As cyber defenses improve, hackers continuously evolve their phishing tactics to appear more credible and sophisticated. They tailor their attacks to specific individuals or organizations (spear phishing and whaling), increasing the likelihood of success. The widespread availability of personal information on social media and other platforms aids hackers in crafting convincing, personalized phishing attempts. This adaptability and reach make phishing a persistent and dangerous threat in the cybersecurity landscape.

Example of an attack that started with phishing

The image below illustrates a simulated spear phishing attack where the attacker initially targets an employee on LinkedIn to gather information and uses WhatsApp to bypass security, compromising a corporate laptop.

The attacker then navigates through Zero Trust Network Architecture (ZTNA), pivoting to the data center using a remote command service, and installs Command and Control (C2) for persistent access to conduct reconnaissance.

The attacker steals admin credentials from the server and uses them to move laterally, gaining access to other servers.

Throughout this process, Vectra AI detects various suspicious activities, including hidden HTTPS tunnels, file share enumeration, port sweeps, and privileged access anomalies. Analyst guidance suggests leveraging aggregated data from investigations, examining log data for deeper insights, and locking down infected accounts to stop the attack.

FAQs

What is phishing?

What are the common signs of a phishing email?

Can anti-phishing tools completely prevent phishing attacks?

How do phishing attacks impact organizations?

How can machine learning and AI help in combating phishing?

How do phishing attacks work?

How can individuals and organizations protect against phishing?

What steps should be taken if you suspect you've fallen victim to a phishing attack?

What are spear phishing and whaling?

What are the future trends in phishing attacks?