Attackers have been “phishing” for over two decades, but they have evolved their techniques to continue tricking individuals and organizations alike.
Whenever you see the word “cyber-attack,” there’s a strong possibility the word “phishing” follows. Social engineering attacks can take a variety of forms, but phishing, a form of fraud in which a cybercriminal pretends to be a real entity or person in order to target a victim, is one of the most common and well-known cybercrimes. The first phishing attempts can be traced back to the early days of AOL, but this form of attack has evolved, and it is more sophisticated and trickier than ever.
There are a variety of phishing tactics, but these are some of the key methods attackers have utilized in the past few years:
Malicious links
You’ve heard of hackers targeting users and companies with malicious email attachments, but malicious links are on the rise. This past February, a security researcher at content delivery network Akamai was met with a new kind of phishing approach: one that attempted to use Google Translate links to hide its own shady links.
According to ZDNet, one in 61 emails delivered to corporate inboxes contains a malicious link. These emails can be difficult to spot, however, as many of them appear to be legitimate and come from colleagues or reputable companies. As a result, a victim might enter sensitive information into a fake version of a real service and give up their passwords and other data in the process.
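As an added example (not from the original article or from Akamai), this Python code shows how a mail filter could unwrap a translation-service link like the ones described above and judge the destination it hides. It assumes the wrapped page is carried in the `u` query parameter of a translate.google.com link; the function names, trusted-domain set and sample links are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the wrapped page travels in the "u" query parameter of a
# translate.google.com link; host set and depth limit are illustrative.
TRANSLATE_HOSTS = {"translate.google.com"}
MAX_DEPTH = 3

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def unwrap(url):
    """Peel translation wrappers and return the wrapped destination URL."""
    for _ in range(MAX_DEPTH):
        if host_of(url) not in TRANSLATE_HOSTS:
            break
        inner = parse_qs(urlsplit(url).query).get("u")
        if not inner:
            break
        url = inner[0]
    return url

def is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def review_links(links, trusted):
    """Return (link, real_host, verdict) for each link in a message."""
    findings = []
    for link in links:
        real = unwrap(link)
        real_host = host_of(real)
        if real == link:
            verdict = "direct"
        elif is_trusted(real_host, trusted):
            verdict = "wrapped, destination trusted"
        else:
            verdict = "suspicious: wrapper hides untrusted host"
        findings.append((link, real_host, verdict))
    return findings

# Constructed sample links; the .example names are placeholders, not IoCs.
SAMPLE_LINKS = [
    "https://translate.google.com/translate?sl=auto&tl=en&u=https%3A%2F%2Flogin.phish.example%2Fsignin",
    "https://translate.google.com/translate?sl=fr&tl=en&u=https://docs.corp.example/handbook",
    "https://docs.corp.example/handbook",
]

if __name__ == "__main__":
    print(*review_links(SAMPLE_LINKS, {"corp.example"}), sep="\n")
```

A wrapper that is still a translation link after `MAX_DEPTH` rounds is reported as suspicious, because its final host is the translation service rather than a trusted domain.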
Malicious browser extensions
Another way cybercriminals are sneakily targeting their victims is through seemingly legitimate browser extensions. Browser extensions are “enhancements” to the browser that, when built by reputable companies, make your browsing experience easier and more pleasant. For example, Adobe’s PDF reader browser extension lets you view PDF files on a website right in your browser.
While many malicious browser extensions are found on third-party sites, they also show up in official stores. Last year, attackers infected over 100,000 computers with browser extensions within a few months. Login credentials were stolen, and cryptocurrencies were mined without authorization. The attackers also engaged in click fraud, or the act of repeatedly clicking on a website to gain revenue.
Compromised websites
While anti-phishing solutions are capable of detecting suspicious domains, attackers are evading these defenses by hosting their malicious phishing pages on compromised websites. Once a visitor lands on what they believe to be a legitimate site, they are tricked into downloading malicious browser extensions or clicking on links that install “snoopware” in the browser’s memory. These attacks are well-known among security teams, but because bad actors often shut down their phishing pages within hours, the sites are difficult to detect.
Spear phishing: enterprise edition
Anyone anywhere can be the victim of a phishing attack, but more attackers are taking aim at particular individuals and organizations rather than a wide range of users. This technique is commonly referred to as “spear phishing.”
Like other phishing emails, spear phishing messages appear to be from a trusted source. Rather than making the messages appear to come from a widely known company, however, hackers disguise them as messages from trusted individuals within the recipient’s company or its network of vendors, customers, or other close relationships. In other words, the victim will open the message believing it’s from a friend or colleague.
Here are some of the spear phishing tactics cybercriminals are using to target enterprises:
Enterprise Credential Phishing. Employees are sent to a phishing site that mimics their corporate webmail. They enter their login credentials and the bad actors then carry out phishing and other social engineering attacks using the compromised accounts.
Business Email Compromise. In this method, hackers spoof an email from a CEO or other high-level executive. The ask is usually related to login credentials or money. To deter employees from checking to see if the message is legitimate, it will appear to come from a mobile device and might include a request to not be disturbed.
Clone Phishing. As its name suggests, a legitimate email is “cloned” and revised to include a malicious link or attachment.
Whaling. This tactic takes spear phishing a step further by targeting the top executives at a company. Typically, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker.
Combating phishing attacks through AI
Phishing and other social engineering attacks rely on the fact that humans are a vulnerable variable in security. That’s why more cybersecurity experts are looking to artificial intelligence—and specifically machine learning—to help stop future cyber-attacks.
Machine learning is not one particular kind of technology or technique, but rather a powerful tool for analyzing data to iteratively identify patterns and anomalies. Once a machine learning-enabled platform “learns” what a phishing attempt looks like, it can detect these kinds of attempts much faster than a human can. A number of companies, including Google, have used machine learning technology to block phishing messages with great success.
While AI is incredibly powerful, no one technology is capable of preventing phishing altogether. That’s why it’s vital that company owners and executives also inform their employees about the signs of phishing and other cyber-attacks, as well as teach strategies to avoid them.