Battling with the Grifters – phishing insights that you need to know


Phishing insights can be obtained by viewing the widespread and costly phenomenon of phishing as a field of battle. After all, if we look at the language used when talking about phishing — attackers, invaders, adversaries, weapons, intelligence — we know we are in a war of some sort. From our day-to-day experience and the stories we read in the technology and popular press, we sense that the battle is intensifying and the enemy is becoming more skilled and sinister.

Research data confirms our observations: three-quarters of companies report experiencing a phishing attack over the most recent 12-month period. This figure comes from studies released in 2021 by two leading security solutions companies: Proofpoint’s State of the Phish and Ivanti’s 9 Must Know Phishing Attack Trends. The Proofpoint study found that 57% of these attacks were successful, and 80% of the IT professionals responding to the Ivanti survey reported an increase in the number of phishing attempts in the last year. Another indicator of the extent of the problem is detailed in Verizon’s 2021 Data Breach Investigations Report, which revealed that phishing was present in 36% of the data breaches in its dataset, up from 25% the year before.

The other lens through which we can gain phishing insights is that of the confidence game. Within the world of phishers, as with con artists, there are marks, plays, and tales along with short cons and long cons, each with their particular tactics and techniques.

This post will examine the following:

  • How do we define phishing and what are the categories of phishing?
  • What types of cyberattacks are predicated upon phishing attacks?
  • What is the psychology of the confidence game, and how does it relate to phishing?
  • What are the human factor defenses companies should develop?
  • What technology defenses should a company deploy?

To begin, a definition of phishing and its varieties is provided.

Phishing Insights – Defining Phishing

Phishing is a type of attack that uses social engineering tactics. The information security services provider Social-Engineer defines social engineering as “Any act that influences a person to take an action that may or may not be in their best interest.” The threat actor poses as a trusted individual and uses a blend of science, psychology, and art to entice the target into taking the desired action. The action can take many forms, including:

  • opening a malicious link or attachment containing malware
  • sharing personal data such as user names and passwords, credit card information
  • divulging information about a company or its computer systems
  • authorizing the transfer of funds

Phishing

Phishing generally refers to malicious email campaigns that cast a wide net. These bulk email campaigns appear to originate from recognizable organizations such as social media web sites, financial services companies, auction sites, or IT organizations to bait the unsuspecting target. Often, a sense of urgency will be created by revealing that an account has been compromised, which requires an immediate response. This is the most prevalent form of cyberattack as sophisticated tools or expertise are not needed.

Sometimes the information divulged by the recipient is used to impersonate the victim and apply for credit cards or loans, open bank accounts, and other fraudulent activities. In the business setting, adversaries will often use the information collected to start a more targeted and complex intrusion called spear phishing.

Spear Phishing

Spear phishing is a more sophisticated form of phishing targeting a specific individual, group, or organization. Cybercriminals use intelligence collected from earlier phishing campaigns along with information mined through online research of corporate web sites and social media and purchased from the Dark Web to develop tailored messages. These messages can appear to come from individuals or entities known to the recipient and show some level of knowledge of organizational structure to enhance the credibility and trustworthiness of the message. This level of detail also serves to fool spam detection defenses into allowing these messages through.

Pretexting is the process of inventing a convincing story or scenario that achieves the social engineering goal of getting the target to take an action that is not in the person’s best interest. The adversary’s objective is to develop your trust. To tap into our natural inclination to respect authority, scammers frequently build their pretext scenarios around authoritative personas such as banking officials, tax authorities, legal representatives, and law enforcement to prompt quick action without proper consideration.

Spear phishing campaigns play an integral role in many types of cyberattacks including ransomware, business email compromise (BEC), advanced persistent threats (APT), and cryptojacking.

Whaling is the term used to describe a spear phishing attack designed to snare high-profile employees such as C-suite executives. These attacks take the deception to a higher level by also using the ordinary business language and terminology of the target’s industry. To play on the concerns of business leadership, cybercriminals will often portray a risk to business reputation due to a legal matter if the target does not act quickly.

Vishing and Smishing

Vishing, or voice phishing, uses phishing tactics through robocalling and voice mail to prompt a response to restore an account or update software by supplying social security or credit card numbers. Smishing, or SMS phishing, takes advantage of the higher read and reply rates of text messages.

Clone Phishing

With clone phishing, the attacker will use an actual email that has been sent by an organization, but will spoof the address field and change the link so that the recipient is directed to a fraudulent website.

Types of Cyberattacks Relying on Spear Phishing

A description of the popular attack types that use spear phishing as an attack vector follows.

Business Email Compromise (BEC)

The goal of most BEC attacks is to get a target to wire money to a fraudulent account. To accomplish this objective, the adversary must find targets that have the authority to make such transactions as well as acquire knowledge of how company payment processes work. This intelligence gathering process is initiated through a spear phishing campaign and is often combined with malware programs to penetrate a company’s network.

Spoofing is one of the schemes deployed in a BEC attack. Spoofing uses a fraudulent sender address, most commonly through display name or domain name techniques. With display name spoofing, the message appears to come from someone known to the user even though the actual sender is not the person shown in the display name. With domain name spoofing, the attacker slightly alters a legitimate domain name in the email address in a way that is easily missed by casual readers.
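As an added illustration of the two spoofing techniques described above (example code, not from the original article): a Python check that flags a From: header whose display name carries an address different from the real sender, and a sender domain within two edits of a trusted one. The trusted-domain set and the sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed example: domains this organization treats as trusted senders.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance marks a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header: str) -> list[str]:
    """Return the spoofing indicators found in an RFC 5322 From: value."""
    findings = []
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()

    # Display-name spoofing: the name shown embeds an address or domain
    # that differs from the address the mail was actually sent from.
    m = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if m and m.group(1).lower() != domain:
        findings.append(f"display name claims {m.group(1)} but sender is {domain}")

    # Domain-name spoofing: a domain one or two edits away from a trusted one
    # (e.g. a digit 1 in place of the letter l).
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            d = edit_distance(domain, trusted)
            if 0 < d <= 2:
                findings.append(f"{domain} is {d} edit(s) from trusted {trusted}")
    return findings


if __name__ == "__main__":
    for hdr in ('"Jane Doe" <jane.doe@example.com>',
                '"ceo@example.com" <random123@gmail.com>',
                "Accounts <billing@examp1e.com>"):
        print(hdr, "->", check_from_header(hdr) or "no indicators")
```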

BEC schemes go by many names, including CEO Fraud (the impersonation of a CEO to get an employee to wire transfer funds), Vendor Email Compromise (the use of a vendor’s email to submit a fraudulent invoice), and Email Account Compromise (use of an employee’s email account to request funds transfers from vendors).

The most recent FBI report on Business Email Compromise puts the price tag of business email compromise at $26 billion. These figures understate the true cost as these numbers reflect only self-reported occurrences. BEC incidents can be reported to the FBI at the Internet Computer Crime Center (IC3) web site.

Advanced Persistent Threats (APT)

While the payoff for most BEC incursions is money, the yield from an APT scheme is sensitive information. Because it is transaction oriented, the BEC attack is of limited duration. With an APT attack, however, the intruders are looking to enable a long-term foothold in a network, flying under the radar for as long as possible and clandestinely looting a variety of classes of information including:

  • Intellectual property (trade secrets, patents, and industrial designs)
  • Customer, vendor, and employee information
  • Financial data
  • State secrets and classified information

Because of the nature of the attacks and the significant investment needed to plan, execute, and sustain a successful APT attack, APT threat actors usually select larger enterprises and government agencies as their marks. However, small and medium business partners who are suppliers to larger companies are sometimes targeted with phishing campaigns to develop background intelligence, including the network access processes of the larger entities.

Cryptojacking

Cryptojacking occurs when a phishing email contains a malicious link that allows attackers to hijack the computing resources of their victims’ machines. The attackers use these resources to mine cryptocurrencies without the user knowing it is happening, degrading computer and server performance.

Confidence Game Psychology

Phishing insights from psychology are derived from the fact that we are hardwired to fall for scams. To understand the high success rates of phishing swindles year after year, you must begin with the psychology behind any con. Anna Konnikova outlines these principles in her book, “The Confidence Game: Why We Fall for It…Every Time.” There are three topics in her book that are particularly relevant to the success of phishing scams:

  • The Trust Factor
  • Intense Attentional Focus
  • The Whirlwind of Technology

These three elements largely explain why, despite all the investment in training and technology, we continue to fall victim to phishing exploits.

The Trust Factor

Konnikova explains in the chapter titled The Grifter and the Mark, “The simple truth is that most people aren’t out to get you. We are so bad at spotting deception because it’s better for us to be more trusting. Trust, and not adeptness at spotting deception, is the more evolutionary beneficial path. People are trusting by nature. We have to be.” Trust is the cornerstone of any successful business and, more broadly, any economic system. Here you can see why attackers invest in pretexting, spoofing, and developing intelligence on companies to tap the trusting inclination of the phishing email recipient.

Commenting on trust, Konnikova writes, “The same thing that can underlie success can also make you all the more vulnerable to the grifter’s ware.” Here we see that the ongoing success of adversaries with whaling swindles stems from the fact that the same trusting instincts that have contributed to the success of C-suite executives also make them among the most vulnerable of targets.

Intense Attentional Focus

Emotion is the next core element of the scam artist’s tool kit, used to make us think less clearly in the moment. Konnikova writes, “In one sense, it matters little what we’re actually feeling: any emotional arousal will cloud our judgement to some extent. It makes us unthinking and it makes us malleable…Arousal can compel us to act against our long-term interests – because, in the immediate term, we suddenly can’t tell the difference.”

This factor explains why phishing campaigns often involve reputational issues. When a matter of public perception is threatened, such as an alleged legal or financial impropriety involving oneself or one’s company, the emotional arousal of our self-defense mechanism is all that is needed to trigger the intense attentional focus that causes a company leader to momentarily suspend critical judgement. In the current environment, the fears and anxiety related to Covid-19 are what make this topic so prevalent as a means of momentarily clouding an email recipient’s judgement.

The Whirlwind of Technology

In our technological age, one might think that we would be smarter about these matters and technology could squelch these campaigns. But the opposite is true. Konnikova explains, “If anything, the whirlwind advance of technology heralds a new golden age of grift…Transition is the confidence game’s great ally, because transition breeds uncertainty. There’s nothing a con artist likes better than exploiting the sense of unease we feel when it appears that the world we know is about to change.”

Konnikova includes a revealing quote in her book from the real-life con Frank Abagnale, who was portrayed in the popular movie, “Catch Me If You Can”: “What I did fifty years ago as a teenage boy is four thousand times easier to do today because of technology. Technology breeds crime. It always has and always will.”

Human Factor Defenses

Businesses can combat phishing scams through employee education by employing security awareness training companies. These programs focus on strategies and tactics used by threat actors, the potential costs of successful attacks and case studies, threat intelligence giving users insights into the latest ploys of attackers, and techniques for handling email messages. Security experts stress the importance of not giving the executive team a pass on these sessions with their known vulnerability to attacks. Security professionals also recommend making awareness training a mandatory element of the new hire onboarding processes.

Most of these programs include phishing simulation software that will better prepare end users for future phishing attacks. Deceptive emails are sent to your employees to measure their likely response to a phishing campaign.

Microsoft has developed some telltale signs to look for that indicate a phishing effort including:

  • An urgent call to action or threats
  • First time or infrequent senders
  • Spelling and bad grammar
  • Generic greetings
  • Suspicious links or unexpected attachments
  • Mismatched email domains

Some other human element rules that should be observed are:

  • If you can’t verify the sender, don’t click on links.
  • Companies will not ask you to share personal information by email, so never do it.
  • Only open attachments if you are expecting them and know the sender.
  • Create complex passwords and rotate them regularly.
  • Immediately report phishing incidents according to company policy.

Technology Defenses

Since we know that phishing scams will succeed no matter the level of employee, company size, or industry segment, failure to take all reasonable precautions is inviting monetary, data, operational and reputation setbacks. Steps your company can take from a technology perspective to increase the likelihood of repelling phishing attacks before they reach your employees and contain the impact when they do include:

  • Deploy a secure email gateway, which scans all incoming and outgoing email for malicious attachments, URLs, and domain names and provides email traffic reporting to spot threats.
  • Implement the Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocol to ensure that messages have actually been sent by the domain appearing in the message.
  • Communicate a clear incident response policy to mitigate damage from successful attacks.
  • Keep your operating systems, applications, and anti-virus software updated and patched to minimize your company’s vulnerability to malware.
  • Use a rapid and reliable data back-up system.

Phishing Insights – Conclusion

With the costs being so high and the foe so formidable, companies looking to protect their people, reputation, bottom line, and long-term business resiliency are obligated to develop the human factor skills in their organization, continuously update existing IT systems, and deploy new technologies that are being developed to foil these scams.

Through training, simulations, and updates on new threat tactics, companies have the best chance of changing user behavior by continuously reinforcing the necessary skepticism about email and causing users to pause in the moment rather than acting. By investing in the latest technologies that employ AI and machine learning and data backup systems and services, companies will be best prepared to anticipate threats and contain the damage from the breaches that are bound to occur.
