Phishing refers to fraudulent emails that operate by establishing trust between the sender and recipient in order to obtain funds, access to restricted environments, or sensitive data including login credentials and company details. Phishing can take a number of forms, with various objectives depending on the attacker’s motivations and the specific target. However the phishing attack is executed, the common thread is that of a message attempting to trick the victim into taking the bait.
Phishing continues to rank as the most prevalent email threat faced by organisations, constituting 71 per cent of attacks in 2022. The FBI’s Internet Crime Complaint Center (IC3) registered a staggering 300,497 incidents of phishing attacks in 2022, five times more than the next most common cyber crime.
It is essential for organisations to understand the threat posed by phishing attacks and what to look for in order to guard against them.
The Three Most Common Email Phishing Attacks
Credential Phishing
This is the simplest and most widespread form of phishing. By posing as a legitimate sender, threat actors trick unsuspecting users into handing over the login credentials and personal information that protect accounts such as online banking, email, employer networks, social media, or ecommerce profiles.
Within a corporate setting, a phishing email aimed at intercepting and accessing Microsoft 365 credentials might feature an apparently legitimate but fraudulent link leading to a malicious website that mimics the Outlook login portal. Once attack victims input their credentials, the threat actor captures them in plain text, compromising the user’s security.
Spear Phishing
Rather than sending mass emails to random recipients hoping to capture any and all sensitive data or credentials possible, threat actors utilising spear phishing conduct research ahead of their attack and target specific individuals within an organisation, primarily those handling payroll and accounting.
A spear phishing email will typically masquerade as a fellow employee requesting the transfer of funds to a new account, or as an established vendor seeking access to a user’s account. Such emails usually contain substantial information or instructions on how to carry out the threat actor’s request, and because they may appear to originate from legitimate email addresses (the sender may in fact be an internal member of staff whose account has been compromised), they are exceptionally challenging to detect.
Whaling
A whaling attack is one targeted at a high-ranking, senior member of an organisation. Much like spear phishing attacks, in a whaling attack threat actors research their target in order to craft a plausible request (again, for funds, access, or similar) before sending their malicious email.
While a spear phishing attack may narrow its target to members of a particular department or team, a whaling attack focuses on a specific person with much greater seniority, such as a CEO, who, unlike more junior employees, will typically have sufficient clearance to action the threat actor’s request without further approval. This level of authority is often behind the disastrous outcomes of whaling attacks, which, while simple in execution, can give threat actors access to highly classified and potentially costly data and environments.
How Phishing Attacks Work
Phishing attacks rely on social engineering to operate. A blend of identity deception, manipulation and abuse of trust, and potential urgency or deadline pressures, social engineering is adept at pushing email recipients to take actions they would know not to consider if a stranger made the request.
Impersonation of Trusted People and Organisations
The initial malicious email will appear to originate from someone the victim knows and can trust, such as a manager, a senior colleague or an established vendor or brand. Sophisticated attackers are able to gain access to company email domains, and so the sender address may even align with what the recipient expects, making the threat all the more difficult to identify.
Abuse of Trusted Relationships
Phishing attackers also make use of trusted personas to make requests of victims that would otherwise arouse suspicion. A common technique is to masquerade as a user’s CFO or Head of Finance and request an immediate, urgent payment be made. In the absence of anything which sets off obvious red flags (after all, the sender address, signature, and URL to which the user is being directed may look legitimate) the victim is likely to perform the requested action.
Pressure and Urgency
Under time pressure, victims are least likely to vet their inbound emails thoroughly, and when presented with a request and no time to escalate it for review, people may skip their usual steps of evaluation. Phishing attackers are aware of this and keep the pressure on victims accordingly. In this context, requests from “senior management” for urgent payment, or for immediate access to secure environments, are easily missed when sent from domains that look familiar.
The Impact of Phishing Attacks
There were a reported 300,497 successful phishing attacks throughout 2022, and since 2019 phishing has been the most prevalent type of cyber attack, with victim losses of more than $52 million in 2022 alone. Abnormal Security notes that, of all the email attacks it intercepts and stops, 71 per cent are classified as credential phishing, often the initial attack that precedes further criminality via compromised email accounts. Concerningly, while credential phishing is not necessarily a sophisticated attack, once threat actors gain access to a secure digital environment their access is as broad as that of the user who fell victim. This is particularly troublesome when the same credentials are reused across multiple sites and environments, as is often the case.
Why Are Phishing Attacks Successful?
Since 2018 the number of successfully executed phishing attacks has exploded by 1039 per cent. This shows just how successful phishing attackers are becoming at convincing their victims to carry out their requests, and because the majority of phishing attacks rely primarily on social engineering rather than on specific cyber criminal technologies, legacy security solutions are increasingly ineffective at guarding against them.
Contemporary Phishing Attacks Are Created with SEGs in Mind
A SEG, or secure email gateway, is a traditional form of email security that operates by identifying known bad characteristics of incoming emails and flagging or blocking them accordingly. Suspicious links, a bad sender or domain reputation, and malicious attachments are likely to be blocked by a SEG. In the case of socially engineered attacks, however, these clear indicators are absent, and SEGs are often unable to identify the threat.
Security Awareness Training Considers Only One Aspect of Email Threats
While security awareness training is vital within a corporate environment, the guidance given to users to guard against email attacks is, in the case of phishing, becoming increasingly outdated. Although an employee may know not to download suspicious attachments from unknown senders or click on links which look potentially malicious, it is becoming more difficult than ever to advise users that they must remain vigilant of communications coming from colleagues or long-standing trusted vendors.
In light of this, more and more organisations are opting to deploy email security solutions with built-in machine learning. Rather than attempting to identify known bad factors within incoming communications in the way that a SEG might, these solutions categorise emails as safe by looking for known good factors: a mixture of location data, established linguistic patterns, and device intelligence is used to validate that a sender (regardless of how legitimate they might appear to a user) is exactly who they say they are.
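As an added illustration of the contrast drawn in the two passages above (this is not Abnormal Security’s code; the message fields, the sender baseline, the blocklist, the thresholds and the sample messages are all constructed for the example), a SEG-style known-bad check is placed beside a known-good baseline check and both are run over the same inbound mail:

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

BAD_DOMAINS = {"evil-login.example"}  # constructed reputation blocklist
URGENT_WORDS = {"urgent", "immediately", "asap", "today"}

@dataclass
class Message:
    sender: str
    country: str   # geolocation of the sending session
    device: str    # mail client or device fingerprint
    body: str
    links: list = field(default_factory=list)
    attachments: list = field(default_factory=list)

@dataclass
class SenderBaseline:
    countries: set   # where this sender normally sends from
    devices: set     # clients this sender normally uses
    vocabulary: set  # words seen in the sender's past mail

def seg_verdict(msg):
    """SEG-style screening: block only on known-bad indicators."""
    reasons = [f"blocklisted link {u}" for u in msg.links
               if urlparse(u).hostname in BAD_DOMAINS]
    if any(a.lower().endswith((".exe", ".js", ".vbs")) for a in msg.attachments):
        reasons.append("executable attachment")
    return ("block" if reasons else "deliver", reasons)

def baseline_verdict(msg, baseline):
    """Known-good screening: flag deviations from the sender's own profile."""
    words = set(msg.body.lower().replace(",", " ").replace(".", " ").split())
    anomalies = []
    if msg.country not in baseline.countries:
        anomalies.append(f"unusual location {msg.country}")
    if msg.device not in baseline.devices:
        anomalies.append(f"unusual device {msg.device}")
    novel = len(words - baseline.vocabulary) / max(len(words), 1)
    if novel > 0.5:
        anomalies.append(f"{novel:.0%} of wording is new for this sender")
    if words & URGENT_WORDS:
        anomalies.append("urgency language")
    return ("flag" if len(anomalies) >= 2 else "deliver", anomalies)

# Constructed sample data: the CFO's known-good profile and two inbound messages.
CFO_BASELINE = SenderBaseline({"GB"}, {"Outlook-Desktop"},
    {"please", "review", "the", "attached", "q3", "forecast", "thanks"})
NORMAL = Message("cfo@corp.example", "GB", "Outlook-Desktop",
                 "Please review the attached Q3 forecast, thanks.")
BEC = Message("cfo@corp.example", "NG", "Webmail-Mobile",
              "Urgent. Process this wire today, I am in meetings all day.")
```

The BEC message carries no link, no attachment and a genuine internal sender address, so the SEG-style check delivers it; the baseline check flags it on location, device, wording and urgency alone.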
Abnormal Security profiles known good behaviour and analyses over 45,000 signals to detect anomalies that deviate from these baselines. Only Abnormal precisely blocks all socially-engineered and unwanted emails—both internal and external—and detects and remediates compromised accounts.
Find out more about how Abnormal Security uses behavioural AI to profile known good behaviour to detect anomalies and identify socially engineered threats, delivering maximum protection for global enterprises, or request your complimentary Abnormal Security audit.