Because of better phishing awareness training and the general worry surrounding the threat of a successful phishing campaign, many employees have become aware of the anatomy of a phishing attack. This puts businesses in a better position to avoid phishing lures and keep their sensitive information secure. However, it cannot be overstated how frequently malicious actors change their strategies for these attacks and send a user a phishing email they weren't expecting, so we want to highlight the four key ways malicious actors craft their phishing lures.
The phishing attacks most people are already aware of are the low-effort, high-volume variety. These campaigns focus on sending out an extremely high number of emails to play the numbers game. Even though the email is riddled with spelling errors and poor grammar, all it takes is one person to click the link for the attack to be successful. More often than not, these attacks are not a threat to businesses because employees can easily identify and report them, but this kind of phishing email could slip through if coupled with another attack strategy.
An Urgent Need
In general, malicious actors don’t want users to look at their email very long. The goal is for the email to arrive in the victim’s inbox and have them click it immediately. To achieve this, malicious actors will make their emails look as urgent as possible, so a small business employee will get caught in the moment and click before they think. Hackers will craft their malicious attachments to look like invoices, purchase orders, files from company executives, security alerts, and password reset requests in order to alarm the user. This trick is at its most dangerous when paired with other attack strategies because a convincing enough email with the right level of urgency means a successful attack.
Phishing Attacks Imitate Trusted Sites
An extremely common phishing attack strategy used by malicious actors is to spoof, or imitate, a service that their target is likely familiar with. This takes advantage of workflows for employees that involve Google, Microsoft, and any other service that they would regularly receive emails from. Hackers will craft their email to look just like an email from a trusted source, hoping their targets don’t inspect the email. Often, a malicious email will be disguised as a security threat from Gmail or Microsoft in order to capitalize on both mimicry and urgency to get a user to click a malicious link.
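As an added illustration of the urgency and imitation lures described in the two sections above (example code written for this page, not Robinett Consulting's tooling): a small Python heuristic that flags mail whose From display name claims a trusted brand while the sender domain is outside an assumed allowlist, and counts the pressure phrases the post lists. The brand-to-domain map, the phrase list and the sample messages are constructed assumptions, not a substitute for a mail gateway.

```python
"""Score an inbound message for two lure traits: brand impersonation in the
From display name, and urgency language in the subject or body.
Heuristic only; the allowlist and phrases below are constructed assumptions."""
from email import message_from_string
from email.utils import parseaddr

# Brands the post names as commonly imitated, mapped to domains assumed to
# be legitimate senders for them (assumption: an allowlist you maintain).
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com", "gmail.com"},
    "gmail": {"google.com", "gmail.com"},
}

# Pressure phrases drawn from the lure types the post lists.
URGENCY_PHRASES = ("immediately", "password reset", "security alert",
                   "invoice", "purchase order", "account suspended", "urgent")


def _domain_allowed(domain: str, allowed: set) -> bool:
    """True if domain is an allowlisted domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def score_message(raw: str) -> dict:
    """Return {'score': 0..2, 'reasons': [...]} for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Imitation check: display name claims a brand, sender domain does not match.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not _domain_allowed(domain, allowed):
            reasons.append(f"display name claims {brand} but sender is {domain}")
            break
    # Urgency check: count pressure phrases in subject plus body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample: a lure combining both traits.
SAMPLE_LURE = ("From: Microsoft Security <alerts@m1crosoft-support.example>\n"
               "Subject: Security alert: reset your password immediately\n\n"
               "Sign in now or your account will be locked.\n")

if __name__ == "__main__":
    print(score_message(SAMPLE_LURE))
```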
Novel and Complex Phishing Tricks
The most dangerous phishing attack strategies are the ones businesses have the least amount of time to prepare for. Hackers will sometimes find novel and interesting ways to mask their phishing attack that employees may not be prepared for. A prime example of this is the browser-in-the-browser attack, which creates a fake sign-in window inside of a malicious webpage. This fake window is crafted to look identical to an actual login screen, and it is extremely difficult to identify it as a phishing attack. Businesses need to stay on top of cybersecurity news or consult with security experts in order to know what novel threats may be out there, because sometimes they are just that convincing.
Phishing awareness is rising, but employees and business owners should never become complacent with their phishing training, because anything you know, the malicious actors know too. Hackers will always try to catch users off guard and subvert expectations so that they can get an attack through. These four attack strategies will be mixed and matched to craft a convincing phishing campaign, and it only takes one successful attack to infect a network. In this ever-changing cybersecurity landscape, we here at Robinett Consulting want to help keep you informed and prepared to combat cyberthreats, so we encourage you to read more of our blog and reach out to us for more cybersecurity information.