According to CISCO’s 2021 Report on Cybersecurity Threats, 90% of data leaks have a phishing attack for origin. Similarly, studies have found that phishing is the initial attack vector in 80% of ransomware attacks.
In order to teach your teams about these threats, you probably run a cybersecurity awareness program. Yet your teams get confused between phishing, spear-phishing, whaling, vishing…? We’re here to help!
This article will present each of the types of phishing that can be found in the wild 😉
Principle: Basic phishing is a classic attack vector in a great number of cyberattacks. It consists of a message received by email, often sent to a wide number of accounts and without (or with limited) personalization elements and social engineering techniques
Goal: The hackers’ goal is to convince the target to accomplish an action that serves their goals: downloading a file and opening it, filling in credentials, opening an attachment… all with the purpose of launching a cyberattack (data leak, ransomware, BEC…). Phishing is used in the initial access phase of a cyberattack:
Example: It’s a fraud vector that’s as old as the internet (phishing techniques are described as early as 1987) and for which one can highlight an attack against online payments systems in 2001 in the wake of the 9/11 attacks, under the pretext of a “security check”.
That attack is characteristic of basic phishing: using an even (9/11), hackers sent the same mail to a very wide number of accounts hoping some would fall for it.
Banking fraud phishing (where hackers try to obtain banking credentials) is still massively committed today.
Another example to illustrate? A simple (fake) Amazon gift card:
Principle: Spear-phishing is a more sophisticated form of phishing, one that is more targeted and personalized. Thanks to its higher degree of personalization and targeting, it can more easily bypass anti-spam filters.
Personalization and targeting are based on information collected during the reconnaissance phase and thanks to OSINT, ie. publicly available information.
Hackers are going to:
Example: The degree of personalization can vary but these attacks often combien multiple social engineering tricks in order to increase their effectiveness. As an example, this spear-phishing spoofing the company’s password management tool and using the company’s IT Director’s name illustrates what spear-phishing can look like
Spear-phishing is becoming the main attack vector because its targeting greatly increases its effectiveness compared to phishing.
Principle: Whaling is a type of spear-phishing attack that is even more personalized. It targets specific individuals in a company, often those with significant responsibilities such as C-level executives.
Some groups of Initial Access Brokers, whose focus is on obtaining credentials and access to IT systems in order to sell them to other groups who will conduct cyberattacks, will progressively engage conversation with specific targets using fake LinkedIn profiles in order to succeed in their attacks.
Example: The Business Email Compromise attack that targeted Pathe (a French movie producer) in 2018: the CEO and CFO of the Netherlands branch were targeted in a whaling attack that faked communication from the company’s CEO.
Principle: SMiSishing (SMS + phishing) is a type of phishing deployed via text-message
Goal: This kind of attack has advantages for hackers because it can free them from having to bypass antispam filters. It can also increase deliverability (SMS are often more read than emails) and some verification elements (such as the destination URL of links) can be harder to read and analyze on a mobile screen.
Example: Smishing can be used to obtain one-time codes sent via text message for connections requiring multi-factor authentication. In this scenario, hackers initiate a connection attempt and then send a smishing text in order to convince the target to reply with the code received following the attempt:
Researchers who tested multiple types of smishing messages for this purpose reached a success rate (code sent by the target allowing the hackers to connect) of close to 50%.
Principle: Vishing (Voice + phishing) is a phishing operated via a phone call.
Goal: In this format, the target will speak to a hacker (potentially using voice-modifying tools). This kind of attack can have two goals: either it’s the initial attack vector, serving the same goals as any phishing attack (securing credentials or payment of a fake invoice for example).
Or it can be used in parallel with a spear-phishing or whaling attack in order to lend credibility to it: for example, a fake email from the CEO with a document to review as soon as possible (in fact, a malware attachment) can be accompanied by a vishing attack that will underscore the urgency of the situation in order to increase the likelihood the target will open the file.
Example: In a 2020 vishing attack, hackers passed for Twitter’s “IT teams”. By calling Twitter employees about issues with their computers, they were able to obtain credentials that then enabled them to contact targets with higher privileges (privilege escalation).
Once they had admin access, they were able to access customers accounts and post a crypto-currency fraud message like this one on ex-president Barack Obama’s Twitter:
“I am giving back to my community due to Covid-19! All Bitcoin sent to my address below will be sent back doubled. If you send $1,000, I will send back $2,000! Only doing this for the next 30 minutes! Enjoy”
Principle: Angler phishing is a new kind of phishing targeting users’ social media accounts. Hackers impersonate customer support agents working on those networks in order to obtain information and credentials from their targets.
Goal: The majority of angler phishing attacks target banking firm by noticing the public messages of customers complaining on Twitter or Facebook and using those messages as a pretext to contact the targets.
If the targets do not realize that the person they’re speaking to isn’t a legitimate customers service rep, they are likely to follow the instructions they’re given like for example clicking a link to access a so-called video chat (in fact, downloading malware).
This kind of attack isn’t to be disregarded in a professional environment because the line between personal and professional use of IT equipment is increasingly blurred, a tendency that has accelerated with the increase in remote work.
Want to know more about Mantra’s best practices regarding teaching and training your teams in order to detect and protect against these attacks? Click here to contact us
What are the differences between the ISO 2007 and SOC2 standards? And which one is right for your company?
What are SPF, DKIM and DMARC? How do they contribute to setting up protection against phishing attacks and how can you set them up for your company domain?