Be aware of these 20 new phishing techniques
Most of us have received a malicious email at some point in time, but phishing is no longer restricted to only a few platforms. The evolution of technology has given cybercriminals the opportunity to expand their criminal array and orchestrate more sophisticated attacks through various channels. Here are 20 new phishing techniques to be aware of.
20 new phishing techniques
1. Pharming
Pharming tampers with name resolution (for example by poisoning DNS records or a victim's hosts file) so that a legitimate domain name resolves to an IP address controlled by the attacker, redirecting the user to a fake, malicious website rather than the intended one. By entering your login credentials on this site, you are unknowingly handing that sensitive information to the attacker.
2. Smishing
Smishing involves sending text messages that appear to originate from reputable sources. These messages will contain malicious links or urge users to provide sensitive information. To avoid falling victim to this method of phishing, always investigate unfamiliar numbers or the companies mentioned in such messages.
3. Vishing
Vishing is a phishing method wherein phishers attempt to gain access to users’ personal information through phone calls. Phishers can set up Voice over Internet Protocol (VoIP) servers to impersonate credible organizations. The caller might ask users to provide information such as passwords or credit card details. Legitimate institutions such as banks usually urge their clients to never give out sensitive information over the phone.
4. Session hijacking
A session token is a string of data that identifies a user's session in network communications. Hackers use various methods to steal or predict valid session tokens. A captured token can then be presented to the web server to impersonate the user and gain unauthorized access to their session.
5. Content injection
This method of phishing involves changing a portion of the page content on a reliable website. When users click on this misleading content, they are redirected to a malicious page and asked to enter personal information.
6. Web-based delivery
This method is often referred to as a man-in-the-middle attack. During such an attack, the phisher secretly gathers information that is shared between a reliable website and a user during a transaction. This information can then be used by the phisher for personal gain.
7. Low-cost products and services
Some phishers use search engines to direct users to sites that allegedly offer products or services at very low costs. When visiting these sites, users will be urged to enter their credit card details to purchase a product or service. An example of this type of phishing is a fraudulent bank website that offers personal loans at exceptionally low interest rates.
8. Loyalty points phishing scams
More merchants are implementing loyalty programs to gain customers. Unfortunately, the lack of security surrounding loyalty accounts makes them very appealing to fraudsters.
The consumer’s account information is usually obtained through a phishing attack. The phisher is then able to access and drain the account and can also gain access to sensitive data stored in the program, such as credit card details.
9. The Inception bar
Developer James Fisher recently discovered a new exploit in Chrome for mobile that scammers can potentially use to display fake address bars and even include interactive elements. It’s only a proof-of-concept for now, but Fisher explains that this should be seen as a serious security flaw that Chrome users should be made aware of.
10. Contextual scams
Phishers often take advantage of current events to plot contextual scams. Antuit, a data-analysis firm based in Tokyo, discovered a cyberattack that was planned to take advantage of the 2020 Tokyo Olympics. This attack involved fraudulent emails being sent to users and offering free tickets for the 2020 Tokyo Olympics.
11. Display name spoofing
In past years, phishing emails could be quite easily spotted. Though they attempted to impersonate legitimate senders and organizations, their use of incorrect spelling and grammar often gave them away.
Phishers have now evolved and are using more sophisticated methods of tricking the user into mistaking a phishing email for a legitimate one. One of the tactics used to accomplish this is changing the visual display name of an email so it appears to be coming from a legitimate source.
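One way a mail gateway can catch the display name tactic described above is to compare what the display name claims with the address the mail really comes from. This is an added example, not code from the original article; the brand-to-domain table and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Hypothetical brand list for this example: a keyword that may appear in a
# display name, and the sending domains the brand legitimately uses.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "outlook.com"},
}

# Matches an email address embedded in free text and captures its domain.
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_from_header(header_value: str) -> list:
    """Flag a From: header whose display name contradicts its real address.

    Two patterns are checked: a display name that embeds an email address
    on a different domain (e.g. '"ceo@corp.example" <x@free-mail.test>'),
    and a display name that uses a brand keyword while the real sender
    domain is not one the brand uses.
    """
    display_name, address = parseaddr(header_value)
    real_domain = sender_domain(address)
    findings = []

    embedded = ADDRESS_RE.search(display_name)
    if embedded and embedded.group(1).lower() != real_domain:
        findings.append(
            f"display name shows @{embedded.group(1)} but mail is from @{real_domain}"
        )

    lowered = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in lowered and real_domain not in domains:
            findings.append(f"display name claims '{brand}' but sender is @{real_domain}")

    return findings
```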
12. Homoglyphs
Some phishers exploit the visual similarity between character scripts, registering counterfeit domains in which Latin letters are replaced with look-alike Cyrillic characters (a homograph attack). The domain will appear correct to the naked eye and users will be led to believe that it is legitimate.
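The homograph check below is an added example (not code from the original article) of how a defender can screen a domain for the trick just described: it decodes punycode labels, flags labels that mix scripts, and maps a constructed subset of confusable Cyrillic letters back to Latin to see whether the result collides with a trusted domain.

```python
import unicodedata

# Constructed subset of Unicode's confusables data: Cyrillic letters that are
# visually identical to Latin ones, mapped to the Latin letter they imitate.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l",
}


def to_unicode(domain: str) -> str:
    """Decode punycode ('xn--') labels so the form the user sees is inspected."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            labels.append(label.encode("ascii").decode("idna"))
        else:
            labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Script families (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Replace confusable Cyrillic letters with their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def check_domain(domain: str, trusted: set) -> list:
    """Return reasons a domain looks like a homograph of a trusted one."""
    visible = to_unicode(domain)
    findings = []
    for label in visible.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    look_alike = skeleton(visible)
    if look_alike != visible and look_alike in trusted:
        findings.append(f"'{visible}' is a look-alike of trusted '{look_alike}'")
    return findings
```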
13. SaaS phishing
This type of phishing involves stealing login credentials to SaaS sites. Hackers can then gain access to sensitive data that can be used for spearphishing campaigns. According to the APWG Phishing Activity Trends Report for Q1 2019, this category accounted for 36 percent of all phishing attacks recorded in the first quarter, making it the largest single category.
14. Money mule scams
In this phishing method, targets are mostly lured in through social media and promised money if they allow the fraudster to pass money through their bank account.
15. File-hosting applications
Hackers can take advantage of file-hosting and sharing applications, such as Dropbox and Google Drive, by uploading files that contain malicious content or URLs. When these files are shared with the target user, the user will receive a legitimate email via the app’s notification system. The unsuspecting user then opens the file and might unknowingly fall victim to the installation of malware.
16. Sextortion
This form of phishing has a blackmail element to it. Targeted users receive an email wherein the sender claims to possess proof of them engaging in intimate acts. The sender then often demands payment in some form of cryptocurrency to ensure that the alleged evidence doesn’t get released to the target’s friends and family.
17. Romance scams
Scammers take advantage of dating sites and social media to lure unsuspecting targets. They form an online relationship with the target and eventually request some sort of incentive.
18. Immigration scams
This is a vishing scam where the target is contacted by telephone. The phisher pretends to be an official from the department of immigration and leads the target to believe that they must pay an immediate fee to avoid deportation.
19. Prize scams
These scams are executed by informing the target that they have won some sort of prize and need to pay a fee in order to get their prize. The fee will usually be described as a “processing fee” or “delivery charges.”
20. Whaling
This phishing method targets high-profile employees in order to obtain sensitive information about the company’s employees or clients. This phishing technique is exceptionally harmful to organizations. Not only does it cause huge financial loss, but it also damages the targeted brand’s reputation.
Conclusion
The development of phishing attack methods shows no signs of slowing down, and the tactics described above will become more common and more sophisticated with the passage of time.
Fortunately, you can always invest in or undergo user simulation and training as a means to protect your personal credentials from these attacks. In corporations, personnel are often the weakest link when it comes to threats. Simulation will help them get an in-depth perspective on the risks and how to mitigate them.
Sources
- How VoIP Works, HowStuffWorks
- The inception bar: a new phishing method, James H. Fisher
- #1234145: Alert raised over Olympic email scam, brica.de
- Phishing Activity Trends Report, 1st Quarter 2019, APWG