Phishing delivery methods
Phishing comes in all shapes and sizes. As technology evolves, so too do the strategies and tactics of attackers. A threat actor’s methods change to meet their objectives and opportunities.
In this section, we’ll explore the various types of phishing attacks and how they work. Let’s start with the ways in which an attacker can deliver a phishing attack. The technology or communication channel used to deliver the malicious message matters, both for how effective the attack is and for who it reaches.
The term “email phishing” encompasses a broad range of phishing tactics. These vary not only in how they work, but also in whom they target.
For consumers, perhaps the most easily recognizable type is “clone phishing.” This is where an attacker impersonates an existing business in order to extract sensitive information, user account details, or money.
Clone phishing emails are often sent in huge volumes to vast lists of email addresses. While this approach isn’t particularly sophisticated, the emails themselves often are, faithfully replicating the style and language of the brand being impersonated. According to 2022 research from Tessian, the five most commonly impersonated brands in phishing emails are: Microsoft, ADP, Amazon, Adobe Sign, and Zoom.
In the case of high-value targets, an attacker will take a more refined approach. One approach, which we’ll explore later, is “spear phishing,” where an attacker will craft phishing messages intended for small and highly-specific audiences. These audiences can be a single person, or they may include every employee at a given company.
Vishing is a portmanteau of “voice” and “phishing.” This tactic sees an attacker try to social engineer a victim over the phone or a comparable VoIP service, like FaceTime or Skype. The goal is to persuade victims to provide sensitive information, or to perform a specific action, like transferring money or downloading malware.
An attacker may, for example, choose to masquerade as a representative of a well-known company. Or they may impersonate someone known to the victim. This doesn’t merely increase their credibility with the victim — it also allows them to create a sense of urgency.
In one recent case, an attacker impersonated a Newfoundland man and convinced his parents to wire almost $10,000 CAD for bail fees following a fictitious road traffic incident. In this case, authorities suspect the attacker used an AI-generated “deepfake” of the son’s voice.
In a separate 2019 case, an attacker convinced the CEO of a UK-based energy firm to transfer €243,000 to a bank account under their control after impersonating the head of its German parent company. Again, authorities believe the attacker used an AI-generated deepfake to accomplish their goals.
The term “smishing” is a portmanteau of “SMS” and “phishing.” But don’t be fooled. Smishing can occur on other non-SMS messaging platforms like iMessage, WhatsApp, Viber, and others.
As with the other tactics we mentioned, the goal of a smishing campaign is to trick the recipient into sharing information they otherwise wouldn’t, or into performing some other secondary action, like sharing their credit card or banking details, or downloading a piece of malware.
Smishing affects both individual consumers and businesses alike. As with email-based phishing, there are examples of large-scale “spray-and-pray” smishing campaigns, and those intended for smaller audiences.
As Kaspersky notes, smishing can prove highly effective because, while many people are aware of the risk of email-based scams, they may mistakenly believe that SMS and messaging apps are comparatively safe and let their guard down.
Additionally, because text messages are simpler than emails, the attacker doesn’t need to work as hard to mimic the style and appearance of an established brand.
As with email phishing, smishing campaigns can be automated, with messages sent at an incredible velocity. In 2021, UK police arrested an individual responsible for a phishing campaign that sent 26,000 SMS texts in a single day. The messages purported to be from Hermes (now Evri), a European parcel delivery company, and attempted to solicit bank details from the recipients.
According to the Pew Research Center, around 70% of Americans use social media to connect with friends, relatives, and businesses. This makes it an enticing target for threat actors, who seek to exploit a person’s connections for their own purposes.
As the LA Times notes, a common tactic on professional networking site LinkedIn sees attackers publish fake job advertisements. Candidates who respond are then bombarded with an escalating series of requests for personal and financial information.
On platforms that are centered around person-to-person interactions, particularly Facebook, an attacker may create a replica of an individual’s profile and send friend or message requests to their contacts. Under this assumed identity, they will often direct the recipient to external sites, where the attacker will attempt to obtain their login credentials or credit card information.
Another approach used by attackers exploits our innate senses of curiosity and shame. Impersonating a trusted individual, the attacker will send messages that ask: “Is this you?” The message will include a link with a thumbnail that, although small and blurry, obviously depicts an explicit or salacious act.
The recipient, after clicking the link, is taken to a webpage that accurately mimics the login page of a given social network. If they attempt to log in, the attacker will obtain their username and password.
Social media phishing takes many forms. It would be impossible to exhaustively list them here. While platforms strive to protect their users, blocking the accounts of malicious users as soon as they’re detected, the best defense is a constant state of vigilance.
QR codes are a type of barcode used to encode information, like website links, contact information, or text. They provide a convenient way of accessing information or websites without the need to type anything.
But they can be abused in phishing scams. In 2022, the FBI warned consumers to be wary when scanning QR codes following a series of high-profile security incidents. The Bureau highlighted incidents of fake codes on physical restaurant menus and within emails that, when scanned, led to malicious websites.
Across several cities in Texas, including Houston and Austin, scammers placed QR code stickers on parking meters. The codes, when scanned, directed the victim to a website under their control that captured their payment information. It’s not known how many fell victim before the stickers were removed.
Since QR codes don’t include any visible text, a person cannot tell by looking at one whether it links to a legitimate or a malicious website. Email security technologies are often unable to inspect the images to identify potentially harmful links. The only way for an individual to know for certain is to scan the code with their device, which, obviously, presents an element of risk.
The only real safeguard is to exercise extreme vigilance, both when choosing which codes to scan and when the page eventually loads on the phone.
An “evil twin” attack takes advantage of a person’s trusting nature when connecting to a public Wi-Fi hotspot. The attacker creates a fake hotspot that, while appearing to be legitimate, is designed to harm the user by monitoring their traffic and redirecting them to websites under the attacker’s control.
The attacker could, for example, create a fake sign-in portal designed to capture a person’s private information or credentials. Or they could intercept requests for legitimate websites and send the victim to a facsimile that, although appearing genuine, is actually a fake designed to steal their information or login details.