Phishing tactics
Malicious actors have multiple ways to deliver a malicious message, whether through email, a phone call, or even Wi-Fi. But depending on their motivations and targets, they will follow different tactics when leveraging these technologies.
While the tactics described above often involve a direct person-to-person interaction between the attacker and the victim, a significant percentage of phishing attacks are fundamentally undirected. The attacker doesn’t have a target in mind, but simply chooses to send a large volume of malicious texts, emails, or phone calls in the hope that a small percentage takes the bait.
While undirected phishing attacks lack precision, they’re easy to operate at scale. The attacker simply needs a list of targets — often obtained from previous data breaches — and the technology to bulk-distribute their malicious messages.
Angler phishing attacks typically — but not always — occur on social networking pages and see an attacker impersonate a customer service representative in order to extract information or money from a victim.
Unlike other types of phishing, the attacker doesn’t need to know anything about their victim. Whereas smishing/vishing and email phishing require valid phone numbers and email addresses, someone perpetrating an angler phishing attack only needs to search for a complaint about a business, or a request for support.
The attacker will then direct the victim to a private channel, where they will then use social engineering tactics to extract information from the victim, or try to trick them into performing an action.
The businesses impersonated vary, but banks and credit card companies are more likely to be spoofed. According to one study from Proofpoint, over half (55%) of angler phishing attacks involve financial institutions.
A business email compromise (BEC) attack describes a broad array of methods used to trick a high-ranking company executive or official into performing an action, transferring funds to an account under the attacker’s control, or revealing potentially sensitive information.
There are many manifestations of BEC attacks. A malicious actor could, for example, create a superficially legitimate email address to pose as a company CEO (or, having previously compromised their email account, use their actual email address) and request that an employee makes a transfer to an offshore bank account.
Alternatively, they could pose as a foreign supplier and issue a bogus invoice, hoping that the company pays it before anyone scrutinizes it properly. While the methods and motivations may vary, they all rely on email to work, and often involve senior company personnel, who are either the targets of an attack or the subject being impersonated by an attacker.
It’s no surprise that the FBI describes BEC phishing — also known as email account compromise (EAC) — as “one of the most financially damaging online crimes.” According to the Bureau, losses from BEC scams reached $2.4 billion in 2021, up from $300 million in 2016.
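The three BEC patterns above (a look-alike address posing as an executive, a bogus supplier invoice, and a reply path that quietly diverts the conversation) can be scored from message headers alone. The following is an added example, not code from the original article; the organisation domain, the executive list and the four sample messages are constructed for the demonstration.

```python
"""Score inbound mail for the header-level hallmarks of business email compromise.

Added example, not from the original article. The organisation domain, the
executives to protect and the sample messages are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr

# Constructed: our own domain and the people most likely to be impersonated.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "ada lovelace": "ada.lovelace@example.com",
    "charles babbage": "cbabbage@example.com",
}

# Words that, on their own, are only a weak signal; combined with a header
# anomaly they are what a payment-diversion lure usually looks like.
PAYMENT_WORDS = ("urgent", "wire", "transfer", "invoice", "asap")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch cousin domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Message:
    from_header: str
    reply_to: str
    subject: str


def bec_indicators(msg: Message) -> list[str]:
    """Return every BEC indicator found in one message (empty list if none)."""
    findings = []
    display, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = display.strip().lower()

    # 1. An executive's display name on an address that is not theirs.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{display}' does not match known address")

    # 2. Sending domain is within two edits of our own domain.
    if domain and domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike domain {domain}")

    # 3. Reply-To differs from From, so replies leave the visible thread.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if reply_addr.lower() != addr:
            findings.append(f"reply-to diverges: {reply_addr}")

    # 4. Payment or urgency language in the subject.
    if any(w in msg.subject.lower() for w in PAYMENT_WORDS):
        findings.append("payment/urgency language in subject")
    return findings


# Constructed sample batch: two impersonation attempts, one benign internal
# note, and a vendor message with a single weak indicator.
SAMPLE_MESSAGES = [
    Message('"Ada Lovelace" <ada.lovelace@gmail-mail.example>', "",
            "Urgent wire transfer needed"),
    Message('"Accounts Payable" <ap@examp1e.com>', "", "Invoice 4471 attached"),
    Message('"Charles Babbage" <cbabbage@example.com>', "", "Lunch next week?"),
    Message('"Vendor Support" <support@vendor.example>',
            "billing@vendor.example", "Your monthly statement"),
]


def flagged_subjects(messages=SAMPLE_MESSAGES, threshold: int = 2) -> list[str]:
    """Subjects of messages that hit at least `threshold` indicators."""
    return [m.subject for m in messages if len(bec_indicators(m)) >= threshold]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.subject, "->", bec_indicators(m) or "clean")
    print("escalate:", flagged_subjects())
```

The threshold of two indicators is a design choice: the payment vocabulary alone would flag most of accounts payable's legitimate traffic, while a diverging Reply-To alone is common with ticketing systems, so the example only escalates when a header anomaly and a lure coincide.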
AitM (adversary-in-the-middle, sometimes referred to as “man-in-the-middle” or “meddler-in-the-middle”) phishing sees an attacker intercept a victim’s network traffic with the aim of altering the appearance of websites, or redirecting the victim to a website under their control. This often involves a sophisticated piece of malware being deployed on the victim’s computer.
One common approach, as noted by Palo Alto Networks, sees the victim presented with a facsimile of a login page. This facsimile is the “adversary” or “meddler.” It captures the person’s login details and relays them to a computer under the attacker’s control.
If the site uses MFA (multi-factor authentication), the spoofed webpage will continue impersonating the targeted website and ask the user for a one-time passcode. When the user successfully logs in, the AitM server receives a real session cookie, allowing the attacker to access the victim’s account. The server may also continue to act as a proxy, allowing the victim to use the website, albeit with their traffic relayed through the attacker’s computer.
This approach is particularly pernicious, not merely because it can bypass many of today’s MFA systems, but also because it’s completely invisible to the victim.
Whereas email phishing attempts often include tells that can arouse suspicion, like clunky syntax or visual discrepancies, this approach has no tell-tale signs; nothing indicates that anything is amiss.
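The relay is invisible to the victim, but not to the site being impersonated: the login and the one-time passcode arrive from the relay's address rather than the user's, and the session cookie that is issued to the relay is then presented from wherever the attacker uses it. The following added example (not code from the original article) checks constructed authentication log lines for exactly those two server-side signals; the hosting range and every address in the log are made up for the demonstration.

```python
"""Flag sessions whose cookie was issued to one client and then used by another.

Added example, not from the original article. The log format, the hosting
range and all addresses below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed hosting range a relay might run from. A real deployment would
# take these from an IP-reputation or ASN feed rather than a literal.
HOSTING_RANGES = [ip_network("203.0.113.0/24")]

# Constructed log: timestamp, event, user, session id, client ip, user agent.
# alice logs in normally; bob's login and MFA step arrive from the hosting
# range and his cookie is later presented from a third address.
LOG = """\
2024-05-02T09:00:01Z login_ok alice sess-1 198.51.100.20 Firefox/125
2024-05-02T09:00:05Z mfa_ok alice sess-1 198.51.100.20 Firefox/125
2024-05-02T09:01:10Z request alice sess-1 198.51.100.20 Firefox/125
2024-05-02T09:30:00Z login_ok bob sess-2 203.0.113.7 Chrome/124
2024-05-02T09:30:04Z mfa_ok bob sess-2 203.0.113.7 Chrome/124
2024-05-02T09:31:30Z request bob sess-2 203.0.113.7 Chrome/124
2024-05-02T09:32:45Z request bob sess-2 192.0.2.99 Chrome/118
"""


def parse(log: str) -> list[dict]:
    """Turn the constructed log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, event, user, sid, ip, ua = line.split(" ", 5)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "event": event, "user": user, "sid": sid,
            "ip": ip_address(ip), "ua": ua,
        })
    return events


def session_findings(events: list[dict]) -> dict[str, list[str]]:
    """Group events by session cookie and return {session id: [indicators]}."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    findings = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        login = next((e for e in evs if e["event"] == "login_ok"), None)
        if login is None:
            continue  # cookie seen without its login in this window; out of scope

        notes = []
        # Signal 1: the login (and the MFA step behind it) was completed from a
        # hosting address. Server-side, that is what a relay looks like: the
        # proxy, not the victim's own browser, is the client that authenticated.
        if any(login["ip"] in net for net in HOSTING_RANGES):
            notes.append(f"login and MFA completed from hosting address {login['ip']}")

        # Signal 2: the cookie was issued to one (ip, user agent) pair; any later
        # use from a different pair means it has been replayed from elsewhere.
        seen = {(login["ip"], login["ua"])}
        for e in evs:
            key = (e["ip"], e["ua"])
            if key not in seen:
                seen.add(key)
                notes.append(f"cookie presented from {e['ip']} with {e['ua']}")

        if notes:
            findings[sid] = notes
    return findings


def flagged_sessions(log: str = LOG) -> dict[str, list[str]]:
    """Convenience wrapper: parse the log and return only sessions with findings."""
    return session_findings(parse(log))


if __name__ == "__main__":
    for sid, notes in flagged_sessions().items():
        print(sid)
        for n in notes:
            print("  -", n)
```

Either signal on its own deserves a look, but together they are the shape of a relayed login: the authentication is performed by a machine the user does not own, and the resulting cookie is then used by a client that was never involved in the MFA step. Binding the session to the client that completed MFA, and invalidating it when the binding changes, is the corresponding mitigation.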
The term “spear phishing” broadly describes a type of targeted phishing attack. Its victims can include private individuals, employees of a specific organization or business, or even its senior leadership.
The goal of a spear phishing attack is to obtain information that will be useful for the attacker — such as account credentials, proprietary company information, or access to the company’s system — or to induce the target into performing a specific action. This might include transferring funds, clicking a compromised link, or opening a malicious email attachment.
Because spear phishing attacks are customized for each victim or target organization, they’re often harder to detect through technological means. Whereas a spam filter can identify phishing emails sent to millions of addresses, it may struggle to identify a phishing email intended for an audience of one.
Email is a common channel for spear phishing attacks, but it isn’t the only one. Attackers will use any channel that helps them accomplish their goals, including SMS, instant messaging, and even phone calls.