The craftiest phishing techniques and how to defend against them
Phishing is evolving using AI for mass customisation, but the fundamentals remain the same
Phishing is most successful when it catches us off balance, when time pressure is applied, and when the malicious message appears authoritative, familiar, expected or even welcome. The right combination of these factors will have even the most vigilant clicking on a link that could set off a very nasty chain of events.
Catching people off balance is the trickiest of these factors to engineer, although it’s not impossible. For example, an attacker monitoring the victim's social media may be able to take advantage of the fact that the plane due to carry them to an important meeting has been delayed. But it's in communicating a demand for urgent action without arousing suspicion that most advantage is to be had, together with tools that disseminate these messages at scale.
"One of the most convincing phishing attempts I’ve seen was when an attacker registered a near-identical domain, swapping one letter (e.g. an “I” for a “1”), and sent a fake statement of accounts from a supplier they regularly worked with," said Ben Rowe, director of BD Rowe Consulting.
"The email looked legitimate, the bank was the same provider, and the details were just subtly different. The user was about to process the payment, but noticed the saved bank info didn’t match, which triggered further checks. It was a clever and deeply researched attempt, a real reminder that attackers do their homework."
Spearphishing at scale
This was an example of spearphishing. The attacker had taken the time to find out what “normal” looks like at the organisation, who the company’s suppliers are and the identity of the person who authorises payments.
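The swapped-letter supplier domain Rowe describes is something an inbound filter can flag before the invoice reaches the person who authorises payments. The following is an added example, not code from the article or from any vendor: it compares the sender domain against a constructed list of trusted supplier domains after folding visually similar characters together, and reports a near match (one character swapped, inserted or dropped).

```python
# Added example, not from the article: flag a sender domain that is a near-match
# for a trusted supplier domain, such as one swapped, inserted or dropped letter,
# or a visually similar character ("l" vs "1", "rn" vs "m"). The supplier list and
# the sample header are constructed for illustration.
import email.utils

# Characters that look alike in many fonts, folded to one canonical form.
CONFUSABLES = {"1": "l", "i": "l", "0": "o", "rn": "m", "vv": "w"}

def normalise(domain: str) -> str:
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES.items():
        d = d.replace(lookalike, canonical)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain: str, trusted: set):
    """Return the trusted domain the sender resembles, or None when the sender
    is either exactly trusted or not close to any trusted domain."""
    sender = sender_domain.lower()
    if sender in trusted:
        return None
    norm = normalise(sender)
    for t in trusted:
        if edit_distance(norm, normalise(t)) <= 1:
            return t
    return None

def check_from_header(from_header: str, trusted: set):
    """Parse a From: header and report the impersonated supplier, if any."""
    _, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return None
    return lookalike_of(addr.rsplit("@", 1)[1], trusted)

if __name__ == "__main__":
    SUPPLIERS = {"acmesupplies.co.uk", "globex.com"}  # constructed allow-list
    print(check_from_header('"Acme Accounts" <accounts@acmesupp1ies.co.uk>', SUPPLIERS))
```

A hit is a reason to hold the message for review rather than proof of fraud, since legitimate suppliers do occasionally change domains.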
In recent Computing research, 59% of 70 UK IT leaders questioned said they, or someone close to them, had been spearphished.
Targets were generally believed to have been selected based on their role or relationship with senior executives, information readily discoverable on sites like LinkedIn. Social media profiles can also be used to infer business relationships, partnerships and suppliers, and such datapoints may also be gleaned from corporate websites, press releases, industry reports, public records, lists of conference attendees, domain and email reconnaissance, dark web leak sites, and so on.
Increasingly this reconnaissance is being handed over to automated tools that can scrape and collate the information into a usable format very quickly.
The more information attackers have on the target, the more convincing the messages are likely to be. They could include details of recent transactions, fake email chains, and these days even be backed up by voice or video deepfakes purporting to be from a senior director.
The most effective spear-phishing attacks are thoroughly researched, multi-stage and multimodal. Now AI tools are beginning to offer such personalisation at scale. Hits per attempt may be lower, but the volumes achievable by automation more than make up for it. One study found that phishing volumes increased by 17% over 6 months, and that the fingerprints of AI were discernible in 82.6% of the phishing emails analysed. Only 8% of respondents to Computing's survey estimated that AI is used in 80% or more of phishing emails, suggesting its role in changing the face of phishing may be underestimated.
AI-based tools are also used to clone or create plausible branded landing pages, to evade detection by security software and to automatically exfiltrate data. It’s a fast-moving field and there’s a burgeoning market for phishing-as-a-service.
In terms of lures, things aren't changing so fast, with fake invoices, DocuSign messages and parcel deliveries (particularly around Christmas) among the most widely seen.
Microsoft's login page is the most frequently spoofed, with LinkedIn and Gmail also featuring. Only 14% had come across fake Teams/Zoom calls but this is likely to rise as convincing deepfakes become more easily available. There have been reports of cybergangs acting as Microsoft support staff and making use of Teams as part of the deception.
Defending against phishing
The attackers aren’t having everything their own way. AI/ML is featuring more and more in defensive technology too, helping to automate detection and mitigation tasks which would otherwise leave IT and security teams completely overwhelmed.
And the best defence against attempts to throw us off balance and pressurise us to do what the attackers want is to stop the messages getting through in the first place.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol designed to protect against email spoofing, phishing and fraud. It checks whether the domain in the "From" header aligns with the domain authenticated by SPF or DKIM, and lets the domain owner publish a policy for mail that fails that check. It is supported by Microsoft Defender, Proofpoint, Mimecast and others, but it needs to be set up properly.
"An employee received an email from the CEO instructing the purchase of Amazon vouchers. The CEO email was spoofed due to DMARC not being configured to p=reject," CEO, Technology
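The voucher-scam quote above turns on one setting: with p=none a spoofed message that fails DMARC is still delivered, while p=reject tells receivers to drop it. The following is an added example, not code from the article or from any mail vendor, showing a simplified version of the check a receiving server performs; it assumes the DMARC record has already been fetched from DNS and that SPF and DKIM have already been verified, yielding the domain each check passed for.

```python
# Added example (not the article's or any vendor's code): a simplified DMARC
# check as a receiving server performs it. Assumes the DMARC record is already
# fetched from DNS and SPF/DKIM already verified, giving the domain each passed
# for. Organisational domain is approximated as the last two labels (the real
# rule uses the Public Suffix List).

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    """Approximate organisational domain (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, auth_domain, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts any
    subdomain of the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, dmarc_record, spf_domain=None, dkim_domain=None):
    """'pass' if SPF or DKIM passed for an aligned domain; otherwise the
    action the From domain's policy asks for: 'none' (deliver, report only),
    'quarantine' or 'reject'."""
    tags = parse_dmarc(dmarc_record or "")
    if tags.get("v") != "dmarc1":
        return "none"  # no usable record, so the message is not subject to DMARC
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("quarantine", "reject") else "none"

if __name__ == "__main__":
    # Constructed scenario from the article: mail claiming to be from the CEO's
    # domain but relayed via the attacker's server, so SPF passes only for the
    # attacker's domain and there is no DKIM signature.
    spoof = dict(from_domain="example.com", spf_domain="attacker.example")
    print(dmarc_disposition(dmarc_record="v=DMARC1; p=none", **spoof))    # none
    print(dmarc_disposition(dmarc_record="v=DMARC1; p=reject", **spoof))  # reject
```

The same function also shows why a record with no policy tag, or no record at all, leaves the spoof deliverable: the receiver has nothing to enforce.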
Unfortunately there is no direct DMARC equivalent for SMS and RCS, which operate on a fundamentally different infrastructure to email's open protocol and vary according to the mobile operator. However, there are emerging standards and practices aimed at addressing SMS fraud, spoofing, and phishing, such as SMS Originator Address Validation, STIR/SHAKEN to combat caller ID spoofing, verified SMS programmes and carrier-level filtering.
"Staff awareness training is essential, plus inbound email protection beyond MS DMARC & SPF..." CEO, Technology
According to Rowe, filters and gateways can stop a lot of phishing attempts in their tracks.
"From a technical standpoint, the two best items I've seen are anomaly detection, which scans for uncommon events that a user might undertake, and application control software, where an agent monitors a user machine and blocks any attempts to run code or executables that are not on the allow list," he suggested.
"Ultimately though, building a culture where people feel safe reporting mistakes or suspicions without fear of blame is the combination that offers the best resilience."
Creating a security culture
Creating such a culture requires a widespread understanding of the risks, what to look out for, and what to do in the event of a breach. And that of course means training.
74% of survey respondents in the Computing study use an online portal for phishing awareness training, 57% include it in the onboarding process while just under half offer regular refreshers. A quarter avail themselves of free training offered by NCSC and other bodies, with 19% conducting "mystery shopper" phishing tests to see who bites.
The latter can certainly be effective in keeping employees abreast of the latest tactics used by threat actors, said Rowe, but they need to be handled with sensitivity and as part of a wider intervention.
"On the mitigation side, some organisations are getting it right with engaging, scenario-based phishing simulations that reflect how their people actually work. However, these are few and far between and results are just used as ‘gotcha’ tests, and not as teaching moments with feedback loops. The best mitigations I've seen are when the users are made aware of the test post-exercise and then a training 'loop' is put in place to keep that cycle of awareness happening."
The largest proportion of respondents (48%) conduct phishing awareness training and refreshers on an annual basis, with 17% doing so twice a year. A diligent 5% said they do so every month. While some doubts were expressed about the effectiveness of training as they've experienced it (only 21% said it was definitely effective), there was broad agreement as to its importance.
"User training is the biggest single difference. We coach a healthy scepticism and reward folks for reporting concerns..." CTO, Business services
But staying ahead of threat actors requires the right combination of culture and tools, and keeping up to date on the latest tricks and techniques they’re deploying.