Posted on: August 7th, 2023 by Wolf TG Admin

Phishing

Phishing attacks continue to play a dominant role in the digital threat landscape. In its 2023 Data Breach Investigations Report, for instance, Verizon Enterprise found that phishing was one of the top three primary ways cybercriminals access organizations. In addition, 44% of phishing incidents focused on scamming users into changing passwords through social engineering.

The rise of phishing attacks poses a significant threat to all organizations. All companies must know how to spot some of the most common phishing scams if they are to protect their corporate information. It is also crucial that they are familiar with some of the most common types of techniques that malicious actors use to pull off these scams.

Deceptive Phishing

Deceptive phishing is by far the most common type of phishing scam. In this ploy, fraudsters impersonate a legitimate company to steal people’s personal or business data or login credentials. These emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.

Vade Secure highlighted some of the most common techniques used in deceptive phishing attacks:

Legitimate links: Many attackers attempt to evade detection from email filters by incorporating legitimate links into their deceptive phishing emails. They could do this by including legitimate contact information for an organization that they might be spoofing.

Blend malicious and benign code: Those responsible for creating phishing landing pages commonly blend malicious and benign code to fool Exchange Online Protection (EOP). This might take the form of replicating the CSS and JavaScript of a tech giant’s login page in a bid to steal users’ account credentials.

Redirects and shortened links: Malicious actors do not want to raise any red flags with their victims. They therefore craft their phishing campaigns to use shortened URLs to fool Secure Email Gateways (SEGs), “time bombing” (redirecting users to a phishing landing page only after the email has been delivered), and redirects to legitimate web pages after victims have forfeited their credentials.

Modify brand logos: Some email filters can spot when malicious actors steal organizations’ logos and incorporate them into their attack emails or onto their phishing landing pages. They do so by looking out for the logos’ HTML attributes. To fool these detection tools, malicious actors alter an HTML attribute of the logo such as its color.

Minimal email content: Digital attackers attempt to evade detection by including minimal content in their attack emails. They might elect to do this by including an image instead of text, for instance.

Recent Examples of Deceptive Phishing Attacks

As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link to rectify a discrepancy with their account. In actuality, the link redirects to a website designed to impersonate PayPal’s login page. That website collects login credentials from the victim when they try to authenticate themselves and sends that data to the attackers.

How to Defend Against Deceptive Phishing

The success of a deceptive phishing attack hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email. Remember, you should log in to accounts by navigating to the website yourself; do not click on links in emails. Do not open attachments from unknown senders. Call colleagues to validate information rather than acting on an email alone, especially if the request does not follow corporate policy.
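The evasion tricks listed above (shortened links, lookalike domains, image-only bodies, urgency wording) and the "inspect all URLs carefully" advice can be turned into a mechanical triage check that a mail gateway or analyst script runs over the HTML body before a user ever sees it. The script below is an added example, not code from the original post or from Vade Secure; it uses only the Python standard library, and the shortener list, the urgency phrases, the `.example` domains and the sample emails are all constructed for illustration.

```python
"""Flag common deceptive-phishing indicators in an HTML email body.

Added example (not from the original post). Standard library only; the
shortener list, urgency phrases and sample emails are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of well-known URL-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed list of urgency phrases typical of deceptive phishing lures.
URGENCY_PHRASES = ("verify your account", "within 24 hours", "suspended",
                   "immediately", "unusual activity")


class _EmailScanner(HTMLParser):
    """Collect anchors, image count and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []          # (href, visible anchor text) pairs
        self.images = 0
        self.text = []           # every visible text chunk, in order
        self._href = None        # href of the anchor currently open, if any
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href", "")
            self._anchor_text = []
        elif tag == "img":
            self.images += 1

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)


def _host(url):
    """Lower-case hostname of a URL, or '' when there is none."""
    parsed = urlparse(url.strip())
    return parsed.hostname.lower() if parsed.hostname else ""


def scan_email_html(html, claimed_sender_domain):
    """Return a sorted list of indicator strings found in the HTML body.

    claimed_sender_domain is the brand the mail claims to come from
    (e.g. "paypal.com"); links that carry the brand name but sit on a
    different domain are reported as lookalikes.
    """
    scanner = _EmailScanner()
    scanner.feed(html)
    findings = set()
    brand = claimed_sender_domain.split(".")[0]

    for href, text in scanner.links:
        href_host = _host(href)
        if href_host in SHORTENER_HOSTS:
            findings.add(f"shortened link: {href_host}")
        # Visible text that looks like a URL but resolves to a different host.
        text_host = _host(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.add(f"link text/href mismatch: {text_host} -> {href_host}")
        # Brand name embedded in a host that is not the brand's own domain.
        on_brand_domain = (href_host == claimed_sender_domain
                           or href_host.endswith("." + claimed_sender_domain))
        if brand in href_host and not on_brand_domain:
            findings.add(f"lookalike domain: {href_host}")

    # Minimal-content trick: images present, almost no readable text.
    visible_chars = sum(len(chunk.strip()) for chunk in scanner.text)
    if scanner.images and visible_chars < 40:
        findings.add("image-heavy body with minimal text")

    body = " ".join(scanner.text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body:
            findings.add(f"urgency phrase: {phrase}")

    return sorted(findings)


# Constructed sample lure in the style described in the post (not a real email).
SAMPLE_EMAIL = """
<html><body>
<img src="cid:logo.png" alt="logo">
<p>Unusual activity was detected. Verify your account within 24 hours
or it will be suspended.</p>
<a href="http://bit.ly/3xAmPlE">https://www.paypal.com/signin</a>
<a href="https://paypal.com.account-verify.example/login">Resolve now</a>
</body></html>
"""

# Constructed image-only sample: the whole message is a clickable picture.
SAMPLE_IMAGE_ONLY = ('<html><body><a href="https://login.example/x">'
                     '<img src="cid:invoice.png"></a></body></html>')

if __name__ == "__main__":
    for finding in scan_email_html(SAMPLE_EMAIL, "paypal.com"):
        print(finding)
```

The checks deliberately stay host-based: they compare where a link claims to go against where it actually goes, and whether the brand name appears on a domain the brand does not own, which is the same comparison a careful user makes by hovering over a link. Treat the output as triage signal for quarantine or a warning banner, not as a verdict; a legitimate newsletter can trip the shortener rule and a lookalike check only covers the brand you name.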
