• Phishing attacks are more targeted and customized than in the past.
  • The proliferation of additional communications channels such as mobile devices and social media provides attackers with new avenues to phish users.
  • The technology behind phishing attacks evolves as necessary for cybercriminals to bypass content filters and successfully transmit and display the phishing content to the victims.
  • Artificial Intelligence (AI) apps provide attackers with the means to generate highly customized content that makes phishing lures even more convincing.

Cybercriminals often find it easier to trick users into compromising their own security than to break into networks with exploits or other highly technical attacks. Deceiving users into divulging sensitive information or taking inappropriate actions is known as “social engineering,” and this tactic can be extremely effective regardless of what technological defenses have been deployed. As a result, social engineering has become a mainstay in cybercriminals’ arsenals.

Social engineering can take many forms. However, by far the most popular type of contemporary social engineering is phishing. Phishing is the practice of sending victims fraudulent communications that appear to come from a reputable source. It is most often performed through email though other communications platforms such as phone calls and text messages on mobile devices, social media, or chat rooms can also play host to phishing attacks.

The goal of a phishing attack is to steal sensitive data like credit card and/or login information or to install malware on the victim's machine. Phishing has evolved considerably over the past dozen-or-so years. We now have many different subtypes of phishing, including spear phishing (targeting specific users in phishing attacks), whaling (phishing specific high-profile users who have considerable resources or access privileges), smishing (phishing users via SMS messages), quishing (phishing using QR codes) and vishing (telephone-based phishing).

Phishing attacks have become more targeted

The earliest phishing attacks, such as those conducted against AOL users in the mid-1990s with tools like AOHell, intentionally cast a broad net, aiming to snare as many victims as possible. However, phishing in this way has become less effective over time. In order for a phishing attack to succeed, an attacker must first deliver their phishing messages to the victims, and sending a large volume of similar-looking phishing messages to a large number of recipients attracts a considerable amount of attention from security devices and personnel.

On the other hand, a handful of phishing emails is far more difficult for network defenders to catch. This is the idea behind spear phishing: attackers narrow the target pool down to a smaller group of desired victims who can be sent a more customized attack. The smaller volume of email increases the odds the message will be delivered to the users rather than filtered out or flagged by network security devices, and customization raises the likelihood the recipient will view the email as legitimate.

More locations for phishing

The proliferation of mobile devices and social media applications has provided phishers with multiple vehicles besides email through which to conduct their attacks. Phishers have been known to use applications such as LinkedIn, Instagram, Facebook, Telegram, Discord, Twitter and other social media apps to transmit phishing messages to victims. We also now regularly receive phishing messages transmitted over SMS and even via QR codes.

A phishing link to “metamask.lc” is tweeted in reply to a tweet from the real @MetaMask Twitter account.

An example of an SMS phish using a link shortener to hide the true destination URL.

Not all phishing happens online. Some phishers now take a hybrid approach: the lure still arrives by email, but rather than containing a link to a phishing website or malware, the email contains a phone number the victim is meant to call, where the victim can then be further socially engineered over the telephone.

Evasion tactics help bypass security devices and fool users

Security devices are constantly monitoring the network for signs of phishing content and then marking the content as fraudulent or even discarding phishing messages altogether. Today, a successful cybercriminal must find ways around the anti-phishing security technology in place. There are several ways today’s cybercriminals attempt this:

  • Placing text information or links inside images.
  • Using large attachments that cannot be scanned due to their size.
  • HTML smuggling.
  • Using various attachment file types (.doc, .one, .lnk, password-protected .zip).
  • Hiding phishing links behind link-shortening services.
  • Varying the phishing message content by including hidden garbage text pulled from books.
  • Using links to lookalike domain names, known as typosquatting, or domain names that have specially crafted subdomains, ex. www.office.com.login.evilbadguy.com.
  • Transmitting messages from compromised legitimate accounts.
  • Using the browser-in-the-browser technique.
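As an added example (not code from the original post), the script below implements offline checks for three of the link-based evasion tactics in the list above, namely lookalike (typosquatted) domains, brand names buried in the subdomains of an attacker-controlled domain such as www.office.com.login.evilbadguy.com, and link shorteners that hide the true destination, and a simple indicator scan for HTML smuggling attachments. The brand list, the shortener list, the two-level suffix list and the sample links and attachment are all assumptions constructed for the example; a production version would use the Public Suffix List and a maintained brand list.

```python
"""Added example (not code from the original post): offline checks for three
of the link-based evasion tactics listed above (typosquatted lookalike
domains, brand names buried in the subdomains of an attacker-controlled
domain, and link shorteners) plus an indicator scan for HTML smuggling.

Assumptions, since none of this comes from the post: the brand and shortener
lists are hand-picked, and the registrable domain is approximated from the
hostname's last labels instead of the Public Suffix List."""
import re
from urllib.parse import urlsplit

# brand keyword -> registrable domains allowed to carry it (assumed, hand-picked list)
BRANDS = {
    "office": {"office.com", "microsoft.com"},
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
    "metamask": {"metamask.io"},
}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Approximate eTLD+1: 'www.office.com.login.evilbadguy.com' -> 'evilbadguy.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 from a brand name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return the reasons a link looks like a phishing lure; an empty list means none fired."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    # everything left of the registrable domain is under the domain owner's control
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host.endswith(reg) else []
    reasons = []
    if reg in SHORTENERS:
        reasons.append("link-shortener:" + reg)
    for brand, legit in BRANDS.items():
        if reg in legit:
            continue  # the genuine brand domain
        if reg_label == brand:
            reasons.append("brand-with-wrong-tld:" + brand)  # e.g. metamask.lc
        elif edit_distance(reg_label, brand) == 1:
            # e.g. paypa1.com; real tooling also maps homoglyphs and keyboard-adjacent keys
            reasons.append("typosquat:" + brand)
        if brand in sub_labels:
            reasons.append("brand-in-subdomain:" + brand)  # e.g. www.office.com.login.evilbadguy.com
    return reasons


# regex -> description of what the HTML-smuggling pattern does in the browser
SMUGGLING_INDICATORS = [
    (r"\batob\s*\(", "base64-decodes an embedded payload"),
    (r"new\s+Blob\s*\(", "assembles the payload as a Blob in the browser"),
    (r"URL\.createObjectURL\s*\(", "creates an object URL for a local download"),
    (r"msSaveOrOpenBlob", "uses the legacy IE/Edge download API"),
    (r"\.download\s*=", "sets the download filename from script"),
]


def html_smuggling_indicators(html):
    """Return descriptions of the smuggling indicators found in an HTML attachment."""
    return [desc for pat, desc in SMUGGLING_INDICATORS if re.search(pat, html)]


# constructed sample of a smuggling attachment; the base64 is a placeholder, not a real archive
SAMPLE_ATTACHMENT = """<html><body><script>
var b64 = "QUJDREVGR0g=";
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invoice.zip";
a.click();
</script></body></html>"""

if __name__ == "__main__":
    # constructed sample links; the shortener path is made up
    for link in ["https://metamask.lc/claim",
                 "http://www.office.com.login.evilbadguy.com/auth",
                 "https://paypa1.com/signin",
                 "https://bit.ly/3xYzAbC",
                 "https://www.microsoft.com/"]:
        print(link, "->", classify_url(link) or "no indicators")
    print("HTML attachment ->", html_smuggling_indicators(SAMPLE_ATTACHMENT))
```

The subdomain check is the one to note: a brand keyword anywhere left of the registrable domain proves nothing about who owns the site, so the decision keys on the registrable domain alone. A shortener hit is only a signal that the real destination is hidden; resolving it means following the redirect chain from an isolated host, which this offline example deliberately does not do.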

More convincing phishing lures

Contemporary phishing lures tend to fall into two basic categories. Many phishing messages attempt to replicate transactional messages, for example, an invoice or receipt for a purchase. Other phishing messages tend to target victims who are eager for news about specific topics, such as current events, natural disasters or the latest celebrity gossip.

With readily accessible open-source information and publicly available breach data, a motivated attacker can assemble a substantial trove of sensitive information about individuals or groups from sources that are freely available online. This information can be used to customize phishing emails and make the content even more relevant to the victims.

To aid in customizing phishing content, attackers are increasingly turning to AI apps such as ChatGPT that can be used to generate phishing content that sounds quite convincing. Fortunately, the designers of ChatGPT have built some guardrails so that attackers cannot simply ask ChatGPT to generate a phishing lure.

However, by phrasing the request a little differently, an attacker can get ChatGPT to generate convincing content for use in phishing attacks.

Over the past few years, we have seen how some attackers, such as those behind Emotet, have inserted their messages into existing email threads to compel targets to open attachments or click links. Using AI applications similar to ChatGPT, those malicious emails could be customized based on the context of the prior conversation.

Voice cloning is another piece of AI technology that is expected to play a role in future phishing attacks. Deepfake technology has already progressed to the point that users can be fooled by a familiar voice over the telephone, and once deepfake tools become more widely available, we expect attackers to deploy this as an additional mechanism to phish users.

Protecting users from today’s phishing attacks

Of course, as phishing content becomes easier to generate and customize to a specific victim, it becomes harder to defend against. Educating users about how to recognize a phishing attack can be helpful. Additionally, deploying multi-factor authentication such as Cisco Duo is a solid defense that can thwart phishing attacks that harvest only a password; note that one-time codes and push approvals can still be relayed by an adversary-in-the-middle proxy or a browser-in-the-browser page, whereas FIDO2/WebAuthn authenticators bind the credential to the genuine site's origin and resist this. Understanding regular network traffic patterns using products like Cisco Secure Network Analytics can help your network security personnel recognize unusual activity that could be related to a successful phishing attack. It is also a good idea to have your email delivered through a secure gateway such as Cisco Secure Email that can scan the email contents for phishing, malware and other email-based attacks. DNS security products such as Cisco Umbrella can help prevent users from navigating to or downloading content from phishing domains.