Most of us have first-hand experience with phishing. It is the most common form of cyber attack and over 3.4 billion phishing emails are sent every day. If you look in your junk folder right now, you may be able to find a few examples.
With phishing attacks happening at such scale, it shouldn’t be surprising that attacks are moving beyond email to other types of communication. This is where vishing and smishing come in. While they aren’t strictly new, they are alternate types of phishing that leverage different forms of communication.
Understanding Phishing, Vishing and Smishing
Phishing is an umbrella term and encompasses any social engineering where an attacker manipulates a victim into revealing sensitive information or installing malware.
Smishing (also known as SMS phishing) is phishing conducted via SMS
Vishing (also known as voice phishing) is phishing conducted over the phone
In this blog, you can find an overview of the various different types of phishing and how you can defend against them. We’ll also touch on how new technologies such as deepfakes and phishing-as-a-service are creating new threats you should be aware of.
What is Phishing?
If you aren’t familiar, phishing is a type of cyber attack where an attacker manipulates a victim into providing them with sensitive information or downloading malware. Attackers are often seeking personal information, such as your account passwords, or financial information.
These attacks are predominantly attempted over email and involve an attacker impersonating a trusted organisation, such as a bank or government body. Common examples of phishing scams include fake invoices, requesting ‘advance fees’ or telling you that ‘your account has been compromised’.
Is Phishing Becoming More Sophisticated?
Initially, phishing only involved sending out a generic email with a warning or alert enticing a user to click the link and enter their credentials. Sending these emails to a large audience creates a high chance someone will open it and fall victim. However, more recent attacks utilise a lot more than just a single email.
One example is spear phishing, where an attacker attempts to phish an individual user or small group of users. In this case, attackers may use open-source intelligence gathering and other social engineering methods to craft an email with specific information that the victim may be expecting and, therefore, more likely to trust.
With organisations enforcing defences and user education as standard practice, attackers are also becoming more inventive. Overcoming multi-factor authentication (MFA), for example, requires attackers to gain more information than a simple username and password. To address this, attackers are utilising new technologies such as Evilginx which can help them gather MFA tokens.
Other examples of major developments in this space are:
Phishing-as-a-service
Smishing
Vishing
Exploiting zero day vulnerabilities
What is Phishing-as-a-Service?
Phishing-as-a-service is like any other software-as-a-service (SaaS) model. A cyber criminal sells other attackers a phishing kit (phishkits) via a subscription model, which they can use to carry out their own attacks. Phish kits or phishing kits are a similar service which attackers can purchase for a one-time fee.
Back in 2021, Bridewell predicated that phishing-as-a-service would become commonplace on dark web forums and lead to increased attack volumes. The last few years appear to have confirmed this. Although difficult to obtain, phishkits are often the top sellers on underground forums that distribute illegal or malicious software.
Additionally, tools such as Evilginx utilise “phishlets” which are specific YAML files that describe how to capture sensitive data from other domains. Developers and contributors of phishing frameworks are receiving more inquiries on how to make these files. Trusted white-hat hacking groups are being set up to prevent the disclosure of this information to cyber criminals.
What is Smishing?
Smishing is phishing conducted via SMS/ text and works much the same way that standard phishing does. The difference is that instead of a link being sent to you via email, it is sent to you via text. Common smishing attempts include enticing texts such as “congratulations, you have won” with an accompanying link.
Cyber criminals can get phone numbers with relative ease. Practices such as signing up to public WiFi or completing online forms that request your details can expose your details to an attacker. This enables attackers to curate a huge list of numbers which they can then smish. Compared to email, having a phone number also allows attackers to identify the country and network provider you are using to further tailor their attack.
What is Vishing?
Vishing is phishing conducted over the phone or voice over IP (VOIP) services. It’s a phishing method which has developed in recent years with the advent of deepfake technology. Using deepfakes, cyber criminals can convincingly impersonate people of authority and use this to make their vishing attempts far more convincing.
In 2020, a bank manager in Hong Kong got a call purportedly from the director of a company he had previously worked with. The caller asked the manager to authorise some transfers amounting to $35 million. Checking the request against emails in his inbox, the request appeared legitimate and he transferred the funds. However, the voice on the phone had been faked using “deep voice” technology and was part of an elaborate fraud scheme.
What Happens if I Get Phished?
Fortunately, there are easy ways to defend against phishing. As soon as you identify that you’ve been phished it is important you follow these steps:
Disconnect your device from the network. There’s a chance you could have inadvertently installed malware on your device, which makes it accessible to attackers. This step will attempt to halt them from going further within the network.
Alert your IT department or SOC immediately. If you are an employee and you are using a company-owned device, give them all the details you have and what steps you have taken so far. They will most likely guide you from here.
Change your password(s). Assume the attacker now has your email address and password which they can use to access your account with. Change this to prevent them from accessing the particular service going forward. If you have reused this password elsewhere ensure it is changed there too.
Alert your bank or affected party. If the attacker has gained access to credentials that can be used to manage money, your personal identity, sensitive information, there is a high chance the attacker will be searching for these.
Scan your device with anti-virus and anti-malware. Beyond scanning for malware or viruses, performing a rollback of your device is good practice.
Report the phishing activity to your email provider. This allows them to block the domain and prevent the attacker from phishing anyone else using the same technique.
Perform an IT health check on your services. Check if you have the following covered:
Enable MFA wherever possible
Ensure you use unique passwords for each account you use
Be vigilant of any suspicious activity or similar emails you receive
Monitor your accounts for unexpected activity
Take note of dates and times this occurred for future reference
Ensure you regularly backup your data.
Phishing and CNI
In our 2023 Critical National Infrastructure (CNI) research, phishing ranked as the third biggest risk to CNI organisations (after malware and data theft). Phishing is a major concern for CNI organisations, as a compromise carries far more devastating consequences.
Attackers may see CNI organisations as high priority targets and, if they are a state-sponsored actor, be acting on behalf of another country’s interest. By successfully phishing a CNI organisation, attackers could potentially disrupt services or control of operations. For organisations that control infrastructure, such as power grids, water treatment facilities, and transportation systems, this would disrupt essential services and greatly benefit the nation they’re acting on behalf of.
State-sponsored attackers will have no initial access to their target network. This makes it likely they will use phishing in an attempt to gain a foothold and advance their attack. Because state-sponsored attackers are generally looking to do more than just reveal passwords or steal account information, they have far more resources at their disposal.
How to Recognise Phishing
Awareness is the best defence against phishing. If you know how to recognise a phishing attempt, and what to do when you discover phishing, you reduce the risk of falling victim. Some common ways to detect phishing are:
Check the email or phone number. If it is public domain – such as Gmail or Outlook – then it is unlikely to be from a legitimate business. Likewise, if you receive a suspicious call, check the phone number against the one listed by the company on their website.
Check for typos. If the email is poorly written or badly formatted, this can be a sign it isn’t legitimate. Would-be scammers may not be native English speakers, which can lead to a number of mistakes which give away their phishing attempts.
Check any hyperlinks. Before clicking on any links you receive via email, read them carefully. If they have any misspellings, be careful. It is common practice for attackers to buy domains that are similar to legitimate ones, with only one or two characters different. You should also mouse over hyperlinks before clicking them as this will show where the link directs to, rather than showing the text the scammer wants you to see.
Trust your instincts. If an email seems suspicious, then take extra care. Phishing attempts often create an artificial sense of urgency to rush you into giving away their information. If you receive an email like this, or with other red flags, you should trust your instinct and report it.
What is the Best Defence Against Phishing?
The best way to defend against any type of phishing is by completing a social engineering test or phishing assessment. There are types of penetration testing that assess how susceptible your organisation would be to a real attack.
Typically, they involve our penetration testing team sending phishing emails to your organisation to see how people respond to them. Based on how many people open them or report them, we can then provide targeted awareness training to help your employees recognise phishing. Our team will also review your information security policies and controls to better defend against phishing before it reaches your employees.
If you’d like to learn more about how Bridewell can help you defend against phishing, learn more about our social engineering testing and phishing assessments.
Author
Jack Jarvis
Penetration Tester
Blogs