Phishing: old tricks, new methods

  • May 8, 2023
Phishing is and remains one of the most effective and therefore most frequently used cyber attack methods. Both Microsoft and Verizon still rate this use of a simple attack vector to trick you and bypass important security mechanisms as a major risk. However, phishing today is not what it was yesterday: although attackers still use the same sophisticated emotional “tricks”, the methods and goals are changing.

1. Methods

While phishing has traditionally taken place mainly via email, SMS, iMessage and WhatsApp are now also popular channels. The explanation is simple: most phones have no filtering capability, giving fraud and attacks every chance to get through. Text messages are also much shorter by default and carry little context, making it much harder to tell what is real and what is not. Employees should therefore be aware that every messaging service is a possible entry point for phishing.

2. Goals

The goals of the attackers are also changing. In the past, phishers often attempted to install malware on your PC, but these attempts are becoming easier to spot, leading cybercriminals to change their aim. Currently we mainly see these three strategies:

Stealing passwords

These attacks encourage you to click on a link that takes you to a website designed to steal your login credentials. This can be done, for example, via fake emails in the name of your bank or your Microsoft 365 business account, asking you to log in to an equally fake website or online platform. With your passwords in hand, attackers can do great damage without being noticed.

Getting people on the phone

More and more phishing attacks don’t work with a link or attachment at all, but simply present a phone number in the hope that people will call. Once they do, the attackers use storytelling and emotional tricks to coerce them into specific actions (sharing passwords, transferring money, making specific purchases, and so on). Although these attacks are not automated and therefore require much more work, they are often more successful and profitable: attackers manage to steal significant sums of money from people, sometimes even their entire savings. You can see how a phone attack works in this fantastic three-minute video.

Fraud

Finally, there are the scams where attackers pose as someone you know in a very short and impersonal message: your boss, a close colleague, or a regular partner or supplier. Business Email Compromise (BEC) or CEO fraud attacks, where someone in the finance or accounting department receives a misleading email from a senior executive with an urgent payment request, are classic examples.

Conclusion? Phishing is no longer about infecting your computer: attackers mainly target your credentials so they can log into your bank or other services on your behalf, or try to trick you into making payments or purchases by phone or through impersonation.

The most common phishing indicators

How can you best arm your employees against these new tactics? Attackers are always coming up with new tactics and ways to fool you, some smarter than others, so it’s impossible to know them all. It’s more helpful to focus on the common elements and the most recurring cues, regardless of the channel. Below are the factors that almost always recur and are therefore a strong indication of phishing:

  • Urgency: Messages that create a sense of urgency intended to make you act rashly – for example, an email claiming to be from the government saying that you urgently need to pay off an outstanding debt to avoid problems;
  • Pressure: Messages that pressure employees to ignore or circumvent company policies and procedures (such as BEC and CEO fraud);
  • Curiosity: Messages that arouse curiosity or are too good to be true (e.g. about a refund from the tax authorities);
  • Tone: Messages that appear to be from a colleague, but the spelling, tone, or signature is wrong or seems unusual;
  • Generic: Messages that come from “trusted” organizations but use generic phrases or salutations such as “Dear Customer” – if a delivery person has a package for you, they should know your name;
  • Personal email address: Any email that appears to be from a legitimate organization, supplier, or colleague but uses a private email address, e.g. @gmail.com.

Caution: Some cues that indicated phishing in the past are no longer usable today. Misspellings and poorly written messages, for example, are rare now that attackers have become more professional. “Hovering”, where you move your mouse over a link without clicking to see the full URL, is also no longer very useful: it is difficult to do on a smartphone or tablet, and URLs have become much more complex and therefore harder to decipher.
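As an added illustration (not from the article or from SANS), the recurring cues above can be turned into a simple triage check that a mail-security team could run over reported messages. The free-mail domain list, role words and phrase patterns are assumptions chosen for the demo, and the two messages are constructed samples.

```python
"""Score a reported e-mail against the recurring phishing cues (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Private mailbox providers a real organisation would not send from (assumed list).
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Display-name words that claim an organisational role (assumed list).
ORG_WORDS = re.compile(r"\b(bank|support|team|delivery|tax|finance|ceo|hr)\b", re.I)
# Body cues in the article's order; the phrase lists are illustrative, not exhaustive.
BODY_CUES = [
    ("generic-salutation", re.compile(r"^\s*dear\s+(customer|user|client|member)\b", re.I | re.M)),
    ("urgency", re.compile(r"\b(urgent(ly)?|immediately|within 24 hours|will be (closed|suspended)|outstanding debt)\b", re.I)),
    ("pressure", re.compile(r"\b(keep this (between us|confidential)|do not (tell|involve)|skip the (usual|normal) (approval|process))\b", re.I)),
    ("curiosity", re.compile(r"\b(refund|you have won|prize|free gift)\b", re.I)),
]

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the labels of every cue that fires for one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    # "Personal email address": an organisational sender name behind a private mailbox.
    if domain in FREEMAIL and ORG_WORDS.search(display_name):
        hits.append("personal-address")
    for label, pattern in BODY_CUES:
        if pattern.search(body):
            hits.append(label)
    return hits

# Constructed sample: credential-phishing mail in the name of a bank.
SAMPLE_BANK = """From: Acme Bank Support <acme.support.team@gmail.com>
To: employee@example.com
Subject: Action required

Dear Customer,

Your account will be suspended within 24 hours unless you confirm your login online.
"""
# Constructed sample: CEO-fraud style payment request from a private mailbox.
SAMPLE_CEO = """From: CEO Bob Chief <bob.chief.ceo@outlook.com>
To: finance@example.com
Subject: Wire today

Hi,

I need a wire of 48,000 EUR sent today, it is urgent. Please keep this between us until I am back.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BANK, SAMPLE_CEO):
        print(phishing_indicators(sample))
```

A message hitting two or more cues is a reasonable trigger for a closer look by the security team; a single hit on its own is not proof of phishing.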

This is a contribution from Lance Spitzner, Director of SANS Security Awareness. You can find more information and tips in the AUTSCH! company newsletter.

Source: IT Daily
