A Tale of the Three *ishings: Part 1 – What is Phishing?

Phishing remains and will remain one of the foremost methods used by cyber attackers today.

Over the past two decades, the cybersecurity industry has focused extensively on using technology to secure itself, achieving significant advancements in this regard. Unfortunately, organizations have often overlooked the human factor, which cyber attackers have exploited. These attackers have shifted their focus to targeting humans directly, utilizing what many refer to as the “three *ishings”: phishing, smishing, and vishing. In this series of blog posts, we will delve into these methods, explore how attackers are adapting their strategies, and discuss effective countermeasures.

Let’s begin by defining phishing:

Phishing is a form of social engineering attack where cyber attackers deceive victims into performing actions that compromise security, such as sharing passwords or granting access to sensitive information. It primarily operates via email, though smishing (messaging-based) and vishing (voice/phone-based) variants exist and will be covered in subsequent posts. What makes phishing so effective is its widespread use of email, a ubiquitous communication tool in every organization. Attackers exploit this by crafting deceptive emails that manipulate recipients into unwittingly complying with their demands. Moreover, email provides a cost-effective means to reach a global audience swiftly.

The evolution of phishing tactics includes traditional methods like malicious links and attachments, which aim to either infect devices with malware or harvest login credentials. However, cyber attackers are now employing more sophisticated approaches:

1. Business Email Compromise (BEC): These targeted attacks, also known as CEO fraud, do not include links or attachments. Instead, they rely on convincing language to deceive finance personnel into authorizing fraudulent transactions, often posing as trusted executives or vendors.

2. Call Back: This method prompts victims to call a provided phone number, where attackers use persuasive tactics to extract sensitive information or initiate unauthorized transactions under false pretenses.

3. QR Codes: Instead of traditional links, attackers include QR codes in emails. These codes redirect users to malicious websites, exploiting vulnerabilities that traditional phishing filters may overlook, particularly on mobile devices.

Furthermore, phishing attacks can be highly tailored through techniques like spear phishing (targeted at specific individuals) and whaling (targeted at high-profile individuals or executives). Moreover, cybercriminals are increasingly outsourcing their phishing operations through Phishing-as-a-Service (PaaS) platforms, which offer sophisticated attack templates and infrastructure for a subscription fee.

To combat phishing effectively, organizations employ a dual approach of enhancing technical controls and providing comprehensive workforce training. While technological defenses continue to evolve, some phishing attempts evade detection due to attackers’ evolving tactics. Therefore, training programs should focus on recognizing common phishing indicators rather than attempting to cover every possible lure. These indicators include urgency, pressure to bypass protocols, curiosity-inducing messages, discrepancies in tone or salutation, and emails from personal addresses disguised as legitimate contacts.

It’s crucial to adapt phishing prevention strategies continually as attackers refine their methods. For more insights into protecting your workforce against evolving cyber threats, consider joining SANS Institute’s LDR433 Managing Human Risk course.