Phishing is a form of fraud that involves impersonating a trusted institution or person (e.g., a bank, a courier company or a public figure) to persuade the victim to take an action that benefits the attacker, such as handing over login credentials. According to its 2021 annual report, CERT Poland handled as many as 22,575 phishing-related incidents, making this one of the most common cyber threats of 2021.
When people talk about phishing, they usually mean mass mailing. However, there are several popular variants of phishing worth distinguishing:
Phishing attacks have evolved significantly over the past few years. They are no longer crude messages that are easy to tell apart from genuine emails, and the fraudulent website now closely resembles the original. What's more, phishing messages are increasingly used to deliver malware that can lead to ransomware attacks.
Attackers currently use various techniques to hide their true intentions when building phishing campaigns. These include browser-in-the-browser, homograph attacks and embedding malware on trusted web pages. Phishing also owes its popularity largely to the many automated tools that can set up an entire campaign, so you no longer need to be a developer or technology expert to run one. At the same time, "Phishing as a Service" is increasingly common on the so-called darknet: websites where, for a subscription fee, you get access to templates of popular sites and fake payment gateways that allow phishing for, e.g., BLIK codes. The subscription also includes domains on which the entire required infrastructure is set up automatically.
‘I believe in the next few years the popularity of phishing will increase even more. Looking at today’s techniques, I can say that unless we regularly educate our employees and keep our systems secure, we may reach a situation which makes us very vulnerable to all sorts of attacks.’
Michał Błaszczak, Pentester at EmailLabs
It should be remembered, however, that phishing is not limited to email. There is also vishing (voice phishing), in which scammers call us, often impersonating bank operators, to trick us into revealing personal information, and smishing, phishing via text message.
Apart from traditional phishing, criminals often use smishing, the above-mentioned phishing via SMS. Since it is no problem to impersonate a particular service provider in the sender field, attackers use it as another way to spread fake websites or malware. The rules behind this attack are the same as for classic phishing: the offender plays on our emotions to push us into opening a given web address. In some cases the criminals are so confident that they do not even impersonate a specific service provider and send the messages from ordinary phone numbers. One would think that nobody would read such a message, but the reality is far from that.
As I mentioned earlier, phishing has evolved strongly in recent years and attackers no longer limit themselves to creating a look-alike email address. In this part of the article we take a closer look at some of the tactics used in today's phishing:
Browser-in-the-Browser (BitB) displays what looks like a new browser window, complete with its own address bar, inside the page being visited, and that "window" contains a fake login panel. In fact the window is just a page element, so the address shown in it is plain text fully controlled by the attacker. Users may therefore believe they are logging in on the genuine site, especially since signing in via third-party services such as Facebook, Twitter or GitHub is nothing new and normally involves exactly such a pop-up window. The easiest way to recognise the attack is to try to drag the new window outside the web page we are on: a real pop-up is a separate operating-system window and can be moved anywhere on the screen, whereas a fake one cannot leave the browser viewport. If dragging fails, we can be sure a Browser-in-the-Browser technique has been used against us. A password manager that fills credentials by origin is a further check, since it will not offer the saved password on a domain it does not recognise.
A homograph attack takes advantage of Unicode support in domain names (internationalised domain names, IDN) to create and display URLs containing characters from non-Latin alphabets. Since different alphabets have very similar-looking characters, this can be used to build a nearly identical URL for a phishing attack. Browsers now render many mixed-script labels in their punycode (xn--) form, but the protection differs between browsers, and a label built entirely from look-alike characters of a single script may still be shown as Unicode.
Well-known link shorteners work in a simple and familiar way, but there are shorteners far more sophisticated than the ones we know. Some of them can fool the services that "expand" links to show whether a shortened URL really leads to, e.g., a bank's website, by serving the expander a harmless destination. Such shorteners can also redirect users to different pages depending on the device or client the link is opened on, so the attack can be more targeted and harder to detect.
Cybercriminals are increasingly using popular, and therefore trusted, websites to conduct, among other things, phishing attacks. By abusing such pages, attackers lull victims into a false sense of security: they embed malicious files on familiar sites or create fake login pages there. A full list of such websites can be found at Lots Project.
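The following is an added example, not code from the original article or from EmailLabs, showing how a homograph domain is checked in practice: convert between the Unicode and punycode forms, look for labels that mix scripts, and compare a "skeleton" of the domain (look-alike characters replaced by their Latin twins) against a list of domains we want to protect. The CONFUSABLES table is a small hand-picked subset of the Unicode confusables data and the BRANDS allowlist is constructed for the example; both are assumptions. The example deliberately goes beyond the paragraph: it shows that a mixed-script check catches a domain such as `аpple.com` (Cyrillic "а" plus Latin "pple"), but not one composed entirely of Cyrillic look-alikes, which only the skeleton comparison detects.

```python
import unicodedata

# Hand-picked subset of look-alike characters (assumption: a small excerpt, not the
# full Unicode UTS #39 confusables table, which production code should load instead).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
}

# Constructed allowlist of domains we want to protect (assumption).
BRANDS = {"apple.com", "paypal.com", "google.com"}


def to_ascii(host):
    """Unicode host -> ACE form. Uses raw punycode per label; a real IDN pipeline
    also applies UTS #46 normalisation, which is omitted here."""
    labels = []
    for label in host.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(host):
    """ACE host (xn-- labels) -> Unicode form; invalid labels are left untouched."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                labels.append(label[4:].encode("ascii").decode("punycode"))
                continue
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    """First word of the Unicode character name doubles as a coarse script tag."""
    if ch.isascii() and not ch.isalpha():       # digits and hyphen belong to no script
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts(label):
    return {script_of(c) for c in label} - {"COMMON"}


def skeleton(host):
    """Replace known look-alikes with their Latin twins so that visually identical
    domains collapse to the same string."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def analyse(host, brands=BRANDS):
    uni = to_unicode(host)
    ace = to_ascii(uni)
    per_label = [scripts(label) for label in uni.split(".")]
    skel = skeleton(uni)
    return {
        "unicode": uni,
        "ascii": ace,
        "is_idn": ace != uni,
        "mixed_script": any(len(s) > 1 for s in per_label),
        "lookalike_of": skel if (skel != uni and skel in brands) else None,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine domain, a mixed-script fake and an all-Cyrillic fake.
    for sample in ["apple.com", "\u0430pple.com", "xn--80ak6aa92e.com"]:
        print(sample, "->", analyse(sample))
```

The all-Cyrillic sample is reported as a single-script label, so `mixed_script` stays False and only the skeleton comparison flags it as a look-alike of `apple.com`; this is why browsers that only reject mixed-script labels are not a complete defence.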
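As an added example that is not part of the original article or of EmailLabs' tooling, the script below shows the check a defender can run against a cloaking shortener: resolve the redirect chain several times with different User-Agent profiles and flag the link when the final destinations disagree. The shortener behaviour is modelled by a constructed in-memory table (FAKE_WEB) so the example runs offline; the domain names, the short-link path and the User-Agent strings are assumptions. A `live_fetch` helper built on the standard library is included for real use but is not exercised by the offline run.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

# Constructed User-Agent profiles (assumption: illustrative, shortened strings).
UA_PROFILES = {
    "expander": "Mozilla/5.0 (compatible; LinkExpanderBot/1.0)",
    "desktop":  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "mobile":   "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1",
}

# Constructed model of a cloaking shortener (assumption, not a real service): each URL
# maps visitor classes to the (status, Location) header it would answer with.
FAKE_WEB = {
    "https://sh.example/a1b2": {
        "expander": (301, "https://www.bank.example/"),          # decoy for link expanders
        "desktop":  (302, "/d/invoice"),                          # relative hop to malware
        "mobile":   (302, "https://bank-secure.example/login"),   # credential phish on phones
    },
    "https://sh.example/d/invoice": {"*": (302, "https://cdn.example/invoice.zip")},
}


def classify(user_agent):
    """Mimics the crude UA sniffing such shorteners rely on."""
    ua = user_agent.lower()
    if "bot" in ua or "compatible;" in ua:
        return "expander"
    if "iphone" in ua or "android" in ua:
        return "mobile"
    return "desktop"


def fake_fetch(url, user_agent):
    """Offline stand-in for an HTTP HEAD request: returns (status, Location)."""
    rules = FAKE_WEB.get(url, {"*": (200, None)})
    return rules.get(classify(user_agent)) or rules.get("*", (200, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; we want to see every hop ourselves


def live_fetch(url, user_agent):
    """Real HEAD request returning (status, Location). Some hosts reject HEAD;
    switch to GET for those. Not called in the offline run."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:     # 3xx surfaces here because we refused to follow
        return e.code, e.headers.get("Location")


def resolve_chain(url, user_agent, fetch, max_hops=10):
    """Follow redirects hop by hop and return the full chain of URLs visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        url = urljoin(url, location)            # Location may be relative
        chain.append(url)
    raise RuntimeError("redirect limit reached: treat the link as suspicious")


def cloaking_report(url, fetch, profiles=UA_PROFILES):
    """Resolve the same link under each profile; disagreement means cloaking."""
    finals = {name: resolve_chain(url, ua, fetch)[-1] for name, ua in profiles.items()}
    return {"destinations": finals, "cloaked": len(set(finals.values())) > 1}


if __name__ == "__main__":
    print(cloaking_report("https://sh.example/a1b2", fake_fetch))
```

Against a real link, pass `live_fetch` instead of `fake_fetch`; a single "expander" profile would have reported the decoy bank page only, which is exactly the blind spot the paragraph describes.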