Phishing is a form of fraud that involves impersonating a trusted institution or person (e.g., a bank, courier company or public figure) to persuade a victim to take action in order to benefit the attacker, such as providing login credentials. According to the 2021 annual report, CERT Poland handled as many as 22,575 phishig-related incidents, classifying this cyber threat as one of the most popular in 2021.
When talking about phishing, we often deal with mass mailing. However, there are several types of popular phishing out there, which are worth distinguishing:
Phishing attacks have evolved significantly over the past few years. They are no longer inane messages which are very different from genuine emails, while fraudulent website looks similar to the original one. What’s more, phishing messages are more and more often being used to send malware that can lead to ransomware attacks.
Currently, attackers use various techniques to hide their true intentions while creating phishing campaigns. These include browser-in-the-browser, homography attack or using trusted web pages to embed malware. Phishing also owes its popularity mainly to a large number of automated tools which can set up entire phishing campaigns – so you don’t need to be a developer or technology expert to create such a campaign. At the same time, in the so-called darknet, it is more and more common to find “Phishing as a Service”, that is websites where, for a subscription fee, we have access to many templates of popular sites or fake payment gateways, allowing us to phish for e.g., BLIK codes. With a subscription, we also get domains on which the entire infrastructure required is automatically set up.
‘I believe in the next few years the popularity of phishing will increase even more. Looking at today’s techniques, I can say that unless we regularly educate our employees and keep our systems secure, we may reach a situation which makes us very vulnerable to all sorts of attacks.’
Michał Błaszczak, Pentester EmailLabs
What needs to be remembered, however, is that phishing is not limited to email messages only. There is also Vishing or Voice Phishing, in which scammer call us (often impersonating bank operators) to trick us into revealing personal information, and Smishing or phishing via text message.
Apart from traditional phishing, criminals are often using smishing, the above-mentioned phishing via SMS. Since it’s not a problem to impersonate a particular service provider, cyber attackers are using it as another way to spread fake websites or malware. The rules behind this attack are the same as for classic phishing. The offender tries to influence us with certain emotions and thus force us to enter a given website address. There are cases in which this cybercriminals are so confident they don’t even impersonate specific service providers and send messages from ‘normal’ phone numbers. One would think that nobody would read such a message, however, the reality is far from that.
As I mentioned earlier, phishing has evolved strongly in recent years and attackers no longer limit themselves to creating a similar email address. So in this part of the article, we’ll have a closer look at some of the tactics used in ‘today’s’ phishing:
This technique displays an allegedly new window within a visited browser website, which simulates a fake login panel. In fact, that window is actually a page element, so the visible address of the new window is a plain text controlled 100% by the attacker. As a result, users may believe they are logging from a real website, especially since nowadays signing-in via third party services, e.g. Facebook, Twitter, Github, is nothing new (for such logins, we may see a ‘pop-up’ window asking to sign-in). The easiest way to recognize such attacks is to try to ‘pull’ the new window out of the web page we are on. If we fail to do so, we can be sure a Browser in the Browser technique has been used to attack us.
source: https://github.com/mrd0x
It’ an attack which takes advantage to create and display URLs that include characters from non-Latin alphabet. Since different alphabets can have very similar characters, it can be used to build a nearly identical URL for a phishing attack.
Well-known link shorteners work in a rather simple and familiar way, however, it’s worth noting that there are shorteners much more sophisticated than the ones we know. That’s because some of them are able to trick websites which ‘expand’ links, letting us know if a particular shortened URL really leads to, e.g. a bank web page. Besides, such shorteners are able to redirect users to different pages based on a device which the link is opened on, so the attack can be more targeted and harder to detect.
Cybercriminals are increasingly using popular and thus, trusted websites for conducting i.a., phishing attacks. By taking advantage of such pages, attackers effectively lull victims into a false sense of security. As part of this technique, they embed malicious files in familiar sites or create fake login pages. A full list of such websites can be found at Lots Project.
How Apple Mail privacy updates affect email open rates? Although the new privacy policy for Apple users was already introduced in September 2021 (with the launch of iOS 15...
Best practices, Dobre praktyki, Transactional Emails
mBank was the first bank in our country to declare war on cybercriminals’ activities and implement sender authentication in the most popular mailboxes used by their customers. These solutions...
Sociotechnic, or in other words social engineering, is any action that influences another individual in order to persuade him to take certain actions, which may not be in his...
Best practices, Converion Rate, Dobre praktyki
Promotional emails usually contain a significant amount of information – we are talking here not only about the content, but also graphics presenting the products covered by the promotion,...
Ignoring the mistakes made in previous years and failing to learn the right lessons are the main ‘sins’ of marketers preparing campaigns for Black Friday – a day considered...
Vercom S.A. public company, to which the EmailLabs project belongs, has successfully completed the ISO 27001 Surveillance Audit and ISO 27018 Certification. Both audits confirm that organization’s information security...
We’re launching our CyberLabs series on the latest news from the cybersecurity world. Based on practical examples, our pentester will give tips on how to prepare for potential threats...
Antispam, Best practices, BIMI
The AuthIndicators Working Group (BIMI Group) recently announced that Apple systems such as iOS 16, iPadOS 16, and macOS Ventura will support BIMI starting this fall. Thus, the infographic showing...
Email marketing communication needs to be properly handled to be effective. Apart from technical matters, building positive subscriber engagement with email communication is very crucial. Nowadays, consumers feel overwhelmed...
An ESP (Email Service Provider) is a software-based service for email distribution, often based on its servers, optimized for high (mass) traffic. Many of them enable integration with CRM...
Best practices, Deliverability
What is email deliverability? While talking to eCommerce store owners, marketing specialists, or reading various reports on email communication, you may often get the impression that the main criteria...
Vercom, to which EmailLabs belongs, is a European company, fully compliant with the provisions of GDPR and based solely on its own servers located in CEE. We provide our...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
How to avoid having my messages stopped by the spam filter? Your customers’ inbox certainly has protection set up to prevent unwanted emails. However, to pass their validation, you...
Converion Rate, Dobre praktyki, Open Rate
For many years, one of the most frequently monitored metrics of the effectiveness of email campaigns has been the open rate, i.e. the ratio of messages opened to messages...
Email security is an essential element that every company needs to ensure during the era of evolving cybercrime. Attacks by hackers on business entities very often target precisely email...