Phishing is a form of fraud that involves impersonating a trusted institution or person (e.g., a bank, courier company or public figure) to persuade a victim to take action in order to benefit the attacker, such as providing login credentials. According to the 2021 annual report, CERT Poland handled as many as 22,575 phishig-related incidents, classifying this cyber threat as one of the most popular in 2021.
When talking about phishing, we often deal with mass mailing. However, there are several types of popular phishing out there, which are worth distinguishing:
Phishing attacks have evolved significantly over the past few years. They are no longer inane messages which are very different from genuine emails, while fraudulent website looks similar to the original one. What’s more, phishing messages are more and more often being used to send malware that can lead to ransomware attacks.
Currently, attackers use various techniques to hide their true intentions while creating phishing campaigns. These include browser-in-the-browser, homography attack or using trusted web pages to embed malware. Phishing also owes its popularity mainly to a large number of automated tools which can set up entire phishing campaigns – so you don’t need to be a developer or technology expert to create such a campaign. At the same time, in the so-called darknet, it is more and more common to find “Phishing as a Service”, that is websites where, for a subscription fee, we have access to many templates of popular sites or fake payment gateways, allowing us to phish for e.g., BLIK codes. With a subscription, we also get domains on which the entire infrastructure required is automatically set up.
‘I believe in the next few years the popularity of phishing will increase even more. Looking at today’s techniques, I can say that unless we regularly educate our employees and keep our systems secure, we may reach a situation which makes us very vulnerable to all sorts of attacks.’
Michał Błaszczak, Pentester EmailLabs
What needs to be remembered, however, is that phishing is not limited to email messages only. There is also Vishing or Voice Phishing, in which scammer call us (often impersonating bank operators) to trick us into revealing personal information, and Smishing or phishing via text message.
Apart from traditional phishing, criminals are often using smishing, the above-mentioned phishing via SMS. Since it’s not a problem to impersonate a particular service provider, cyber attackers are using it as another way to spread fake websites or malware. The rules behind this attack are the same as for classic phishing. The offender tries to influence us with certain emotions and thus force us to enter a given website address. There are cases in which this cybercriminals are so confident they don’t even impersonate specific service providers and send messages from ‘normal’ phone numbers. One would think that nobody would read such a message, however, the reality is far from that.
As I mentioned earlier, phishing has evolved strongly in recent years and attackers no longer limit themselves to creating a similar email address. So in this part of the article, we’ll have a closer look at some of the tactics used in ‘today’s’ phishing:
This technique displays an allegedly new window within a visited browser website, which simulates a fake login panel. In fact, that window is actually a page element, so the visible address of the new window is a plain text controlled 100% by the attacker. As a result, users may believe they are logging from a real website, especially since nowadays signing-in via third party services, e.g. Facebook, Twitter, Github, is nothing new (for such logins, we may see a ‘pop-up’ window asking to sign-in). The easiest way to recognize such attacks is to try to ‘pull’ the new window out of the web page we are on. If we fail to do so, we can be sure a Browser in the Browser technique has been used to attack us.
It’ an attack which takes advantage to create and display URLs that include characters from non-Latin alphabet. Since different alphabets can have very similar characters, it can be used to build a nearly identical URL for a phishing attack.
Well-known link shorteners work in a rather simple and familiar way, however, it’s worth noting that there are shorteners much more sophisticated than the ones we know. That’s because some of them are able to trick websites which ‘expand’ links, letting us know if a particular shortened URL really leads to, e.g. a bank web page. Besides, such shorteners are able to redirect users to different pages based on a device which the link is opened on, so the attack can be more targeted and harder to detect.
Cybercriminals are increasingly using popular and thus, trusted websites for conducting i.a., phishing attacks. By taking advantage of such pages, attackers effectively lull victims into a false sense of security. As part of this technique, they embed malicious files in familiar sites or create fake login pages. A full list of such websites can be found at Lots Project.
Gmail has announced significant changes in the requirements for email senders to maintain a good reputation and proper classification of messages in user inboxes starting from February 1, 2024....
Vercom S.A. public joint-stock company to which the EmailLabs project belongs, has been assessed and certified to be compliant with the ISO/IEC 27001 and ISO/IEC 27018 standards. The Vercoms’...
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Out of all the things that can go wrong when sending out marketing emails, having your emails end up in the recipient’s spam folder is arguably the most dreaded...
Email Authentication, Security
DMARC is an email authentication protocol that is designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Spoofing occurs...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Google and Yahoo's Requirements
2024 marks a turning point in the fast-paced world of email deliverability, as this is the year when Google and Yahoo updated their sender requirements. With the enforcement period...
Best practices, Email Marketing
B2B email marketing – it’s a term you’ve likely heard before, but what does it really entail? And, more importantly, how can it be done effectively? In this article,...
Deliverability, Sending Reputation
Email sender reputation is one of the most important factors that can determine whether your emails reach the intended recipient or not. So, what is the email sender reputation,...
Google and Yahoo's Requirements
2024 marks a turning point in the fast-paced world of email deliverability, as this is the year when Google and Yahoo updated their sender requirements. With the enforcement period...
Best practices, Email Marketing
B2B email marketing – it’s a term you’ve likely heard before, but what does it really entail? And, more importantly, how can it be done effectively? In this article,...
Deliverability, Sending Reputation
Email sender reputation is one of the most important factors that can determine whether your emails reach the intended recipient or not. So, what is the email sender reputation,...
Email Authentication, Sending Reputation
In the realm of email, sender authorization is a powerful tool wielded by local and global providers like Gmail, Yahoo, and AOL to combat spam. Additionally, as an authenticated...
As an integral part of your email infrastructure, SMTP and SMTP port numbers are not just for tech whizzes – they’re important for anyone using email. You’ve likely heard...
Ever wondered why you can’t attach a movie to an email? Or why won’t that PowerPoint presentation just send? It all comes down to the maximum size of email...
One of the most dire situations a business can face is unauthorized access to its company network. This breach can lead to the theft of valuable intellectual property and...
The Simple Mail Transfer Protocol (SMTP) holds significant importance in the realm of email communication. As a vital component of mail servers, SMTP takes charge of sending, receiving, and...
The significance of email protection and data security is growing exponentially in today’s digital world, with StartTLS emerging as a key player in this arena. As an encryption protocol...