Phishing is getting smarter. A type of social engineering attack in which the attacker uses fraudulent messages that are designed to fool the would-be victim into sharing sensitive information or clicking a particular link, phishing has long been part of life on the internet.
The term was first coined a quarter-century ago, using a purposeful misspelling of the word “fishing” to describe the way attackers send out email-based lures to try to bait victims from the sea of online users.
While phishing attacks have been a perennial part of the cyber security landscape, they’ve also been traditionally mocked by more tech-savvy users. Whether it’s weak grammar or comically bad misspellings (sometimes there to get around spam filters), phishing messages didn’t pose much of a threat to those who knew what to look out for.
Things are changing, however. Today’s phishing attacks are far more sophisticated than those of 1996, 2006, or even 2016. Particularly as attackers have moved on (in some cases) from going after individuals to targeting businesses and organizations, social engineering attacks have had to adapt to have the slightest chance of finding their target.
The bad news? In many cases, they’ve managed to do exactly that. Few cybersecurity researchers or professionals today would declare themselves totally free from risk when it comes to phishing messages. With enough attention and personalization, any phishing attacker could likely get through users’ defenses.
Move over, fishing! Meet spear phishing
Recently it was reported that a year-long phishing campaign by an unknown group has targeted businesses in the gas and oil, energy, media, IT, and electronics industries across the world. The incoming emails sent to these businesses used techniques like spoofing and typosquatting to appear like they were being sent from genuine, established companies.
Typosquatting refers to the registering or use of domain names so that, at first glance, it appears to come from a source other than the one that it does — for example, Goggle instead of Google or Facebock instead of Facebook.
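The lookalike-domain trick described above is one of the easier parts of a spear-phishing message to check mechanically. The following is an added example, not code from the original article or from any product it mentions: it normalizes a sender's registrable domain label, undoes common character swaps (such as the digit zero for the letter "o"), and compares the result against a short list of domains the organization trusts using edit distance. The trusted-domain list, the homoglyph table, the distance thresholds and the sample sender addresses are all constructed for this illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added illustration of typosquat detection (e.g. goggle.com, facebock.com).
Everything below is constructed for the example: the trusted-domain set, the
homoglyph table, the thresholds and the sample addresses.
"""
from typing import List, Optional, Tuple

# Domains the organisation actually corresponds with (constructed list).
TRUSTED_DOMAINS = {"google.com", "facebook.com", "microsoft.com", "example-energy.com"}

# Character swaps commonly used to mimic a genuine name (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_label(domain: str) -> str:
    """Return the label left of the suffix, e.g. 'google' for 'mail.google.com'.

    Simplified: a production check would consult the Public Suffix List so that
    'google.co.uk' yields 'google' rather than 'co'.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_homoglyphs(label: str) -> str:
    """Map lookalike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', trusted domain matched or None).

    An exact match is trusted. Otherwise the normalised label is compared with
    each trusted label; a small edit distance (including 0 for the same name on
    a different TLD) marks the sender as a lookalike.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    label = normalize_homoglyphs(registrable_label(domain))
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label = registrable_label(trusted)
        # Constructed thresholds: short brand names tolerate one edit, longer ones two.
        threshold = 1 if len(t_label) <= 6 else 2
        if edit_distance(label, t_label) <= threshold:
            return "lookalike", trusted
    return "unknown", None


def scan_senders(addresses: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify each address; returns (address, verdict, matched trusted domain)."""
    return [(addr,) + classify_sender(addr) for addr in addresses]


if __name__ == "__main__":
    # Constructed sample "From:" addresses, not taken from any real campaign.
    samples = [
        "alerts@google.com",
        "billing@goggle.com",
        "support@facebock.com",
        "it@g00gle.com",
        "hr@exarnple-energy.com",
        "news@unrelated-vendor.org",
    ]
    for addr, verdict, match in scan_senders(samples):
        print(f"{addr:30} {verdict:10} {match or ''}")
```

The check is a heuristic for a mail gateway or a SIEM enrichment step, not a verdict on its own: legitimate partner domains that happen to sit within one edit of a trusted name will be flagged, so "lookalike" results are best routed to quarantine or a warning banner for review rather than dropped outright.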
They also eschewed the scattergun, generalized approach of “traditional” phishing messages by crafting specific text referencing company executives by name and including genuine business addresses and company logos.
On top of this, they included industry-specific jargon and referenced real projects that the impersonated company was actually working on at that time in an attempt to make the messages seem real. They came with attachments that appeared to be harmless PDF files but were, in fact, malware applications capable of gathering browsing data, capturing keystrokes, and even stealing financial information.
These messages, which target a specific individual or business, are called “spear phishing.” Unlike regular phishing messages, which aim to capture whoever makes the proverbial bite, spear phishing is highly customized to go after a particular target. This takes a lot more effort than a regular phishing message, which could be sent out to thousands of users at once.
However, if the potential reward is sufficient, hackers will happily put in the time to pull off their fraud.
Defending against spear-phishing social engineering attacks is difficult. They are so heavily customized that they can be tough to detect. Furthermore, it takes only one employee within an organization to make a mistake, and that mistake could be extremely costly for the business or entity in question.
The results could be anything from the leaking of commercially sensitive data to acts of espionage or vandalism. Put simply, phishing can open the door to almost every other type of cyber attack by exposing a way into the network and internal systems.
Protecting against phishing and other social engineering attacks
As with any social engineering attack, education is key. Making employees aware of the risk and the possible vectors through which attacks might come can help catch a certain number of would-be attacks.
So too is coming up with a robust cybersecurity strategy that will be understood and followed by everyone in an organization. This starts with performing an inventory of computing assets and how best to safeguard them, prioritizing risks, and building a team and strategy for dealing with would-be attacks.
To guarantee security, however, you may want to consider investing in the latest, state-of-the-art cybersecurity tools. This includes new machine learning-aided email protection systems able to spot phishing attempts, data loss prevention (DLP), advanced bot protection, API security, Runtime Application Self-Protection (RASP) tools, and more.
Phishing attempts are getting smarter all the time — and even the smartest human is prone to making human errors. But by deploying cutting-edge technology to help protect against phishing and other cybersecurity threats, organizations can do the best they can to mitigate attempted attacks. And, thanks to technological advances in recent years, “the best they can” is pretty darn good.