Over seven million suspicious emails or web links were reported in 2022 to the UK’s Suspicious Email Reporting Service. It’s clear that users remain a key target for threat actors looking to gain a foothold in corporate systems. In the past, businesses have placed the onus on users – expecting them to know what to look out for and identify phishing attacks – but with techniques becoming more convincing, a new approach is needed.
Security must become more holistic, and something everyone takes responsibility for. This is especially important for phishing, as there is no silver bullet. Despite advances in technologies which can recognize malicious emails, enterprises remain vulnerable.
Attackers keep innovating to circumvent defenses, campaigns are becoming more sophisticated, and lures look more credible. At the same time, threat actors are becoming more precise. They study their targets and use social engineering techniques to prey on users. This makes malicious phishing emails almost impossible to distinguish from the real thing.
What’s more, successful techniques become prevalent fast, with increased commodification and collaboration on the dark web encouraging threat actors to share successful techniques for a profit. For example, many malware variants and exploits used in cyberattacks sell for less than $10.
Here are five different phishing techniques attackers are using to work around defenses and trick users:
1. QR codes
Since the COVID-19 pandemic, scanning QR codes to access menus, register for events, and even pay for parking has become part of daily life. As QR codes become more ubiquitous, attackers have taken notice and looked at how to exploit their increased use. QR phishing attempts or “scan scams” have been on the rise since November 2022, aiming to circumvent typical security measures and take advantage of weaker phishing protection and detection on mobile devices.
In an effort to steal credentials, attackers use QR codes to lure users away from their laptops and onto mobile devices, where they are tricked into entering information into fake websites, stealing sensitive data such as credit card details in the process.
2. Spoofing
Attackers have become even more adept at spoofing websites and creating fake email addresses – putting significant amounts of time and resources into their research. This has resulted in more convincing lures and spoofed sites, with spoofing still being one of the preferred – and more successful – ways to deliver malware and compromise email accounts.
For example, threat actors are creating online document viewers which accurately mimic Adobe branding to trick users into opening malicious .zip files. With fake email addresses and spoofed sites difficult to recognize at first glance, users can easily be tricked into clicking on malicious links and downloads.
3. Thread hijacking
Used mainly by threat groups behind malware campaigns such as IcedID and Qakbot, thread hijacking is one of the most innovative mass-phishing techniques used today. Attackers steal email data from compromised systems and reply to existing email chains with infected files, so users are more easily tricked into opening malware and giving attackers a foothold.
Users are more likely to trust existing email threads from known senders, so this method tends to be an effective way of compromising business emails and delivering malware.
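As an added illustration (not code from the article), one defender-side heuristic for the hijacked-reply pattern described above: treat an inbound reply to a known thread as suspicious when its sender was never a participant in that thread, or when it carries an attachment type of the kind the article notes are abused. The sample messages and the extension watchlist are constructed for this example.

```python
import email
from email import policy

# Constructed sample messages (not from the article): a legitimate thread
# starter, then an inbound "reply" from a lookalike domain carrying a .zip.
ORIGINAL = """From: Alice <alice@example.com>
To: Bob <bob@example.com>
Message-ID: <m1@example.com>
Subject: Q3 invoice

Hi Bob, the invoice is on its way.
"""
REPLY = """From: Alice <alice@examp1e-mail.net>
To: Bob <bob@example.com>
In-Reply-To: <m1@example.com>
Subject: RE: Q3 invoice
Content-Type: multipart/mixed; boundary="b"

--b
Content-Type: text/plain

Please see the updated file.
--b
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b--
"""
# Attachment types worth a closer look: a constructed watchlist, not a standard.
RISKY_EXT = (".zip", ".one", ".iso", ".lnk")

def participants(msg):
    """Lower-cased addresses of everyone on the From/To/Cc lines."""
    return {a.addr_spec.lower() for h in ("From", "To", "Cc")
            for hdr in msg.get_all(h, []) for a in hdr.addresses}

def index_thread(raw_msgs):
    """Map Message-ID -> participant set, built from mail already seen."""
    idx = {}
    for raw in raw_msgs:
        msg = email.message_from_string(raw, policy=policy.default)
        idx[str(msg["Message-ID"]).strip()] = participants(msg)
    return idx

def hijack_indicators(raw_reply, thread_index):
    """Reasons an inbound reply looks like thread hijacking (empty = clean)."""
    msg = email.message_from_string(raw_reply, policy=policy.default)
    parent = str(msg["In-Reply-To"] or "").strip()
    known = thread_index.get(parent)
    if known is None:
        return []  # not a reply to a thread we know; other controls apply
    reasons = []
    sender = msg["From"].addresses[0].addr_spec.lower()
    if sender not in known:
        reasons.append(f"reply from {sender}, not a participant of {parent}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name}")
    return reasons
```

In production the thread index would be fed from the mail store rather than built per message, and the sender check should also consider the display name, which the lookalike here reuses unchanged.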
4. Malvertising
Attackers are getting SEO-savvy, jumping on the hype of trending topics and placing fake adverts online to take advantage of higher web traffic. Attackers are going to great lengths to trick users, placing ads on reputable search engines to further increase the credibility of spoofed webpages. We see this done most often for software updates or popular programmes such as Audacity.
It’s now even harder for users to avoid fake sites, as they can be directed to them by following adverts from online spaces that might be considered ‘safe,’ like Google, Twitter, or LinkedIn.
5. New file formats
To add to the threats users are facing, attackers' preferred method of malware delivery, email, is becoming more diverse so that it can slip past detection tools. Attachments and links are still heavily used, but threat actors are changing the file types they use to deliver malware almost daily to stay ahead of security measures.
It’s not just Microsoft Word and Excel files being used to deliver malware anymore – attackers are being more creative to try to get around antivirus and email gateways. In the previous year alone, we’ve seen attackers using everything from malicious PDFs and OneNote files to malicious Chrome extensions to infect users. And security training simply can’t keep up with the onslaught of new techniques users are being exposed to.
We’re All in This Together
It is essential to recognize that users cannot solely bear the blame for security breaches. No one person is responsible for security – it’s something everyone should engage in and participate in. While technical controls, security training, and incident response play crucial roles, users will always remain vulnerable targets, and it only takes one click to trigger a breach.
A successful security strategy involves planning for failure and implementing measures to minimize the impact of breaches. A layered defense starting at the endpoint empowers employees with the necessary tools to do their job without fear. This will require a balance between being as unobtrusive as possible to avoid end-users trying to circumvent security, whilst also embedding layered security measures. With endpoint isolation, least privilege access, and a robust defense strategy, businesses can effectively protect against malware and ransomware attacks delivered through phishing.
Technology plays a pivotal role in safeguarding against security breaches. By providing the right cybersecurity tools, users can confidently click on links without fear of compromising sensitive data. Emphasizing the importance of technology in the security landscape, businesses can create an environment where users can work securely and efficiently. Ultimately, the combination of a proactive security approach and the integration of advanced technologies will bolster defenses and reinforce protection against evolving cyber threats.