The Elements of a Convincing Phishing Attack

Cassie Chadwick was a fraudster at the turn of the 20th century. Chadwick committed an early version of identity theft to carry-out wire fraud, convincing banks that she was Andrew Carnegie’s illegitimate daughter to take out loans against this claim. In 1905, Cassie was sentenced to ten years in prison for defrauding a bank. Successful scams, like Chadwick’s, become the stuff of legend. Over the centuries, fraudsters have used social engineering and similar scams to amass vast sums of money by tricking their targets. Today, fraudsters use modern communications such as email to carry-out scams. However, they still need to use the elements of a convincing story to make sure that a phishing email successfully tricks its recipient. Here are the elements of a convincing phishing attack.

Why Focus on Phishing Attacks?

Phishing attacks have been around since the early days of email. This makes sense as email can be used as the connecting point between a hacker and the corporate network; aka, a communication gateway that can open that network by helping to steal passwords, usernames, and email addresses or deliver malware. Phishing remains the “most common attack vector” according to the latest UK government research presented in the report “Cyber Security Breaches Survey 2021”. The reason for the continued use of phishing is because it continues to be highly successful with up to 32% of employees clicking on a phishing email link and up to 8% not even knowing what a phishing email is. A single employee clicking a phishing email link then entering login credentials puts the entire company at risk of a data breach or malware infection. Even employees with lower access privileges can still lead to privilege escalation and data breaches. Phishing is a main point of attack, and as such, cybercriminals put effort into making this attack vector convincing to ensure success.

Elements of Success for Phishing Employees

To successfully phish an employee, a fraudster needs to make sure the entire phishing campaign is convincing from the look and feel of the email, right the way through to any spoof site that the phishing links take the employee to. The elements of a convincing phishing campaign are increasingly sophisticated and involve:

Brand Impersonation

Brand spoofing has been used since the advent of email phishing. Certain brands are popular with companies, and they are consistently used to trick recipients into believing the email is legitimate and handing over their personal information. Check Point carries out regular research into the most popular brands that are used as a basis for phishing campaigns. One of the most spoofed brands in 2021 was Microsoft, the brand being used in around 45% of phishing campaigns in Q2 of 2021.

Rogue, Long, and Redirected URLs

Hovering over a link in an email is not always a sure-fire way to spot a malicious link. Recently, fraudsters have started to use ‘rogue URLs’ to mask the malicious nature of a phishing link. This typically involves hiding the true address of a link using special characters. A URL Encoder is used to change a URL by adding percentage signs, i.e., starting a URL string with a % character to hide the true nature of a web address. These URLs are accepted by Google so is hard to prevent using static content filters. Very long URLs are also used to mask a malicious web address. Email links on mobile devices are notoriously difficult to see, and very long URLs are making it even more difficult to spot suspicious links. The use of multiple links and redirects is also now used to confuse users. A recent multi-redirect phishing campaign took users through a series of redirects, ending in a Google reCaptcha page that then finally redirected to a spoof Office 365 page where login credentials were stolen.

False Security Signals

People can no longer rely on the use of security signals to indicate a website is trustworthy. For example, the lock symbol seen on certain websites and is associated with the S at the end of HTTP, i.e., HTTPS. This indicates that a website uses a digital certificate (SSL certificate) as a signal that it is a secure site. However, the Anti-Phishing Working Group (APWG) identified that 82% of phishing sites used an SSL certificate in Q2 of 2021.

Social Engineering Tricks

All the above tactics are backed up by several well-tested social engineering tricks that catch out employees, moving them to the next level of the phishers campaign game. It is the social engineering aspect of phishing that allows cybercriminals behind the campaign to kickstart the process that ends in ransomware, data breaches, and other types of cyber attacks. Social engineering is a coverall term that uses a variety of techniques to manipulate employee behaviour; typical methods include:

• Urgency: a phishing email or text message might use an urgent request to perform a task. Business Email Compromise (BEC) that applies phishing components in the attack often uses this trick. An example is a spoof email that may look like it is from a high-level executive with an urgent request to transfer money to a new client or risk losing the client.

• Other emotional triggers: fraudsters play with people’s emotions to make them perform tasks such as clicking on a malicious link in an email or providing sensitive information. Curiosity, concern over security, wishing to please, and wanting to do a job well, are all used as phishing bait.

• Spear phishing and reconnaissance: to perfect their phishing attacks, fraudsters may use spear phishing. This targeted form of phishing is behind many attacks, but it does require more effort by fraudsters as they create emails that closely reflect the role of the individual being targeted. To make spear phishing emails a success, fraudsters typically carry out reconnaissance of the target before creating the phishing campaign.

Cybercriminals are masters at creating successful phishing campaigns and the statistics prove this. A report by the APWG said that “after doubling in 2020, the amount of phishing has remained at a steady but high level.” The elements of a convincing phishing attack are tried, tested, and trusted by fraudsters. By understanding these elements an organisation can more effectively mitigate them.

How To Defend Your Organisation Against a Phishing Attack 

Increasingly, the elements of a successful phishing attack are based on applying techniques to evade traditional anti-phishing technologies such as content filters. This doesn’t mean to say that content filters do not play a part in protecting a company against sophisticated phishing campaigns. However, they cannot be relied upon. Phishing campaigns continue to use the human in the machine as their way into a corporate network. We should expect this situation to continue, and for phishing campaign developers to always find ways around technology. A layered approach to phishing control is to empower your workforce with the tools to prevent successful phishing. By using a mix of Security Awareness Training coupled with the use of ongoing phishing simulation exercises, a workforce is primed to spot a phishing email before it becomes an entry point.