Today’s most common phishing techniques pose a severe cyber threat, because they let bad guys sneak a phishing email past security filters and right into the unlucky target’s inbox.

A well-designed phishing email is almost (if not entirely) the spitting image of a genuine email from a reputable company, making it incredibly hard to detect by the untrained eye. This is why you should provide your employees with solid knowledge of the phishing techniques that the bad guys use. Furthermore, they should be equipped with the best anti-phishing practices for every existing phishing method to protect themselves and your business.

Common phishing techniques are highly sophisticated and effective.

This article will walk you through the most common phishing techniques out there: highly sophisticated obfuscation strategies used by hackers to circumvent defenses. More often than not, they’re invisible to the user and bypass Exchange Online Protection (EOP) and secure email gateways (SEGs).

What is Phishing?

Phishing is a cyberattack in which cybercriminals pretend to be a reputable entity or person, using various online communication channels to distribute malicious links or attachments. These can perform a variety of functions, but all serve one end: stealing the victim’s data for financial gain.

This type of online fraud relies on subtle and cunning social engineering: cybercriminals exploit human trust to steal the victim’s sensitive data, which is a lot easier than breaching a computer’s or a network’s defenses.

5 Most Common Phishing Techniques

1. Using legitimate links

The majority of email filters scan for known malicious URLs. However, to avoid detection, scammers add genuine links to their phishing emails, tricking email filters into “assuming” the email is good to go. For instance, in recent Microsoft Office 365 phishing emails detected by Vade Secure, the attacker included a legitimate reply-to email address and legitimate links to Microsoft’s community, legal, and privacy webpages. They also added a link to Microsoft’s contact preferences page.

Phish impersonating Microsoft. Source: VadeSecure

2. Mixing legitimate and poisoned code together

In the below screenshot of a Wells Fargo phishing scam, the phisher even included a link to the bank’s fraud information center. Oh, the irony.

Phish impersonating Wells Fargo. Source: VadeSecure

EOP can detect the signatures of known phishing emails or viruses. One method to hide the signature is to mix malicious and legitimate code. For instance, complex Microsoft phishing pages include CSS and JavaScript from genuine Microsoft pages. Other strategies include arbitrarily encoding characters, adding invisible text, white spaces, and assigning random values to HTML attributes. This way, the email appears unique to the filter.

3. Abusing redirections and URL shorteners

Time is vital in phishing. To persuade their victims to believe nothing is suspicious, phishers will often redirect them to a legitimate website right after the phishing attack.

“Time-bombing” is another form of redirect abuse and involves a URL redirect from a genuine webpage to a malicious one. This method is very effective because the URL redirect to the phishing page is only created after the poisoned email has made it into the victim’s inbox.

Another obfuscating phishing technique consists of using URL shorteners such as TinyURL or Bitly. These are free tools that shorten long URLs, transforming them into aliases that don’t resemble the original URL at all. Most email filtering software won’t recognize a known malicious destination when it is hidden behind a shortened URL.
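Because a shortener or a redirect hides the real destination, a filter should expand the chain before it judges the link. The following Python is an added example, not code from the article or from any product it names. It follows HTTP redirects through an injected `head` function so the logic runs offline here against a constructed redirect table; in production you would pass a function that issues a real HEAD request with a short timeout and returns its Location header. The shortener list, the hop limit and the blocklist are illustrative assumptions.

```python
"""Expand shortened and redirecting links before checking them against a
URL blocklist, so the real destination is what gets judged.

Added example, not from the article or any product it names. `head` is
injected so the chain can be followed offline against FAKE_REDIRECTS.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlsplit

# Hypothetical list of shortener hosts to watch for; extend from your own data.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
MAX_HOPS = 10          # assumption: longer chains are treated as suspicious


def hostname(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


@dataclass
class ResolvedLink:
    original: str
    final: str
    chain: List[str] = field(default_factory=list)
    used_shortener: bool = False
    loop: bool = False
    too_many_hops: bool = False

    @property
    def host_changed(self) -> bool:
        return hostname(self.original) != hostname(self.final)


def resolve(url: str, head: Callable[[str], Optional[str]]) -> ResolvedLink:
    """Follow the redirect chain. `head(url)` returns the Location header
    of a 3xx response, or None when the URL does not redirect."""
    result = ResolvedLink(original=url, final=url, chain=[url])
    seen, current, hops = {url}, url, 0
    while True:
        if hostname(current) in SHORTENER_HOSTS:
            result.used_shortener = True
        location = head(current)
        if location is None:
            break
        if hops >= MAX_HOPS:
            result.too_many_hops = True
            break
        nxt = urljoin(current, location)   # Location may be relative
        if nxt in seen:
            result.loop = True
            break
        seen.add(nxt)
        result.chain.append(nxt)
        current, hops = nxt, hops + 1
    result.final = current
    return result


def reasons(link: ResolvedLink, blocklist) -> List[str]:
    """Why a link deserves scrutiny; an empty list means nothing was found."""
    out = []
    if hostname(link.final) in blocklist:
        out.append("final_host_blocklisted")
    if link.used_shortener:
        out.append("shortener_in_chain")
    if link.host_changed:
        out.append(f"host_changed:{hostname(link.original)}->{hostname(link.final)}")
    if link.loop:
        out.append("redirect_loop")
    if link.too_many_hops:
        out.append("too_many_hops")
    return out


# Constructed redirect table standing in for live HEAD responses.
FAKE_REDIRECTS = {
    "https://bit.ly/3abcxyz": "https://news.example.com/track?id=7",
    "https://news.example.com/track?id=7": "/go/signin",
    "https://news.example.com/go/signin": "https://account-check.invalid/signin",
    "https://tinyurl.com/loop1": "https://tinyurl.com/loop2",
    "https://tinyurl.com/loop2": "https://tinyurl.com/loop1",
}


def fake_head(url: str) -> Optional[str]:
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    blocklist = {"account-check.invalid"}    # constructed sample blocklist
    for start in ("https://bit.ly/3abcxyz", "https://tinyurl.com/loop1",
                  "https://www.example.com/"):
        link = resolve(start, fake_head)
        print(start, "->", link.final, reasons(link, blocklist))
```

One caveat follows directly from the “time-bombing” trick above: expanding the chain at delivery time cannot see a redirect that is created after the email has landed, so this check is only complete when links are rewritten and re-expanded at click time as well.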

4. Altering brand logos

Similarly to other elements of known phishing webpages, logos have HTML attributes that email filters can spot. However, to evade detection, scammers modify brand logos ever so slightly, in ways that are undetectable to users but make the logo unique to a filter. For instance, hackers can alter the color or shape by changing only one character, and the signature will differ from that of a known phishing page.

5. Puzzling the filter with too much noise or too little content

Oftentimes, threat actors circumvent detection by adding little to no content in their malicious emails. One variety of this method that is gaining traction is the use of an image instead of text. With no content to scan, the email filter might be tricked into thinking the email is clean. For example, in the picture below, the text that you see is, in fact, just an image.

Phishing email impersonating Apple with an image instead of text. Source: VadeSecure

On the other hand, the opposite strategy is to fill an email up with too much content, or noise. This approach works because the padding is random: the extra code is just gibberish, with no purpose or meaning whatsoever, so it confuses the filter.

In the image below, the scammer stuffs the code with a random line of dialogue from “Pulp Fiction.”

Code stuffed with a dialogue from “Pulp Fiction” to confuse the filter. Source: VadeSecure
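Several of the tricks described on this page (the legitimate-looking links in section 1, the hidden text and random HTML attributes in section 2, and the image-only or noise-stuffed bodies in section 5) leave measurable traces in the HTML of the message body. The following Python is an added example, not code from the article or from VadeSecure, of a small scanner that surfaces those traces using only the standard library. The sample emails are constructed, and the thresholds (ten visible words, half of attributes random, and so on) are illustrative assumptions rather than tuned values.

```python
"""Heuristic scanner for body-level evasions: image-only emails, hidden
padding text, random attribute stuffing, and links whose displayed text
names a different host than the href.

Added example, not from the article or any product it names. Thresholds
are illustrative assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt)?(?![.\d])", re.I)
RANDOM_VALUE = re.compile(r"^[A-Za-z0-9]{12,}$")          # long token, no separators
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class EmailBodyScanner(HTMLParser):
    """Collects visible vs. hidden text, images, attributes and links."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self.links = [], [], []
        self.images = self.attr_total = self.attr_random = 0
        self._stack = []      # one hidden-flag per open element
        self._link = None     # [href, [text chunks]] while inside <a>

    def _inspect(self, tag, attrs):
        attrs = dict(attrs)
        for value in attrs.values():
            self.attr_total += 1
            if value and RANDOM_VALUE.match(value):
                self.attr_random += 1
        if tag == "img":
            self.images += 1
        if tag == "a" and attrs.get("href"):
            self._link = [attrs["href"], []]
        style = attrs.get("style") or ""
        return tag in ("script", "style") or bool(HIDDEN_STYLE.search(style))

    def handle_starttag(self, tag, attrs):
        hidden = self._inspect(tag, attrs)
        if tag not in VOID_TAGS:
            self._stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        self._inspect(tag, attrs)        # <img .../> never opens a scope

    def handle_endtag(self, tag):
        if tag == "a" and self._link:
            self.links.append((self._link[0], " ".join(self._link[1])))
            self._link = None
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        (self.hidden if any(self._stack) else self.visible).append(text)
        if self._link:
            self._link[1].append(text)


def link_mismatch(href, text):
    """True when the displayed text names a host other than the href's host.
    Simplification: exact host comparison (comparing registered domains
    would need a public-suffix list)."""
    host = (urlsplit(href).hostname or "").lower()
    shown = DOMAIN_IN_TEXT.search(text)
    return bool(host and shown and shown.group(1).lower() != host)


def scan(html):
    p = EmailBodyScanner()
    p.feed(html)
    p.close()
    visible = len(" ".join(p.visible).split())
    hidden = len(" ".join(p.hidden).split())
    findings = []
    if p.images and visible < 10:
        findings.append("image_only_body")
    if hidden and hidden >= visible:
        findings.append("hidden_text_padding")
    if p.attr_total >= 5 and p.attr_random / p.attr_total >= 0.5:
        findings.append("random_attribute_stuffing")
    findings += [f"display_mismatch:{h}" for h, t in p.links if link_mismatch(h, t)]
    return {"visible_words": visible, "hidden_words": hidden,
            "images": p.images, "findings": findings}


# Constructed sample bodies (not real messages).
IMAGE_ONLY = """<html><body>
<a href="https://appleid-verify.invalid/login"><img src="cid:body.png" alt=""></a>
</body></html>"""
NOISE_STUFFED = """<html><body>
<p>Your account needs verification. <a href="https://secure-login.invalid/x">Sign in</a></p>
<div style="display:none">This sentence is filler that no reader will ever see, placed
here only to change the hash of the message body and nothing more than that.</div>
<span a1="k3jd9s8f7g6h5j4k" b2="x8c7v6b5n4m3l2k1" c3="q1w2e3r4t5y6u7i8" d4="p0o9i8u7y6t5r4e3"></span>
</body></html>"""
LOOKALIKE_LINK = """<html><body>
<p>Review the update at <a href="https://account-review.invalid/ms">https://www.microsoft.com/privacy</a>.
See also <a href="https://www.microsoft.com/legal">Legal</a>.</p>
</body></html>"""
CLEAN = "<html><body><p>Hi team, the meeting moved to 3pm on Thursday. Agenda attached. Thanks, Dana</p></body></html>"

if __name__ == "__main__":
    for name, body in [("image_only", IMAGE_ONLY), ("noise", NOISE_STUFFED),
                       ("lookalike", LOOKALIKE_LINK), ("clean", CLEAN)]:
        print(name, scan(body))
```

The scanner deliberately counts words rather than bytes, so whitespace padding and encoded characters do not inflate the “content” a filter sees, and it records every link so that a later stage can expand redirects before deciding whether the mix of genuine and malicious URLs is benign.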

Train Your Employees With ATTACK Simulator’s Phishing Simulations

Thinking you’ll dodge the bullet (or hook)? Think again. Figures paint a rather grim cybercrime landscape.

Phishing attacks can be catastrophic, resulting in immense financial damage or even the end of your business.

You need security awareness training for your employees for many reasons:

  • To prevent cyberattacks and breaches
  • To strengthen your technological defenses
  • To attract more customers
  • To make you more socially responsible
  • To empower your employees
  • To meet compliance standards
  • To prevent downtimes and maintain a good reputation

Our realistic phishing simulations will expose your employees to life-like hands-on fake phishing attacks.

Here are some awesome perks of choosing us:

  • Automated attack simulation – we simulate all kinds of cyberattacks: phishing, malware, ransomware, spear-phishing, identity theft, online privacy attacks, online scams etc.
  • Real-life scenarios – we evaluate users’ vulnerability to giving company-related or personal data away, using realistic web pages.
  • User behavior analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain malware file replicas, to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will be redirected to landing pages with quick reads on the best security practices.
  • We impersonate popular brands on our simulated phishing pages – the user will be more tempted to click on the URL or open the attachment in the email.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.

Everything being said, would your employees take the bait? Put them to the test with our free security awareness training trial and know for sure!

Attribution:

Computer photo created by rawpixel.com – www.freepik.com