Did you know that phishing scams are over 25 years old?
The first phishing emails went out in the early 90s, targeting AOL users. The first recorded mention of the term “phishing” also has an AOL connection: it appeared in a Usenet newsgroup in connection with AOHell, a program designed to steal AOL users’ passwords and credit card information.
Since then, phishing has grown into a massive “industry.” Phishing remains among the top breach action varieties, accounting for 36% of data breaches in 2020. 57% of organizations experienced this type of scam during the year, compared to 55% in 2019.
So how are phishing scams evolving?
More importantly, how can your organization protect itself?
Evolving Phishing Scams: Common Techniques
Even though the AOL/AOHell phishing scam was shut down, the scammers created a set of common phishing techniques that endure today.
Then, as now, phishers registered dozens of domains that looked like legitimate sites, used email “worm” programs to send out fake emails in bulk, and fooled recipients into clicking on fake sites and entering sensitive information. These techniques still play a starring role in most phishing scams.
Phishing has also evolved from its early days. Today, many scams are automated, contain engaging subject lines, and resemble genuine emails sent by trusted sources. Also, unlike their predecessors, modern phishers send out only a small number of dodgy emails. With such “targeted” scams, they avoid creating the “noise” that email filters could detect.
Polymorphic Phishing Scams
In polymorphic phishing scams, attackers make slight or random changes to an email’s elements (subject line, sender name, domains, etc.), allowing them to hide from signature-based email defence solutions or automated link-scanning programs.
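One defensive answer to the evasion described above is to stop matching on exact signatures and instead match on what the attacker cannot cheaply change: the shape of the message once its cosmetic mutations are normalized away. The following is an added example, not code from the original article or from any product it mentions. The two sample messages are constructed variants of one hypothetical campaign, and all hostnames are placeholders.

```python
import hashlib
import html
import re
from urllib.parse import urlparse

# Constructed samples: two variants of the same hypothetical campaign. They
# differ only in the ways a polymorphic sender would vary them: capitalization,
# punctuation, whitespace, invoice numbers, HTML entity encoding of a letter,
# sender address domain and link domain.
VARIANT_A = {
    "subject": "Invoice #48213 is overdue",
    "from": "Accounts Team <billing@example-pay.com>",
    "body": "Dear customer, your invoice 48213 is overdue. "
            "Review it at https://example-pay.com/inv/48213?x=1",
}
VARIANT_B = {
    "subject": "INVOICE #97720 is OVERDUE!",
    "from": "ACCOUNTS   Team <billing@example-pay.co>",
    "body": "Dear   customer, your invoice 97720 is &#111;verdue. "
            "Review it at https://example-pay.co/inv/97720?x=9",
}
# A constructed message from a different (hypothetical) campaign.
UNRELATED = {
    "subject": "Your password expires today",
    "from": "IT Helpdesk <it@example-corp.com>",
    "body": "Reset it now at https://example-corp.com/reset?u=42",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def exact_signature(msg: dict) -> str:
    """What a naive signature-based filter would hash: the raw fields."""
    raw = msg["subject"] + msg["from"] + msg["body"]
    return hashlib.sha256(raw.encode()).hexdigest()

def normalize_text(text: str) -> str:
    """Collapse the cheap mutations an attacker can apply to text."""
    text = html.unescape(text)                # undo &#111;-style encoding
    text = text.lower()
    text = re.sub(r"\d+", "0", text)          # every number becomes 0
    text = re.sub(r"[^a-z0-9 ]", " ", text)   # drop punctuation and emphasis
    return re.sub(r"\s+", " ", text).strip()  # collapse whitespace

def url_skeleton(url: str) -> str:
    """Keep only the path shape of a link; host and query change per victim."""
    return re.sub(r"\d+", "0", urlparse(url).path)

def campaign_fingerprint(msg: dict) -> str:
    """Hash of the normalized subject, sender display name, body text and
    link shapes. Variants of one campaign collapse to the same value."""
    display_name = re.sub(r"<[^>]*>", "", msg["from"])   # strip the address
    parts = [
        normalize_text(msg["subject"]),
        normalize_text(display_name),
        normalize_text(URL_RE.sub(" ", msg["body"])),  # body without URLs
        " ".join(sorted(url_skeleton(u) for u in URL_RE.findall(msg["body"]))),
    ]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

if __name__ == "__main__":
    print("exact signatures equal:", exact_signature(VARIANT_A) == exact_signature(VARIANT_B))
    print("campaign fingerprints equal:", campaign_fingerprint(VARIANT_A) == campaign_fingerprint(VARIANT_B))
```

Run stand-alone it reports that the exact signatures differ while the campaign fingerprints match. A real mail filter would compute such fingerprints over its quarantine and alert when many distinct "unique" messages collapse onto one fingerprint in a short window, which is exactly the low-volume, high-variation pattern polymorphic senders rely on.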
Hijacked Search Results
Phishers hide their malicious spoofed sites behind benign ones. In 2019, a phishing scam abused Google search results so that the links pointed to a legitimate site that eventually redirected to a phishing page. With this technique, they were able to send emails that contained legitimate URLs from a trusted domain, which were therefore more likely to be opened (and actioned) by victims.
Another evolving technique is the use of HTTPS for phishing sites – 74% of scams used it in Q4 2020. Spoofed websites display a lock icon in the browser address bar, fooling victims into thinking they have landed on a trusted website. Sometimes, threat actors also hack into legitimate sites to host phishing pages. It can be hard to detect such malicious activity or to prevent victims from falling for the phishing scam.
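Both tricks above defeat a filter that judges a link by its hostname or its padlock. The check a defender actually needs looks through the link for an embedded destination and treats HTTPS as evidence of encryption, not of legitimacy. This is an added example, not code from the original article; the sample links are constructed, and `search.example` and `mail.example` are placeholders for trusted sites whose redirect endpoints are being abused.

```python
from urllib.parse import urlparse, parse_qsl

# Constructed sample links (placeholders, not real campaign URLs).
BENIGN = "https://search.example/results?q=invoice"
REDIRECT = ("https://search.example/url?"
            "q=https%3A%2F%2Flogin-portal.example-bad.test%2Fsignin")
# Two redirectors chained: a trusted search site forwards to a trusted
# mail site, which forwards (double percent-encoded) to the phishing host.
CHAINED = ("https://search.example/url?q=https%3A%2F%2Fmail.example%2Fredirect"
           "%3Fto%3Dhttps%253A%252F%252Fexample-bad.test%252Fx")

def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels. Production code should
    use the public suffix list so that e.g. co.uk is handled correctly."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "")

def embedded_urls(url: str, depth: int = 0):
    """Yield every URL carried inside a query-string value, following nested
    redirect parameters up to a fixed depth. parse_qsl decodes one layer of
    percent-encoding per level, so double-encoded targets unwrap naturally."""
    if depth > 3:
        return
    for _, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")):
            yield value
            yield from embedded_urls(value, depth + 1)

def assess_link(url: str) -> dict:
    """Report where a link really lands and why a hostname allowlist or a
    padlock icon would have been misled."""
    outer = urlparse(url)
    chain = list(embedded_urls(url))
    final = chain[-1] if chain else url
    final_domain = registered_domain(urlparse(final).hostname)
    findings = []
    if chain and registered_domain(outer.hostname) != final_domain:
        findings.append(
            f"redirector: {outer.hostname} forwards through {len(chain)} hop(s) "
            f"to {final_domain}")
    if findings and outer.scheme == "https":
        findings.append("https on the outer link proves encryption, not legitimacy")
    return {"final_domain": final_domain, "hops": len(chain),
            "findings": findings, "suspicious": bool(findings)}

if __name__ == "__main__":
    for link in (BENIGN, REDIRECT, CHAINED):
        print(assess_link(link))
```

The verdict is based on the final destination's registered domain, so an allowlist keyed on the visible hostname no longer grants a free pass to anything a trusted site's redirect endpoint will forward to. The depth limit stops a crafted link with endlessly nested parameters from tying up the scanner.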
Dynamic Phishing with a Man-in-the-middle Component
A particularly clever phishing scam leverages an attacker-controlled server that fetches a legitimate company’s logos, banners, text, etc. on the fly. The attackers then send out emails with URLs pointing to this server, which serves the captured company-specific content and fools a victim into thinking that they’re on the legitimate company’s page.
Phishing-as-a-Service and Phishing Kits
The rise of Phishing-as-a-Service is helping to commoditize and commercialize phishing. Affordable “phishing kits” are now available on the Dark Web so scammers can create a convincing phishing scam with minimal effort. Such kits include some or all of the following:
- Evasion mechanisms: E.g. HTML character encoding
- Website development software
- Email templates
- Sample scripts
- Automation software for malware distribution
- Email addresses and/or telephone numbers
Strategies to Protect Your Organization from Evolving Phishing Scams
Cybercriminals have evolved, and so have their phishing techniques. However, by employing a combination of technologies and human capabilities, you can protect your organization from new phishing scams:
- Employ Machine Learning-based defence solutions to identify phishing sites (and scams) in real-time
- Use secure email gateways with anti-spam, anti-malware and policy-based filtering
- Disable automatic execution of code embedded in emails
- Identify and keep out spam by implementing Sender Policy Framework (SPF), Domain-based Message Authentication Reporting & Conformance (DMARC), and Domain Keys Identified Mail (DKIM)
- Enable Multi-Factor Authentication (MFA) to prevent account takeovers via phishing scams
- Implement network-level anomaly detection for inbound and outbound e-mails
- Run a simulated phishing penetration test to assess employees’ vulnerability to phishing
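The SPF, DKIM and DMARC recommendation is the one item in this list that an engineer can verify mechanically, and seeing the evaluation logic makes clear what each record does and does not protect against. The following is an added example, not code from the original article. It is a deliberately minimal evaluator: the DNS TXT records are constructed for a hypothetical `example.test` domain and served from a dictionary instead of real DNS, only the `ip4`, `ip6`, `include` and `all` SPF mechanisms are handled, and DKIM signature verification is assumed to have been done elsewhere (the caller passes the domain whose DKIM signature verified, if any).

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (not real records).
TXT_RECORDS = {
    "example.test": ["v=spf1 ip4:203.0.113.0/24 include:mailer.example.test -all"],
    "mailer.example.test": ["v=spf1 ip4:198.51.100.10 ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100"],
}

def lookup_txt(name: str) -> list:
    """Stand-in for a DNS TXT query."""
    return TXT_RECORDS.get(name, [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP.
    Supports ip4/ip6/include/all; other mechanisms are skipped."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:                # none or ambiguous: no SPF verdict
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":          # recursive; only a "pass" counts as a match
            matched = spf_check(value, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                     # a, mx, exists, ptr not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def org_domain(host: str) -> str:
    """Naive organizational domain (last two labels); use the public suffix list in practice."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def dmarc_policy(domain: str):
    """Parse the _dmarc TXT record into a tag dictionary, or None if absent."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = val.strip()
    return tags

def dmarc_disposition(from_domain: str, sender_ip: str, dkim_pass_domain: str = None) -> str:
    """DMARC verdict under relaxed alignment. Assumes the SMTP MAIL FROM domain
    equals the header From domain, so an SPF pass is automatically aligned.
    dkim_pass_domain is the d= domain of a signature already verified elsewhere."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"                    # no record: receivers cannot enforce anything
    spf_aligned = spf_check(from_domain, sender_ip) == "pass"
    dkim_aligned = (dkim_pass_domain is not None
                    and org_domain(dkim_pass_domain) == org_domain(from_domain))
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy.get("p", "none")       # none / quarantine / reject

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.5"):
        print(ip, spf_check("example.test", ip), dmarc_disposition("example.test", ip))
```

The walk-through shows the point of deploying all three: SPF alone says nothing about the visible From header, DKIM alone survives forwarding but says nothing about unsigned mail, and only the DMARC `p=reject` policy tells receivers to discard a message that fails both. A domain with no `_dmarc` record gets the `none` verdict, which is why the first deployment step is publishing a record with `p=none` and a `rua` address to collect reports before tightening to `quarantine` or `reject`.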
Modern phishing allows threat actors to hide from security solutions. However, Advanced Threat Protection (ATP) solutions can expose even sophisticated phishing scams, including those that hide behind legitimate domains or services or behind multiple layers of redirectors. The best ATP solutions are Machine Learning-enabled, so they can constantly learn and improve to provide continuous, reliable protection against many types of evolving phishing techniques.
Phishing scams have come a long way since the early days of AOL. Clever cybercriminals leverage clever phishing techniques, phishing kits and phishing-as-a-service to attack organizations. If you need more information about the methods and strategies discussed in this article, contact us.