We always speak of pivoting our tactics to keep up with contemporary attacks. However, given the massive evolution of the cybersecurity landscape over the past ten years, we also need to take into account that threat actors, and particularly phishing-oriented threat actors, are also changing their tactics based on us. And then we need to be ready to pivot all over again.
Ten years ago, the industry was sounding alarm bells around email security, increased malware detection, better firewalls and antivirus (now endpoint security) tools, and catching behavioral-driven signs of compromise. Well, we did it. We created the tools, the cultures, the SOCs, and the infrastructure to do a very good job at all the above.
In response, phishers changed their tactics and have been changing them ever since. What we see now is fewer email attacks against highly defended institutions and more creative attacks against non-cyber-savvy users. The rise in social engineering tactics, the exploitation of cloud-based infrastructure, and the proliferation of IoT devices and SaaS applications are broadening the scope of today’s threats. Concurrently, the increased use of AI and machine learning is already revealing the destructive potential of these technologies against the potentially unprepared mind of the average user.
This year, we’ve seen phishers increasingly taking advantage of those various inroads to try to take companies down at the user level. Now they’re hitting us with personalized phone conversations, spoofed voices, and even our own nicknames (read below). Here are just a few of the trends that signal the direction of phishing for the foreseeable future.
Social Media: Low Security, High Gains
Fortra contributed to the recent APWG Phishing Activity Trends Report which highlighted a few phishing tactics on the horizon. Per the report, social media is now the most targeted industry, garnering 32.9% of all phishing attacks. Directly following were SaaS/Webmail at 25.6%, Financial Institutions (historically a hot target) at only 10%, and the Payment industry at 7.5%.
As noted in the report, “We have observed an increased share of fraud being targeted towards sites that do not require high security, such as social media sites like Facebook and LinkedIn, and SAAS and Webmail accounts such as Microsoft Outlook and Netflix.” Additionally, banks and other highly regulated institutions are generally being seen as harder to target using traditional email phishing lures, so attackers are opting for more creative techniques.
These techniques, unsurprisingly, have everything to do with increased personalization.
Vishing: The Power of Persuasion
With an email, threat actors only get one chance. But over the phone, a clever cybercriminal can try to convince you over and over again while simultaneously gaining your trust. And with the help of AI-based voice changers, that trust can be won even more easily.
When trying to hack into an account that requires MFA, fraudsters will often opt for a phone conversation which gives them ample opportunities to gain the victim’s trust and talk them out of sensitive information. While users may have been warned to watch out for suspicious emails, calls from friendly-sounding tech advisors, “Microsoft” employees, or even “security specialists” can throw unsuspecting users for a loop.
John Wilson, Senior Fellow, Threat Research at Fortra notes that “the hybrid vishing attacks we track typically begin as an email indicating the recipient has been charged for a product or service. The messages instruct the recipient to call a phone number if they wish to cancel their order and obtain a refund.”
Another key advantage of vishing in the era of AI is voice-cloning technology. Using no more than a 10-15 second audio clip, attackers can clone the voice of another human being and deceive employees with even greater success. Imagine getting a call from your boss telling you to send an urgent invoice to a new supplier, or one from your third-party contact re-negotiating payment. A voice is a form of biometric, and one that human beings authenticate without a second thought. That is why voice-cloning technology is so pernicious. In a rising “four-word phone scam,” attackers ask, “Can you hear me?” When the victim answers “yes,” their voice gets cloned.
Nothing is more personal than someone’s voice, and when the person is trusted, their voice carries that trust with it. Exploiting that aspect of a human being is just one of the many ways in which advanced technology today is being leveraged to help phishing threat actors achieve new all-time lows.
A Personal Close-Encounter of the Phishing Kind
Just to bring it home, I thought I’d mention a sighting of next-level personalization I saw in my very own inbox.
The other day I received a message from an unknown number asking if I was interested in an online job. Normally I just delete these as junk and report them, but as I saved the scam into a dedicated folder, I noticed something that I hadn’t experienced before. The person who sent the message called me by a name that only my friends know (hint: It’s not Antonio). This got me to pause and wonder if I really did know the person — or if I was just seeing the next evolution of phishing scams.
With the amount of information that we let out into the world, I’m guessing that someone was able to create a profile of me that included not only my email and phone number, but also my full name, nickname, address, and personal details like the places I shop to personalize the message I received that day. While this was unsettling enough, in the future I would expect this kind of message to evolve into something even more personal, such as name-dropping people I know or including places I’ve recently visited.
Just like we teach users not to “click the link” but rather to navigate to the website themselves, future phishing education needs to include very much the same. This means not trusting the person on the phone (even when the number matches, as there are countless number-spoofing apps), but calling them back yourself and verifying. Even if it’s your boss. It’s come to that.
Once the threat actor can get you to fall for the initial trap, the rest is almost in the bag. Our latest Gone Phishing Tournament revealed that 60% of those who clicked on a simulated phishing email, for example, gave up their credentials on the subsequent landing page. This is why user education is one of the best defensive weapons an organization can have today against this brand of email attack.
Weaponizing Users: Phishing Simulations, Red Teaming, and SAT
When attackers came after our networks, we responded in kind with leveled-up detections and better tools. Now that the trend has shifted decisively against our users, we need to level up once again. But how do you level up the cybersecurity smarts of an entire workforce? With practice.
Phishing simulations are great practice for the kinds of scam-filled emails a user might receive while at work; they use the same tactics real attackers do, such as fake logos, persuasive and urgent language, and even “trusted” domains.
Red teaming might be unusually effective in preparing users for the creative techniques used by today’s all-too-personal attackers. Red teamers can scour social media, call executives on their home phones, phish, vish, and resort to any tactic employed by today’s threat actors in order to infiltrate the network. Once you’ve fallen for a breach of trust, especially one in which you’ve interacted directly with another human being, it’s hard to forget the experience. Experienced red team operators are some of the only ones trained and authorized to do this kind of teaching.
SAT (Security Awareness Training) is still key when educating your workforce about all the different kinds of attacks out there — BEC, vishing, social media, and AI-based exploits included. A good SAT provider will constantly be updating their training and modules to reflect the most common threats today.
The fulcrum of today’s phishing attacks is “the human element,” so today’s companies need to be mentally arming their workforce to be a better line of defense than ever before. The phishing winds are blowing hard in the direction of subtler, savvier, more humanly deceptive ploys, and organizations need to adjust their sails yet again.