Phishing - Don't be fooled by big brands

No matter how robust your firewalls and filters, phishing attempts - i.e., messages designed to dupe you into divulging information, enacting transactions, or downloading malware - can still very easily land in your inbox. 

What is a phishing attack?

A phishing attack is where a threat actor sends a fraudulent communication that appears to come from a trusted sender. If successful, the victim is coaxed into taking a specific action, such as disclosing information or clicking on a link to execute malware.

What is the goal of a phishing attack?

Phishing attacks are usually designed to coax the victim into disclosing valuable information (e.g., bank details or login credentials), to execute financial transactions, or to launch malicious scripts (e.g., to trigger a ransomware attack).

What tools are used to commit a phishing attack?

A few of the types of tools used by hackers in phishing campaigns include the following:

• Domain name permutation engines to help them generate convincing-looking domains where their bogus service will be hosted. 
• Legitimate email services (e.g., Gmail for Business) to manage the sending of messages. 
• Email extractor tools to harvest large volumes of email addresses. 
• Spam assessment tools that make it easier for scammers to create and edit messages in such a way that they avoid getting caught in spam filters. 
• Tools like BeEF and SET to generate convincing login portals, steal credentials, and send mass phishing emails.
• ChatGPT to automate the creation of phishing emails.


1. Phishing is the single most common form of cyber crime. An estimated 3.4 billion emails a day are sent by cyber criminals, designed to look like they come from trusted senders. This is over a trillion phishing emails per year. 

2. Email impersonation accounts for an estimated 1.2% of all email traffic globally. 

3. Around 36% of all data breaches involve phishing. 

Spear Phishing 

Definition: Sending messages - ostensibly from a known or trusted party - to induce specifically targeted individuals to reveal information or take specific actions. 

30. Spear phishing campaigns make up only 0.1% of all email-based phishing attacks, but they are responsible for 66% of all breaches. 

31. 50% of large organizations were targeted with spear phishing in 2022, receiving an average of five spear-phishing emails a day. 


Whaling

Definition: Also known as big phishing and CEO-fraud, this involves using precisely-engineered spoofing emails to trick senior figures within organizations into disclosing credentials, money, or information. 

Common Features of Scams 

A large proportion of attackers use fake messages that look as if they are from well-known companies. A growing number of attackers also seem to be putting AI to work to make their messages sound more convincing.   

Top Phishing Brands 

33. 55% of phishing attacks use established brand names to build credibility in their messages. 

Phishing Trigger Words 

36. The keywords most frequently used by phishing scammers in email subject lines:

  • Invoice
  • New
  • Message
  • Required
  • File
  • Request
  • Action
  • Document
  • Verification
  • eFax
  • VM
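
The subject-line keywords above and the lookalike domains mentioned under phishing tools can be combined into a simple mail-triage check. The sketch below is an added example, not part of the original article. The trusted-domain list, the digit-folding map, the score weights and the verdict thresholds are all assumptions chosen for illustration.

```python
import re

# Subject-line keywords taken from the list above.
TRIGGER_WORDS = {"invoice", "new", "message", "required", "file", "request",
                 "action", "document", "verification", "efax", "vm"}
# Constructed placeholders: replace with the domains your organization trusts.
TRUSTED_DOMAINS = {"examplebank.com", "example-payroll.com"}
# Assumed map of digit-for-letter swaps seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return None  # exact match is the real sender domain
    folded = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        # Distance <= 2 suits long names; tighten it for short domains.
        if folded == trusted or edit_distance(folded, trusted) <= 2:
            return trusted
    return None

def triage(sender, subject):
    """Keywords alone are a weak signal; a lookalike sender is a strong one."""
    # Whole-word matching, so "newsletter" does not count as "new".
    words = set(re.findall(r"[a-z]+", subject.lower()))
    hits = sorted(words & TRIGGER_WORDS)
    imitated = lookalike_of(sender.rpartition("@")[2])
    score = min(len(hits), 3) + (5 if imitated else 0)
    verdict = "quarantine" if score >= 6 else "review" if score >= 5 else "deliver"
    return {"hits": hits, "imitates": imitated, "score": score, "verdict": verdict}

if __name__ == "__main__":
    # Constructed sample messages (sender, subject).
    for sender, subject in [("billing@examp1ebank.com", "Action required: new invoice"),
                            ("alice@partner.example", "New document for verification")]:
        print(sender, triage(sender, subject))
```

Because words such as "New" and "Request" are common in legitimate mail, the keyword score is capped and never triggers a verdict by itself; it only escalates a message whose sender domain already imitates a trusted one.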