Phishing: The Golden Ticket to Bypassing Security

January 17, 2025

In a previous article, I used the story of Alex, a busy salesperson targeted by a phishing scam, to illustrate the sophisticated nature of today’s phishing attacks, as cybercriminals work to stay one step ahead of end users. I also shared some general strategies to avoid falling victim to phishing.

While these methods are broadly applicable, understanding phishing’s evolving techniques and deceptive tactics is crucial—because spotting these scams is often harder than it seems. So, what exactly is phishing?

Understanding Phishing

Phishing is, fundamentally, an identity cyberattack that uses communication (emails, texts, calls) to trick targets into providing access to sensitive data or installing malware. The target takes an action based on mistaken identity and misplaced trust in that identity. Because the target is unwittingly providing access, the malicious actor does not need to use technical means to gain access to the computer system.

The most basic phishing attack occurs when the malicious cyber actor sends a link to the target, who erroneously trusts the link and enters their credentials on the page it leads to. The malicious cyber actor then uses the credentials to commit fraud. A variation of phishing, known as smishing, uses SMS text rather than email to transmit the message.

Spear-phishing is a more sophisticated form of phishing. Unlike generic phishing emails sent to a large group, malicious actors specifically target a particular individual in a spear-phishing attack. By using personalized information, such as Alex’s friend Jade’s phone number, spear-phishing attacks appear credible and are more likely to be acted upon by the intended targets. In the future, AI-powered synthetic data, such as deepfakes, will become increasingly prevalent in spear-phishing attacks, making it harder to trust even the most trustworthy voices and faces.
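The "mistaken identity" at the heart of the attacks above is also where defenders can look for evidence. As an added illustration, not code from the article, the Python below inspects the identity headers of a few constructed messages for three common impersonation signs: a display name that contains a trusted address while the real sender is elsewhere, a look-alike sender domain, and a Reply-To that quietly routes replies to another domain. The TRUSTED_DOMAINS set and the sample messages are assumptions made for this example.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List
import unicodedata

# Domains the organization legitimately sends mail from (constructed for this example).
TRUSTED_DOMAINS = {"example.com"}

# Digit-for-letter swaps commonly seen in look-alike domains; folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample messages (headers only); none of these is from the article.
SAMPLES = {
    "legit": 'From: Jade <jade@example.com>\nReply-To: jade@example.com\nSubject: lunch?\n\nhi',
    "lookalike": 'From: Jade <jade@examp1e.com>\nSubject: urgent: wire today\n\n...',
    "display_name": 'From: "jade@example.com" <jade.helpdesk@mail-notify.net>\nSubject: reset\n\n...',
    "reply_to": 'From: Payroll <payroll@example.com>\nReply-To: payroll-team@gmail.com\n\n...',
}


def normalize_domain(domain: str) -> str:
    """Fold Unicode confusables and digit/letter swaps so examp1e.com compares equal to example.com."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return folded.lower().translate(HOMOGLYPHS)


def identity_findings(raw_message: str) -> List[str]:
    """Return the identity red flags found in one RFC 5322 message (headers only)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name that itself looks like a trusted address while the real
    #    sender is somewhere else: display-name impersonation.
    if "@" in display_name and display_name.rpartition("@")[2].lower() != from_domain:
        findings.append("display-name address does not match sender domain")

    # 2. Untrusted sender domain that collapses to a trusted one after folding.
    if from_domain not in TRUSTED_DOMAINS and normalize_domain(from_domain) in TRUSTED_DOMAINS:
        findings.append(f"look-alike domain {from_domain}")

    # 3. Replies silently routed to a domain other than the one the user sees.
    reply_domain = parseaddr(msg.get("Reply-To", from_addr))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from {from_domain}")

    return findings


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13s} -> {identity_findings(raw) or ['no identity red flags']}")
```

Checks like these are only a first filter; a mail gateway would combine them with authentication results (SPF, DKIM, DMARC) and sender reputation before acting.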

Phishing as an Attack Vector

The big secret of cybersecurity is that it is not especially challenging to get sensitive personal or organizational information, but it is difficult to monetize that access. Phishing offers a straightforward solution. Phishing thrives because it offers a comparatively low-effort, high-reward pathway to monetization. Cybercriminals can use stolen personal information, such as Social Security numbers, credit card details, and bank account information, to commit identity theft and financial fraud. They can make fraudulent purchases, take over accounts, open new accounts, or even take out loans in the target’s name.

Additionally, a reverse proxy established on a compromised system can serve as a command and control (C2) channel, enabling the malicious cyber actor to remotely control that system to install malware, pivot to other systems on the network, and launch further attacks.

Phishing attacks can go beyond simple credential theft. They can also function as a delivery mechanism for more sophisticated malware, blurring the line between phishing and other cyberattacks. These types of advanced attacks should be classified as something other than phishing. For example, NSO Group, Candiru, Sourgum, and Intellexa are four commercial surveillance tool makers whose cyber tool payloads have been delivered via phishing. Security researchers have linked these companies to sophisticated phishing or smishing cyber tools that use zero-day or zero-click exploit payloads. These tools combine the social engineering tactics of smishing with well-executed, sophisticated technical exploits to achieve their goals.

Phishing's popularity as a cyberattack technique stems from its ease, flexibility, and low risk for perpetrators. The low barrier to entry is a significant factor; unlike complex malware development or network intrusions, phishing attacks need minimal technical expertise and resources, making them accessible to a broad spectrum of cyber actors. Phishing’s remarkable adaptability amplifies this accessibility. Attacks can be meticulously tailored (spear-phishing) to target specific individuals with personalized lures, or scaled up to target entire organizations (whaling) by impersonating high-ranking executives. Even more broadly, business email compromise (BEC) extends the attack to the target’s supply chains. Phishing attackers exploit our human nature. They meticulously study how we think and make decisions, leveraging our cognitive biases to craft phishing lures that trick us into making irrational choices.

The diffuse nature of phishing attacks, which often target individuals, makes them difficult to trace and prosecute, creating a low-risk environment for cybercriminals. These attacks often go unnoticed, or are difficult to trace back to perpetrators across international borders, further reducing the perceived risk for malicious cyber actors and solidifying phishing's position as a highly favored attack vector.

In 2023 alone, phishing attacks accounted for over $2.9 billion in losses, according to the FBI’s Internet Crime Complaint Center (IC3) (2023 Internet Crime Report). When combined with data breaches, credential theft, and the operational expenses tied to MFA and password-based systems, the aggregate cost of phishing losses is significant.

Phishing attacks often have a direct and immediate financial motive. Cybercriminals who use phishing seek to steal sensitive financial data, such as usernames, passwords, and credit card information. This stolen data grants them direct access to victims' accounts, allowing them to make fraudulent purchases, transfer funds, or withdraw cash using the stolen credentials. This direct access eliminates the need for complex and costly money laundering schemes, which aim to disguise the origin of illicit funds: there is no need to obscure where the money came from or move it through intermediate accounts to hide their tracks. Because the costs of money laundering can significantly reduce the profitability of cybercrime, the direct account access that phishing provides is more lucrative. Phishing thus offers a straightforward pathway to immediate financial benefits, making it a highly efficient and appealing method for cybercriminals seeking rapid, low-risk returns.

The increasing use of multi-factor authentication (MFA) and “advanced email security” systems can make it more challenging for malicious cyber actors to use stolen credentials. Phishing attacks that rely on stolen passwords are rendered ineffective by MFA, but MFA implementations come with their own associated costs, including financial, operational, and potential hidden expenses. This is an active area of development, with innovative approaches emerging.

Advanced email security systems, leveraging AI, behavioral analytics, and sandboxing, can identify and neutralize most phishing attempts. Additionally, the adoption of zero-trust security models can detect and block such attacks. Users may not notice this sophistication, because it operates in the background without their knowledge. Companies such as Microsoft, Darktrace, and Proofpoint are at the forefront of these innovations, indicating a broader industry trend toward more secure and resilient systems that challenge the dominance of phishing as the most popular cyberattack technique.

While sophisticated email security solutions have made significant strides in blocking phishing attempts, they are not perfect. Implementing and maintaining advanced email security solutions can be expensive and complex.

See the previous article in this series to learn 10 things you can do to protect yourself from this cyberattack.

Sean Grimaldi

Member of the Board of Advisors