Why modern-day phishing attacks continue to be successful
 Previous techniques like hover and poor grammar are no longer indicative of modern-day phishing attacks, says Lance Spitzner at SANS Security Awareness, and urgency and pressure in the message are more indicative.
 Phishing has been and continues to be one of the most common attack methods cyber attackers use because it is so effective. Phishing is a simple attack vector that enables cyber attackers to bypass most security controls. Reports like the Verizon DBIR or the Microsoft Digital Defence report continue to identify phishing as a top risk.
 Over the past several years phishing has continued to evolve. While many of the emotional lures used to get people to fall victim remain the same, we have seen changes in both cyber attacker modalities and goals.
 Modalities
 Traditionally phishing was done through email. However, we have seen a shift where messaging technologies are also being used, including Apple’s iMessage, WhatsApp and standard SMS functionality. Texting phishing attacks have become increasingly popular as many phones lack any type of filtering capability, which means scams and attacks are far more likely to get through.
 Also, since text messages tend to be much shorter with little context, it is much harder to confirm what is legitimate versus what is an attack. As such, when training your workforce, emphasize that phishing attacks no longer just happen over email, but via any messaging technology.
 Goal
 Traditionally the goal of cyber attackers with phishing attacks was to install malware on the victim’s computer. However, malware infections are becoming easier and easier for security teams to detect, so that approach has radically changed.
 In today’s world we are seeing three other goals of phishing attacks.
 Gaining passwords
 Phishing is used to get victims to click on a link that takes them to a website that harvests their passwords. Once an individual’s credentials are stolen, cyber attackers can cause a great deal of damage while operating undetected. For example, cyber attackers will send out emails pretending to come from people’s banks so they can reuse those credentials to access and steal money from people’s personal financial accounts.
 Another common phishing lure is sending emails out pretending to come from Microsoft so attackers can steal people’s login credentials for their work-related Microsoft 365 cloud accounts.
 Lance Spitzner, Director, SANS Security Awareness
 Getting people on the phone
 An increasing number of phishing attacks have no link or attachment, only a phone number as their point of attack. The cyber attacker’s goal is to get the victim to call a
 www.intelligenttechchannels.com