The problem with phishing is not just its relentless onslaught—it’s that threat actors continue to evolve toward more advanced phishing attacks. The ability to psychologically manipulate and dupe people into taking certain actions helps adversaries bypass many types of security controls and solutions.
Awareness about phishing must extend beyond the basic scams that many people can now recognize. This article gives an overview of some of the more advanced phishing attack techniques used by threat actors and offers some tips to help your business and employees combat them.
Advanced phishing attacks surged by 356 percent in 2022 alone. Here are some of the techniques we’re seeing these attacks employ.
File hosting services like Dropbox or Drive are typically trusted sources, so email security tools tend not to flag them as suspicious. Using this tactic increases the likelihood of phishing emails reaching their intended targets, which is half the battle. The trust here is amplified by the fact that users also inherently trust the most popular file-sharing services, so emails containing links to SharePoint or Drive are less likely to set alarm bells ringing.
Since the harmful payload or link is hosted on a legitimate service, it’s easier for attackers to hide their malicious activities. The phishing activity happens when the user interacts with the hosted file, not directly within the email, making it more difficult for security systems to detect. With a well-crafted and convincing email, these attacks can result in stolen credentials or malware and ransomware downloads onto targets’ systems.
You probably remember invisible ink from your childhood, sending hidden messages to friends using pens with UV light. A similar concept has now crept into the domain of phishing, only here it serves as a crafty way to avoid being flagged by spam filters and other email security tools.
Invisible ink phishing attacks work by embedding invisible characters into emails using some manipulation of Unicode and HTML. One tactic is to use a soft hyphen to break up words commonly flagged by email gateways as indicative of spam. The soft hyphen lets the email’s content bypass detection. Another invisible ink tactic uses zero-point font sizes to break up words like account or reset.
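A filter can counter both tricks by normalizing the message to what the reader actually sees before matching keywords. The Python sketch below is an added example, not code from the original article; the keyword list, the sample message and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Soft hyphen plus common zero-width code points (assumed, non-exhaustive list).
INVISIBLE = "\u00ad\u200b\u200c\u200d\u2060\ufeff"
ZERO_FONT = re.compile(r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|!|$)", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}
KEYWORDS = ("account", "reset", "password")  # hypothetical gateway watch list
# Constructed sample body: soft hyphen, zero-width space, zero-font-size filler.
SAMPLE = ('<p>Please re&shy;set your pass\u200bword. Your '
          'acc<span style="font-size:0px">xyz</span>ount is locked.</p>')

class VisibleText(HTMLParser):
    """Collects all text plus the text a reader sees (zero-size elements skipped)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack, self.raw, self.shown, self.zero_font_runs = [], [], [], 0

    def handle_starttag(self, tag, attrs):
        hidden = bool(ZERO_FONT.search(dict(attrs).get("style") or ""))
        if tag not in VOID:  # void elements never get an end tag
            self.zero_font_runs += hidden
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed children
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.raw.append(data)
        if not any(hidden for _, hidden in self.stack):
            self.shown.append(data)

def analyze(html, keywords=KEYWORDS):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    raw = "".join(parser.raw)
    rendered = "".join(parser.shown).translate(str.maketrans("", "", INVISIBLE))
    return {
        "invisible_chars": sum(raw.count(c) for c in INVISIBLE),
        "zero_font_runs": parser.zero_font_runs,
        # Words a naive scan of the raw text misses but the reader sees.
        "concealed": [k for k in keywords
                      if k in rendered.lower() and k not in raw.lower()],
        "rendered": rendered,
    }
```

A non-empty `concealed` list is the useful signal: legitimate mail may contain soft hyphens, but watch-list words that only appear after normalization indicate deliberate obfuscation.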
Demonstrating the innovation and adaptability of threat actors, fake Zoom meetings have emerged as a more advanced phishing technique that exploits the commonality of work-from-home arrangements. In a post-Covid world, many companies still offer their employees the chance to WFH at least part of the time, necessitating frequent Zoom meetings.
The fake Zoom meeting scam uses branded Zoom emails to trick targets into thinking they’re missing an in-progress meeting or to prompt them to view the details of an upcoming one. Upon clicking the link, the target gets redirected to a malicious domain set up to appear exactly like the legitimate Zoom login page. The person then enters their Zoom credentials, which get stolen. And in a world where 53 percent of people reuse the same password for multiple accounts, a set of Zoom credentials can result in access to a host of other services and apps.
Business Email Compromise (BEC) is a highly targeted phishing technique where cybercriminals impersonate executives or other high-ranking personnel within a company to trick employees, partners or vendors into transferring money or sensitive information. As an advanced phishing attack, BEC is effective for several reasons:
Calendar phishing is a relatively new form of phishing attack where cybercriminals exploit calendar applications to send unsolicited event invites containing phishing links or deceptive content. The idea behind this advanced phishing technique is similar to the fake Zoom invites.
The attacker sends a calendar invite to a user’s email address. This email often bypasses spam filters because it comes in the form of a meeting invite rather than a traditional email. The calendar event can contain a link or message that is malicious in nature. This might be a link to a site designed to capture login credentials, a download that installs malware on a user’s system, or a scam aimed at defrauding someone.
Deepfake phishing is a sophisticated form of phishing that piggybacks off artificial intelligence (AI) developments to create convincing fake videos, images or audio recordings. Cybercriminals use AI technology to create realistic deepfakes, which can depict a person doing or saying something they didn’t.
This technology can be used to mimic CEOs or colleagues in an incredibly realistic way. In one real-world attack from 2020, threat actors cloned a company director’s voice using AI. A branch manager then began transferring hundreds of thousands of dollars to accounts controlled by the attackers.
Advanced phishing attacks can make it feel like the battle against this human element in cybersecurity is destined to fail. But just because these attacks are sophisticated, that doesn’t mean your business is powerless to stop them.
Defending against advanced phishing attacks requires a multi-layered approach that combines technology, policy, and training.
Nuspire’s managed detection and response service helps to round off your multi-layered approach to dealing with advanced phishing threats. Our team of security experts uses their knowledge and experience to provide 24x7x365 cyber threat monitoring and rapid incident response across your IT environment.