Advanced Phishing Attacks: How to Stem the Tide

The problem with phishing is not just its relentless onslaught—it’s that threat actors continue to evolve toward more advanced phishing attacks. The ability to psychologically manipulate and dupe people into taking certain actions helps adversaries bypass many types of security controls and solutions.

Awareness about phishing must extend beyond the basic scams that many people can now recognize. This article overviews some of the more advanced phishing attack techniques used by threat actors and offers some tips to help your business and employees combat them.

Advanced Phishing Techniques

Advanced phishing attacks surged by 356 percent in 2022 alone. Here are some of the techniques we’re seeing these attacks employ.

Using File Hosting Services

File hosting services like Dropbox or Drive are typically trusted sources, so email security tools tend not to flag them as suspicious. Using this tactic increases the likelihood of phishing emails reaching their intended targets, which is half the battle. The trust here is amplified by the fact that users also inherently trust the most popular file-sharing services, so emails containing links to SharePoint or Drive are less likely to set alarm bells ringing.

Since the harmful payload or link is hosted on a legitimate service, it’s easier for attackers to hide their malicious activities. The phishing activity happens when the user interacts with the hosted file, not directly within the email, making it more difficult for security systems to detect. With a well-crafted and convincing email, these attacks can result in stolen credentials or malware and ransomware downloads onto targets’ systems.

Invisible Ink

You probably remember invisible ink from your childhood, sending hidden messages to friends using pens with UV light. A similar concept has now crept into the domain of phishing, only here the intention is a crafty way to avoid triggering spam filters and other email security tools.

Invisible ink phishing attacks work by embedding invisible characters into emails using some manipulation of Unicode and HTML. One tactic is to use a soft hyphen to break up words commonly flagged by email gateways as indicative of spam. The soft hyphen lets the email’s content bypass detection. Another invisible ink tactic uses zero-point font sizes to break up words like account or reset.
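As an added example (not code from the original article), the following Python normalizer shows how a mail filter can undo both tricks described above before running keyword checks: it drops soft hyphens and other zero-width characters and discards any text sitting inside an element styled with a zero-point font size. The keyword list, the sample message and the style regex are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Characters that render as nothing but split a word for a naive keyword matcher.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Matches inline styles such as "font-size:0", "font-size: 0pt;" but not "font-size:10px".
ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(pt|px|em|%)?\s*(;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}   # never carry a closing tag
KEYWORDS = ("account", "reset", "verify", "password")      # constructed watch list


class InvisibleInkStripper(HTMLParser):
    """Collect the text a user actually sees, minus invisible-ink padding."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.hidden_depth = 0   # > 0 while inside a zero-point-font element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self.hidden_depth or ZERO_FONT.search(style):
            self.hidden_depth += 1   # track nesting so we leave at the right </tag>

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        if not self.hidden_depth:
            self.parts.append("".join(ch for ch in data if ch not in INVISIBLE))


def visible_text(html):
    """Return the rendered text with soft hyphens, zero-width chars and 0pt spans removed."""
    parser = InvisibleInkStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.parts)


def flagged_keywords(text):
    """Naive keyword match, as a basic gateway rule might do it."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


# Constructed sample: "account"/"password" split by invisible characters, "reset" by a 0pt span.
SAMPLE = ('<p>Your acc\u00adount needs attention. '
          'Please re<span style="font-size:0pt">xx</span>set your pass\u200bword today.</p>')
```

Running `flagged_keywords` on the raw `SAMPLE` finds nothing, while running it on `visible_text(SAMPLE)` flags all three padded words.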

Fake Zoom Meetings

Demonstrating the innovation and adaptability of threat actors, fake Zoom meetings have emerged as a more advanced phishing technique that exploits the prevalence of work-from-home arrangements. In a post-Covid world, many companies still offer their employees the chance to WFH at least part of the time, necessitating frequent Zoom meetings.

The fake Zoom meeting scam uses branded Zoom emails to trick targets into thinking they are missing an in-progress meeting, or to lure them into viewing the details of an upcoming one. Upon clicking the link, the target gets redirected to a malicious domain set up to appear exactly like the legitimate Zoom login page. The person then enters their Zoom credentials, which get stolen. And in a world where 53 percent of people reuse the same password for multiple accounts, a set of Zoom credentials can result in access to a host of other services and apps.

Business Email Compromise

Business Email Compromise (BEC) is a highly targeted phishing technique where cybercriminals impersonate executives or other high-ranking personnel within a company to trick employees, partners or vendors into transferring money or sensitive information. As an advanced phishing attack, BEC is effective for several reasons:

  • Trust: BEC exploits your employees’ trust in their colleagues and superiors. If an email comes from an ostensibly trusted source, employees are more likely to comply with requests without questioning them.
  • Authority: If the email appears to be from someone high up in your business, the recipient might be reluctant to question the instruction for fear of appearing insubordinate or inefficient.
  • Urgency: Often, BEC emails create a sense of urgency or confidentiality to pressure the target into acting quickly without checking the email’s authenticity.
  • Sophistication: BEC attacks can be highly sophisticated, with attackers often doing extensive research to mimic the writing style of the person they’re impersonating and choosing the perfect time to strike.

Calendar Phishing

Calendar phishing is a relatively new form of phishing attack where cybercriminals exploit calendar applications to send unsolicited event invites containing phishing links or deceptive content. The idea behind this advanced phishing technique is similar to the fake Zoom invites.

The attacker sends a calendar invite to a user’s email address. This email often bypasses spam filters because it comes in the form of a meeting invite rather than a traditional email. The calendar event can contain a link or message that is malicious in nature. This might be a link to a site designed to capture login credentials, a download that installs malware on a user’s system, or a scam aimed at defrauding someone.

Deepfake Phishing

Deepfake phishing is a sophisticated form of phishing that piggybacks off artificial intelligence (AI) developments to create convincing fake videos, images or audio recordings. Cybercriminals use AI technology to create realistic deepfakes, which can depict a person doing or saying something they didn’t.

This technology can be used to mimic CEOs or colleagues in an incredibly realistic way. In one real-world attack from 2020, threat actors cloned a company director’s voice using AI. A branch manager then began transferring hundreds of thousands of dollars to accounts controlled by the attackers.

Tips for Combating Advanced Phishing Attacks

Advanced phishing attacks can make it feel like the battle against this human element in cybersecurity is destined to fail. But just because these attacks are sophisticated, that doesn’t mean your business is powerless to stop them.

Defending against advanced phishing attacks requires a multi-layered approach that combines technology, policy, and training.

  • Refresh Training and Awareness: Regularly educate employees about the latest phishing tactics and how to recognize them rather than having static training materials. Encourage your employees to exercise skepticism about unexpected requests for sensitive information, even if they appear to come from a trusted source.
  • AI-Based Email Filtering: Use email security software that filters out potential phishing emails by leveraging AI algorithms. While no software can catch every phishing attempt, AI-based email filtering helps more accurately combat invisible ink-style attacks and other tactics that attempt to bypass traditional filters.
  • Multi-factor Authentication: Implement multi-factor authentication (MFA) wherever possible. MFA helps to prevent unauthorized access to systems or apps even if a phisher does manage to obtain login credentials.
  • Verification of Requests: Implement policies to verify requests for wire transfers, password resets or sensitive information. For example, a phone call or an in-person confirmation can be used to verify these requests.
  • Detect and Respond: Accept that it’s hard to keep 100% of attacks out. What’s most important is that even if a phishing attack is successful, you have the tools, people, and technologies to identify and deal with in-progress threats in real time.

The Value of Managed Detection and Response

Nuspire’s managed detection and response service helps to round off your multi-layered approach to dealing with advanced phishing threats. Our team of security experts uses their knowledge and experience to provide 24x7x365 cyber threat monitoring and rapid incident response across your IT environment.
