Phishing isn’t going anywhere – it’s just getting more sophisticated

15,000 Wells Fargo customers were targeted by an innovative phishing campaign, and it should serve as a reminder of the ways cyberattacks are evolving.
24 June 2020


Phishing attacks have grown increasingly sophisticated over the years. Usually arriving by email, sometimes via text message, they attempt to lure users into providing sensitive data, making payments, opening backdoors for malware, or handing over credentials, knowingly or not.

The most basic and easily recognizable attempts follow a scenario where an individual, usually from somewhere distant enough not to be contactable in person, has come into money and needs someone (you) to help manage it in exchange for a chunk. While these kinds of scams are easy to spot for most people – they’re usually poorly written and far too good to be true – as data payloads continue to get richer, cyber attackers are getting smarter in their approaches. They are scraping LinkedIn to disguise themselves as company CEOs or finance chiefs, and identifying individual targets within organizations based on freely available information. They are exploiting individuals’ anxiety and distractedness around current events, like the coronavirus; Google said it was blocking more than 100 million phishing emails a day at the height of the pandemic, with almost a fifth being scam emails related to the virus.

In 2019, the average breach cost US companies US$73,000, and that’s not to mention the cost of the resulting reputational damage. The ransomware that takes even the mightiest of metal manufacturers offline for days or weeks can generally be traced back to a careless click on a link in an email. Security software, automatic updates and multi-factor authentication can all help reduce the likelihood that phishing campaigns hit their target, but with 90% of data breaches traced to human error, the main defence mechanism must be our own vigilance.

But that’s especially difficult when the red flags we’re told to look out for constantly change. A new scam targeting Wells Fargo customers demonstrates the ever more creative approaches cyberattackers are turning to. And with customers of the bank representing one in three American households, it demonstrates that even scattergun approaches are becoming harder to catch.

Some 15,000 customers of US multinational financial services giant Wells Fargo – which has more than 260,000 employees across 7,400 locations globally – were targeted by a phishing campaign impersonating Wells Fargo Security and luring victims to phishing pages with calendar invites.

According to researchers at Abnormal Security, the messages included .ics calendar file attachments containing events that directed recipients to phishing pages. The messages claimed customers must update their security keys using the instructions included in the calendar attachment, or have their accounts suspended. On a fake Wells Fargo page, users were prompted to enter sensitive information such as username, password, PIN and account number.

The scam is particularly clever as it encourages users to open the message on a smartphone, where the .ics file can automatically be added to their calendar. The victim subsequently receives a calendar event notification from their trusted app, which they are more likely to click. If the user falls for the scam and submits all their details, the attackers would have all the information they need to take control of targets’ accounts, steal their identity and money. Not a bad day’s work. 
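A mail gateway or triage script can inspect calendar attachments before they reach a phone. The following is an added example, not code from Abnormal Security or from the campaign: it pulls links out of .ics parts and reports those that point outside the domains the impersonated brand really uses. The `TRUSTED` set, the sample message and its hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

TRUSTED = {"wellsfargo.com"}          # assumption: domains the real brand uses
PROPS = {"URL", "DESCRIPTION", "LOCATION", "SUMMARY"}
URL_RE = re.compile(r"https?://[^\s\"<>\\,;]+", re.I)

# Constructed sample message (not from the campaign); hosts are placeholders.
SAMPLE = r"""From: security@example.test
Subject: Update your security key
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/calendar; name="invite.ics"

BEGIN:VCALENDAR
BEGIN:VEVENT
SUMMARY:Security key update
DESCRIPTION:Follow the steps at https://login.phish-exam
 ple.test/update\nHelp: https://www.wellsfargo.com/help
END:VEVENT
END:VCALENDAR
--b1--
"""

def is_trusted(host):
    # Exact match or true subdomain only, so lookalike suffixes do not pass.
    host = host.lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def untrusted_event_links(raw_email):
    """Return (property, url) for calendar links that leave the trusted domains."""
    hits = []
    for part in message_from_string(raw_email, policy=policy.default).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() != "text/calendar" and not name.endswith(".ics"):
            continue
        body = part.get_content()
        if isinstance(body, bytes):          # .ics sent as application/octet-stream
            body = body.decode("utf-8", "replace")
        body = re.sub(r"\r?\n[ \t]", "", body)   # undo RFC 5545 line folding
        for line in body.splitlines():
            prop = line.split(":", 1)[0].split(";", 1)[0].upper()
            if prop not in PROPS:
                continue
            for url in URL_RE.findall(line):
                if not is_trusted(urlsplit(url).hostname or ""):
                    hits.append((prop, url))
    return hits
```

Unfolding before matching matters because calendar software wraps long lines, which would otherwise cut a URL in half and leave the scanner checking the wrong host.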

Last year, scammers targeted Google search results, playing on victims’ curiosity with official Google links. Phishers sent targets emails that included Google search redirection links, and if they clicked on the link in the Google search results they’d land on the attacker’s website. Another sophisticated attack included a phishing campaign that used a man-in-the-middle (MitM) component to capture company-specific information like logos, banners, text and background images to create incredibly realistic sign-in pages – the only giveaway was the URL.

Another clever scam from last year saw phishers using malicious custom 404 pages to serve phishing sites. 404 pages tell users when they’ve hit a broken or dead link. Targeting Microsoft, the attackers included links that pointed to non-existent pages, and when Microsoft security systems scanned the link, they’d receive the 404 error and deem the link safe.

But if a real user accessed the same URL, the phishing site would detect the user and redirect them to an actual phishing page, instead of the server’s 404 error page. 

As phishing scams continue to change shape, they will more easily slip through the net: “These types of email attacks only highlight the ingenuity of attackers and emphasise to all of us the need to be aware and pay attention to the contents of all emails. If it doesn’t read right, or you’re asked to do something you wouldn’t normally do or haven’t done before, then don’t click on anything or follow their instructions – seek advice from your IT department or security team,” said Jamie Akhtar, co-founder and CEO at CyberSmart.