ADVERTISEMENT

How phishing attacks are evolving and why you should care

Email icon on laptop screen
Pierluigi Paganini
Pierluigi Paganini Contributor
Jan 14, 2021 Updated: 7 December 2023 5 min read
The ENISA Threat Landscape 2020 report states that cyberattacks are becoming more sophisticated, targeted, widespread, and undetected.
Top 15 Cyber threats
Image by ENISA: Cyberattacks becoming more sophisticated, targeted, widespread and undetected
  • Losses of €26.2 billion in 2019 with Business E-mail Compromise (BEC) attacks
  • 42.8% of all malicious attachments were Microsoft Office documents
  • 667% increase in phishing scams in just 1 month during the COVID-19 pandemic
  • 30% of phishing messages were delivered on Mondays
  • 32.5% of all e-mails used the keyword ‘payment’ in the e-mail subject

A constantly evolving threat

The majority of phishing attempts today are “polymorphic” in nature.
Today, phishing attacks are becoming much more targeted.
“Other factors contributing to the steep rise in HTTPS usage are the plethora of free certificate services such as Let’s Encrypt and the fact that modern browsers mark every HTTPS site as secure, without any further checks.”
states the ENISA report.

Phishing-as-a-service on the rise

During the past months, security firms spotted multiple creative phishing techniques to avoid detection.
“Because image recognition software is improving and becoming more accurate, this new technique aims to deceive scanning engines by inverting the colours of the image, causing the image hash to differ from the original. This technique can hinder the software’s ability to flag this image altogether.”
reads the analysis published by WMC Global.
ADVERTISEMENT
Microsoft Office 365 login page
Inverted background

Innovative phishing techniques

“Once the link was clicked, the user is redirected through several proxies, including AWS load balancers, all the way to a legitimate but compromised website.”
Ofir Rozmann, threat intelligence at Mitiga told Bleeping Computer
“Sometimes the characters are from a different language set or simply capitalizing the letter ‘i’ to make it appear like a lowercase ‘l’.”
Homoglyph example

How to prevent sophisticated phishing attacks?

  • Train employees to identify a malicious email. Simulated phishing campaigns could allow organisations to test the resilience and responsiveness of the staff.
  • Use a secure e-mail gateway with regular (possibly automated) maintenance of filters (anti-spam, anti-malware, policy-based filtering).
  • Deploy defence solutions that use machine-learning techniques to identify phishing sites in real-time.
  • Disable automatic execution of code, macros, rendering of graphics and preloading mailed links at the mail clients and update them frequently.
  • Implement SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting & Conformance), and DKIM (Domain Keys Identified Mail) to identify spam.
  • Implement anomaly detection at the network level for both inbound and outbound e-mails.
  • Check the domain name of the websites you visit for typos, especially for sensitive websites, e.g. bank sites. Relying on the HTTPS connection is not enough.
  • Enable two-factor authentication (2FA) whenever applicable to prevent account takeovers.

Build your secure personal and business online presence


ADVERTISEMENT