“Know your enemy” is a key strategy for any good cyber defense program. Train employees on how to spot phishing emails, and they’re much less likely to click. Providing example phishing emails is a great way to do just that, especially as new, novel, and devious phishing techniques are being developed.
Phishing Attacks are Still a Growing Concern
According to the FBI Internet Crime Complaint Center, phishing attacks had the highest number of reported victims compared to other cybersecurity incidents in 2020, with 241,342 reported cases equaling a total monetary loss of over $54 million (IC3). As people become more used to “standard” phishing attacks, bad guys have begun developing and launching novel attacks that are more sophisticated and therefore have a higher likelihood of succeeding. Organizations must be aware of these attacks and properly train their employees to identify them in order to mitigate their risk and improve their overall security posture.
This article is a compilation of some of the more advanced phishing attacks that are targeting businesses and aims to provide insight into the techniques being employed by attackers.
Example Phishing Emails and Advanced Techniques
1. Impersonating the Small Business Administration (SBA) to Scam Loan Applicants
Malicious actors are conducting phishing campaigns where they impersonate the SBA to trick loan applicants seeking federal aid in the wake of the pandemic into providing them with Personally Identifiable Information (PII). The sender’s email address will even look legit because it is being spoofed to look like it is coming from a government domain.
These attacks can be tricky to identify because the email looks like it is from a real source when in fact, it is not. By hovering over the link, users can see that the URL it will bring them to is not the official sba.gov site, but instead a phishing website intended to steal their credentials and personal information.
If you applied for an SBA loan, you should be careful of this attack and carefully inspect any communications from the SBA. If you did not apply for a loan, you should immediately discard the email and blocklist the sender.
SBA Impersonator Example Phishing Email:
Note how the phishing link includes “sba.gov” at the end to try and fool users!
2. The Invisible Ink Phishing Technique
Attackers are exploiting Unicode and HTML to embed characters within emails that are invisible to human readers. Secure Email Gateways (SEGs) do read these characters, which confuses their pattern matching and lets the email through.
The exploit relies on the “soft hyphen,” a code point whose purpose is to mark where a word may be broken onto the next line: a hyphen is displayed only when the word is actually broken, and otherwise the character remains invisible to the user.
The SEG, on the other hand, parses the text and reads the soft hyphens as actual characters, so it fails to match and detect the text within the phishing email. For example, if the SEG is matching for the text “reset password” but reads “r-e-s-e-t p-a-s-s-w-o-r-d”, it won’t match the text and won’t detect the phishing email. This trick increases the chances of a phishing email landing in a user’s inbox.
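As an added illustration of the normalisation a gateway (or a mail-scanning script) needs before pattern matching, the following example code, which is not from the original article, decodes HTML entities, strips soft hyphens and other zero-width code points, and then matches the phrase list against what the recipient actually sees. The phrase list and the sample email body are constructed; U+00AD is the soft hyphen the article describes.

```python
import html
import re

# Code points that render as nothing (or only at a line break) yet still count as
# characters to a gateway doing literal string matching. U+00AD is the soft hyphen
# the article describes; the zero-width characters are abused the same way.
INVISIBLE = {
    "\u00ad",  # SOFT HYPHEN (the HTML entity &shy;)
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}
TAG_RE = re.compile(r"<[^>]+>")


def count_invisible(html_body: str) -> int:
    """Number of invisible code points once entities such as &shy; are decoded."""
    return sum(1 for ch in html.unescape(html_body) if ch in INVISIBLE)


def visible_text(html_body: str) -> str:
    """Reduce an HTML body to the text the recipient actually sees, lower-cased."""
    text = html.unescape(TAG_RE.sub(" ", html_body))
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    return re.sub(r"\s+", " ", text).strip().lower()


def check_email(html_body: str, phrases) -> dict:
    """Compare naive substring matching with matching on the normalised text."""
    raw = html_body.lower()
    seen = visible_text(html_body)
    return {
        "naive_hits": [p for p in phrases if p in raw],
        "normalised_hits": [p for p in phrases if p in seen],
        "invisible_chars": count_invisible(html_body),
    }


PHRASES = ["reset password", "verify your account"]
# Constructed sample body: a soft hyphen (&shy;) sits between every letter of the
# phrase a gateway would look for, so the raw bytes never contain that phrase.
SAMPLE = ("<p>Your mailbox is almost full. Please r&shy;e&shy;s&shy;e&shy;t "
          "p&shy;a&shy;s&shy;s&shy;w&shy;o&shy;r&shy;d within 24 hours.</p>")

if __name__ == "__main__":
    print(check_email(SAMPLE, PHRASES))
```

A high count of invisible code points inside otherwise ordinary words is itself a useful signal, independent of any phrase list.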
This is a very advanced attack that requires deep technical knowledge and is a good reminder of why we should be careful about clicking on any emails we receive, especially ones we weren’t expecting.
Invisible Ink Phishing Email Example – What the User Sees:
Invisible Ink Phishing Email Example – What the SEG Sees:
3. Fake Zoom Invitations Stealing Credentials
Available for Your Termination Meeting in a few Minutes?
Employees are receiving fake Zoom meeting invitations with words like “suspension” and “termination” and a meeting scheduled only a few minutes away. They hastily click the invitation link to join the meeting, are prompted to log in to Zoom, and unknowingly hand over their credentials to an attacker.
This attack is particularly nasty because it preys on our emotional response. Most people who get a meeting invitation regarding a performance review and potential termination are going to get panicky, especially when the meeting is starting soon, so they may not be thinking clearly. Then before they can realize it, they’ve just become the victim of a phishing attack.
For these emails, it is important to verify that the sender’s email address and domain are recognizable and trusted. If you feel it is safe to click on the link, ensure that the URL it brings you to is the official zoom.us website before entering any personal information or credentials. This is the point where an attacker would steal your information, so you must remain vigilant and confirm the web address is correct.
Fake Zoom Meeting Example Phishing Email:
This might look legit, but it was not!
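The link checks in the SBA section (a phishing URL that merely ends in “sba.gov”) and in the Zoom section (the page must really be on zoom.us) come down to one question: which host will the browser actually connect to? The following example code, not from the original article, answers it with the standard library URL parser and compares that host against the expected domain; all sample links are constructed and use reserved documentation names.

```python
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Host the browser will actually connect to: lower-cased, without userinfo or port."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def matches_domain(host: str, domain: str) -> bool:
    """True only when host is the expected domain or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, expected_domain: str) -> str:
    """Say whether a link really leads to expected_domain, and why not if it doesn't."""
    host = link_host(url)
    if not host:
        return "not a web link"
    if matches_domain(host, expected_domain):
        return "ok"
    if expected_domain in url.lower():
        return "lookalike: %r appears in the link but the host is %s" % (expected_domain, host)
    return "off-domain: host is " + host


# Constructed sample links (the .example TLD is reserved for documentation).
# Only the first link of each group really goes to the named site.
SBA_LINKS = [
    "https://www.sba.gov/funding-programs/loans",
    "http://loan-portal.example/apply/sba.gov",     # the real name at the end of the path
    "https://sba.gov.relief.example/login",          # the real name as a subdomain prefix
    "https://www.sba.gov@verify.example/account",    # the real name in the userinfo part
]
ZOOM_LINKS = [
    "https://us02web.zoom.us/j/123456789",
    "https://zoom.us.meet.example/j/123456789",
]

if __name__ == "__main__":
    for link in SBA_LINKS:
        print(classify_link(link, "sba.gov"), "<-", link)
    for link in ZOOM_LINKS:
        print(classify_link(link, "zoom.us"), "<-", link)
```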
4. Phishing Emails Avoiding Detection with Morse Code
A highly advanced phishing campaign created emails that appeared to be regular financial transactions and provided attachments claiming they were invoices or other financial documents. The attackers used various forms of encoding and encryption to circumvent security controls and avoid detection. The attack involves attaching an HTML file to the phishing email, but with a modified file extension including a variation of xls meant to make users expect an Excel file.
When the attachment is opened, a fake Microsoft Office 365 dialog box appears, prompting the user for their credentials and ultimately providing them to the attackers. The attackers were able to hide links to JavaScript files in their attachments by encoding them in ASCII and then again in Morse code to prevent security scans from identifying the attack.
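As an added detection example for this campaign (not code from the original article or from Microsoft), the following script applies two checks to a mail attachment: a filename that suggests Excel on content that is actually HTML, and runs of Morse-code tokens that decode cleanly to text, which a scanner can then inspect as it would any other string. The attachment name and body are constructed; the decoded location uses the reserved example.com domain.

```python
import re

# Morse table covering letters, digits and the punctuation needed to spell a URL.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9", ".-.-.-": ".", "-..-.": "/", "---...": ":",
    "-....-": "-",
}
# Six or more dot/dash tokens separated by single spaces: long enough to be
# deliberate rather than punctuation or ASCII art.
MORSE_RUN = re.compile(r"(?:[.-]{1,7} ){5,}[.-]{1,7}")
HTML_STARTS = ("<!doctype", "<html", "<script", "<body")


def decode_morse(run: str) -> str:
    """Map each space-separated token to a character; '?' marks unknown tokens."""
    return "".join(MORSE.get(tok, "?") for tok in run.split())


def scan_attachment(filename: str, content: str) -> list:
    """Flag Excel-looking names on HTML content and any Morse runs that decode cleanly."""
    findings = []
    if "xls" in filename.lower() and content.lstrip()[:9].lower().startswith(HTML_STARTS):
        findings.append("name suggests Excel but content is HTML: " + filename)
    for match in MORSE_RUN.finditer(content):
        decoded = decode_morse(match.group(0))
        if "?" not in decoded:
            findings.append("morse run decodes to: " + decoded)
    return findings


# Constructed sample attachment: an HTML file named to look like a spreadsheet,
# carrying a string of Morse tokens that decodes to a script location.
SAMPLE_NAME = "Invoice_4821.xls.html"
SAMPLE_BODY = (
    "<html><body><script>\n"
    "var m = '.... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . "
    ".-.-.- -.-. --- -- -..-. -..- .-.-.- .--- ...';\n"
    "</script></body></html>"
)

if __name__ == "__main__":
    for finding in scan_attachment(SAMPLE_NAME, SAMPLE_BODY):
        print(finding)
```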
Microsoft has provided some mitigation steps to reduce the impact of this threat:
Use Office 365 mail flow rules or Group Policy for Outlook to strip .html or .htm or other file types that are not required for business
Turn on Safe Attachments policies to check attachments to inbound email. Enable Safe Links protection for users with zero-hour auto purge to remove emails when a URL gets weaponized post-delivery.
Avoid password reuse between accounts and use multi-factor authentication (MFA), such as Windows Hello, internally on high-value systems.
Educate end users on consent phishing tactics as part of security or phishing awareness training.
Fraudulent Payment Invoice Example Phishing Email:
5. Crime-as-a-Service Makes Advanced Phishing Attacks Easily Accessible
All the Fun of Launching a Phishing Attack, Without Any of the Effort.
Veteran cyber criminals can sell their techniques and tools on the web to anyone who is willing to pay. This makes it too easy for someone inexperienced to launch an advanced phishing campaign – everything they need has already been developed.
After they pay for CaaS, they will have an extensive range of phishing tools available to them, including but not limited to: email templates, detailed target lists, compromised servers, content encryption, and other tools to avoid detection.
CaaS reduces the risk of independent attackers getting caught because it allows them to instantly have a professional suite of tools at their disposal. Instead of doing all of their own tool development and phishing campaign planning, attackers can easily execute a phishing attack with minimal effort on their part.
How to Protect Your Business
Security Awareness and Strong Defenses are Key
There is a wide array of different phishing attacks, and they can all cause massive damage to a business’s systems and reputation. It is more important than ever to take email security seriously and implement the proper security controls to protect your company. Listed below are some great ways to protect your systems and users from phishing attempts.
Security Awareness Training
If a phishing email makes it into a user’s inbox, that employee effectively becomes the business’s last line of defense for protecting its systems and data.
This makes it very important for all workers to possess a basic understanding of common phishing attacks and how to detect and respond to them. Employees are frequently targeted by malicious emails attempting to steal their credentials or gain access to internal systems. By training and enabling them to identify these threats, a company can decrease its likelihood of falling victim to such attacks.
It is crucial to remember the role employees play when considering your email security posture.
Follow Best Security Practices
Whenever possible, your business should strive to follow the security best practices for any software or system it is using. This is especially true for email systems. There is a lot of information out there on how to improve your email security; we’ve included some guides below.
A quick note on Microsoft Outlook – we HIGHLY recommend all companies that use Outlook get an email security tool.
Fractional CISO Guide – Best settings to secure Microsoft Outlook:
Official Vendor Documentation:
Google Workspace – Security checklist for medium and large businesses: https://support.google.com/a/answer/7587183#zippy=%2Cgmail-google-workspace-onl
Microsoft 365 – Policy Recommendations for securing email: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-worldwide
CIS Benchmarks™ Documentation:
Securing Google Workspace: https://www.cisecurity.org/benchmark/Google_Workspace/
Securing Microsoft 365: https://www.cisecurity.org/benchmark/microsoft_365/
Conclusion
As phishing attacks are becoming increasingly common and sophisticated, businesses need to be serious about protecting their employees’ email or they are leaving themselves vulnerable to a devastating blow, potentially leading to system downtime and a loss of revenue.