Phishing is one of the most reliable methods a would-be hacker can take to access your digital accounts or even your bank account—and these kinds of attacks are becoming more common and more sophisticated over time. Even if you think you know a phishing email when you see one, new strategies continue to spring up.
That’s not surprising, considering the rewards can be so huge for a successful phishing expedition. To make sure you’re staying ahead of the game, we’ve collected some of the best advice, most recent reports, and most common types of phishing attack in 2019 to keep you right up to date.
Around two-thirds of us know what phishing is now, according to the 2019 State of the Phish report from security experts Proofpoint, based on thousands of survey responses. For the remaining one-third, phishing scams are malicious attempts to obtain sensitive information, like usernames, passwords, or financial details, by fooling a user into handing it over with what appears to be legitimate communication. Frequently, phishing scams start with emails, but they take other forms as well. Even as awareness grows though, the phishers are trying new tricks to get through our defenses, which means constant vigilance is key.
Take the recent phishing attack spotted by a security researcher at Akamai: It attempted to use Google Translate to mask suspicious URLs, prefacing them with the legit-looking “www.translate.google.com” address to try and dupe users into logging in.
That followed hard on the heels of an Apple phishing scam that was carefully constructed to look like the real deal—asking unsuspecting victims to ring a number that displayed Apple’s real support number, web address, and street address through the caller ID system.
The list goes on: Phishing scams asking for Netflix payment details, for example, or embedded in promoted tweets that redirect users to genuine-looking PayPal login pages. Although the dodgy landing page was very well designed in that latter case, the lack of an HTTPS lock and misspellings in the URL were key red flags that this was actually a phishing attempt.
Getting you to try and log in to a major account is one of the main tricks a phishing attempt will employ. It’s hugely important that you double-check and triple-check every landing page that you come across—look for graphics or spellings that are out of place, or even better, open a new tab and go direct to the site instead.
“In 2018, Dropbox phishing was the top phishing attack lure,” Chris Dawson, Threat Intelligence Lead at Proofpoint, told Gizmodo. “However, click rates for DocuSign lures had the highest success rate with over five times the average click rate for the top 20 lures.”
“Dropbox and DocuSign lures attempt to trick individuals into opening what they believe is a link to a legitimate file but instead leads to either a compromised website, a dedicated credential phishing template, or malicious content.”
John LaCour, CTO of security risk firm PhishLabs, said phishing numbers were up almost across the board in 2018, with financial services, telecommunications, and shipping services seeing the biggest rises. The only industries where phishing volumes stayed steady were payment services and dating sites.
What PhishLabs is also seeing is an increase in spear phishing—more targeted phishing aimed at particular individuals or organizations rather than a wider range of users. If phishers can engineer access to an email inbox inside a company, they can produce emails that don’t just look as if they come from a genuine source, but that to all extents are from a genuine source.
“One of the newer trends we’re seeing is a rise in enterprise credential phishing,” LaCour said. “Users are sent to phishing sites that mimic their corporate webmail or SSO. The compromised accounts are then used for phishing and social engineering attacks from within the enterprise.”
“So you end up with highly-effective spear phishing email coming directly from the mailbox of a senior executive. As you might imagine, this is quite a bit more effective than the standard phishing attack.”
When phishing emails come directly from someone you can apparently trust, they become much harder to spot—especially if that person isn’t sitting on the desk opposite or a phone call away. To be better prepared to spot phishing when it happens though, it helps to know exactly what you’re looking out for.
We’ve already mentioned spear phishing, where individuals or specific businesses are targeted. Using a mix of social engineering techniques, would-be criminals can make their requests sound much more convincing—it’s not just Nigerian princes asking for your money anymore, it’s your boss sitting two floors up.
One type of spear phishing is termed Business Email Compromise or BEC. Hackers will access or very cleverly spoof an email from a CEO or a CFO, and use it to request money or login details from an employee lower down the ladder. The email might be crafted to look like it came from a mobile device, and might include a request not to be disturbed—dissuading the recipient from checking the email’s legitimacy.
Another one to be on the look-out for is clone phishing, where a legitimate email you’ve already had gets cloned and tweaked to include a malicious link or attachment. Then there’s whaling, specifically targeting those higher up at a company for bigger rewards—customer complaints or legal actions are common themes here.
According to security firm Cofense, based on an analysis of tens of thousands of phishing campaigns, six of the most common top 10 phishing lures use “invoice” somewhere in the email subject header—if you want some clear warning signs to look out for, then that’s one of them. (By the way, the other four subject headers in the list all refer to payments or statements in some way too.)
Chris Dawson at Proofpoint said three classic phishing lures continue to be popular with bad actors: Emails related to shipped packages, emails relating to invoices (as already mentioned), and emails referring to or including scanned documents.
“There are two main categories of email-based phishing attacks: those that use malicious links or attachments to direct victims to phishing pages or collect credentials electronically and those that rely on email fraud, with no malicious code or dedicated links included,” Dawson said.
“Additionally, while not specifically phishing, email attacks featuring malicious attachments or links to malware can be used for a variety of nefarious purposes and are extremely common.”
The worst part is you might not even know what’s happened. If you attempt to log in on a spoofed website, the hackers will usually save your credentials and then direct you on to the genuine version—from an end-user point of view, it looks very much like you just got the login details wrong the first time around.
Think you can spot a phishing email? Google recently posted an online quiz to test your security savviness, taking you through the common tricks used by phishers—dodgy domains, misspelled email addresses, fake security alerts, and so on. It’s worth running through the questions to get some pointers on the latest phishing tactics.
As the Google quiz points out, always double-check links (by hovering over them), as well as the email address of the sender. If in doubt, get in touch with the sender through a different method—a call across the office or an instant messenger app maybe.
We’re constantly trying to remind you to keep all your software right up to date, so we’ll say it again: Keep all your software up to date. It makes your browser, email client, and security tools are more likely to spot when you’re being phished, and it means the damage from any attack that does succeed will be minimized as much as possible.
If an email encourages you to click on a link, always go direct to the website in your browser to log in, rather than following the link, if you can. The exception would be when you’re resetting your password or verifying an email address—but only follow these links if you actually have just reset a password or registered on a new site.
Another security mantra we keep on pushing is to turn on two-factor authentication wherever possible. All the big apps and accounts now offer this, and it’s easy to set up. It’s no guarantee of protection against phishing, but it does “raise the bar” for hackers trying to get at your stuff, in the words of John LaCour.
We’d also recommend getting a password manager set up to ensure all your passwords are well protected and suitably strong. If that really doesn’t appeal to you, keeping your passwords in a notebook is okay, as long as it’s in a very safe place. “It’s absolutely better to have a bunch of unique passwords written down somewhere in your house than it is to have a single complex password that you’ve memorized and use across 10 different accounts,” said LaCour.
A bonus to using password managers is that they automatically populate credentials for recognized services. So if you land on a seemingly familiar site and your credentials don’t pop in, that’s yet another hint that maybe you’re not where you thought you were.
There’s no foolproof step-by-step approach to completely immunizing yourself against phishing attacks, especially as attack methods evolve and change, but with a little bit of common sense, you can reduce the risk significantly.
Proofpoint’s Chris Dawson gives a comprehensive list of what to watch for: Threatening language, misspellings, inaccuracies in the text, pressure to act quickly, attempts to cause panic, and requests to transfer money (even if you’re expecting them).
That last point is especially important when dealing with large sums of money. Even if an email does come from your estate agent’s genuine email address, for example, there’s a chance that hackers have gained access to that company’s inboxes and are operating them remotely. A quick phone call would be enough to confirm the right account for a substantial money transfer.
“Nearly every aspect of an email, even the display or From name, can be manipulated to trick users into believing they know who sent them an email,” said Dawson. “Because of this, all emails that request personal information, credentials, push readers to click a link, or open an attachment must be treated as potentially malicious.”