Phishing is a form of social engineering that aims to take hold of personal information by convincing the user to directly provide their credentials to the threat actor. By far the most common cyber attack, phishing is gaining popularity among attackers.

Find out how your organization can protect confidential information from cyber  attacks in the latest Gartner Market Guide for Email Security. Click here.

According to the Anti-phishing Working Group latest report, phishing attempts hit an all-time high in December 2021; Attacks triple since early 2020. In today’s reality, phishing attempts occur on a daily basis, reaching people via their private and company email accounts.

This blog will explain the challenges in detecting phishing, provide best practices and introduce advanced technologies that will help organizations learn about how to prevent phishing attacks.

What are the common types of phishing?

Attackers may choose to employ various types of phishing attacks. The attacks will usually use a common set of phishing techniques, but vary concerning their targets and the channels leveraged in the attack.

Examples for types of phishing attacks include:  

  • Email phishing – a classic example of phishing where a malicious message that looks legitimate, lures victims to click a link, open a file or provide their valuable credentials; 
  • Spear phishing – phishing targeted to a specific person that the attacker has prior knowledge of; 
  • Whaling – in this type of phishing attack the attacker targets high-profile personas, such as C-level executives. 

Attackers Use Advanced Techniques

Although common phishing techniques will lure victims to enter their credentials or to click a malicious link, there are actually many more advanced techniques employed by attackers that make phishing difficult to detect. We’ll give a couple of examples. 

Phishing Sites Using Legitimate Domains: Website builder tools like Weebly or Wix are providing attackers with free, quick and simple templates to build sites for attacks. Since these websites are delivered via legitimate links, e.g. a site hosted on Wix platform, they are hard to spot and require a combination of abilities from advanced threat detection tools, such as the ability to add new logic that will recognize new malicious URLs on the go, ability to adjust image recognition capabilities to recognize new phishing site URLs and more.

Phishing Attacks using legitimate file hosting services: Services such as WeTransfer and JUMBOmail can be easily and freely used by attackers to deliver malicious files. These websites obviously pass as legitimate sites, so Advanced Threat Detection solutions will need to actually scan and intercept each file before it is delivered or downloaded by the user, and files can be quite large so scanning speed can be an issue.

Example 1: Using a legitimate file hosting service for sending a malicious file

How to prevent phishing attacks?

The task of protecting employees and organizations from phishing attacks is not an easy one, however there are key techniques that advanced threat detection security solutions must provide in order to sufficiently protect against these attacks from ever successfully entering end-user inboxes.

Image recognition-based engine to identify brand impersonation and phishing attacks

In brand impersonation phishing attacks, attackers impersonate targeted popular brands using the brand logo, brand signature, brand color pallet and language, and more. An excellent example can be seen in this recent OpenSea phishing attack where you cannot see the difference between the malicious and actual site:

Example 2: Brand impersonation difficult to catch with the human eye

Image recognition is a key technology used to be able to validate if any URL is actually the legitimate site it is claiming to be. Similarities that are difficult to identify using human eyesight are easily caught using algorithms that know the original brand and analyze the potentially malicious content (e.g. an email, or a URL) against it – not leaving it up to chance, if the user is able to spot the attempt or not.

New call-to-action

 

Lexical analysis of URLs to determine maliciousness

Lexical analysis is another technique, helpful in determining if a URL is malicious or not. In Lexical analysis, the structure of the URL is analyzed to detect:

  • If it contains suspicious words
  • How many parameters are passed inside the URL
  • What type of encoding is used to encode the parameters
  • If the URL contains email address or suspicious domain names, and more

 

Reputation vector of various parameters of the sender and the recipient

A Reputation vector is the collection of parameters maintained on both the sender and recipient, derived from the data and metadata collected on them. Information collected could be related to the legitimacy of the IP or the domain that the email is being sent from and more. The reputation vector will ultimately result in a score that will assist in making the decision if any type of content is malicious or not. 

Novel algorithms help identify smartly spoofed domains

Attackers will use similar domain names that are visually very close to popular brands that they are spoofing. A standard approach to address spoofed domains is to use a database of known domains, for example: Coca Cola and Microsoft, and then counting the amount of differences. While this technique can work in some cases, it can be challenging to identify more sophisticated obfuscations. Novel algorithms, available in advanced email security solutions, significantly lower the success rate of such evasion attempts. A good example is usage of biological algorithms that have been found to significantly help identify such spoofing attempts.

Example 3: Spoofing the Instagram domain

Dynamically scanning all URLs to prevent phishing evasion attempts

In addition to using  the techniques mentioned above, and checking potential threats against threat intelligence sources, it is critical to dynamically scan all URLs, including the ones buried several levels deep inside the original content that was sent. Scanning all URLs dynamically, also referred to as “Sandboxing”, will make sure new and unseen attacks, or new senders that look legitimate but actually are not, are identified. Next generation sandbox technologies will perform this scan in a speedy and accurate manner, getting rid of “traditional” sandboxing technologies’ delays. 

Summary

Phishing is one of the most common cyber attacks. The variety of techniques and their increasing sophistication make phishing attacks difficult to detect and intercept. By using an advanced threat detection solution with the right combination of phishing prevention techniques, organizations don’t need to rely on their employees’ ability to identify sophisticated phishing attacks, which often  are overlooked, resulting in significant damages. 

Want to know how we stop phishing at Perception Point? Contact us for a live demo. 

gartner email security guide

 

Here’s some related content you may enjoy: How to Conduct a Phishing Attack in a 5 Easy Steps