Phishing attacks are on the rise, posing a significant threat to businesses. If companies are to protect their sensitive information, they must understand the most common types of phishing scams. We have outlined the basics in our post on some of the types of phishing attacks

state of phishing demo cta

Here, we’ll discuss the techniques used to execute the most common types of phishing attacks—namely email phishing, spearphishing, and whaling. Read on. 

Email Phishing

Here, an attacker sends out thousands of emails to multiple recipients to obtain valuable information and money. Several techniques are utilized to increase the success rates of this numbers game, including: 

Many attackers evade email filters’ detection by incorporating seemingly legitimate links into their emails. They do this by including an organization’s contact information that they are spoofing.

Technique #2: Mixing Malicious and Benign Code

Those in charge of creating phishing landing pages frequently mix malicious and benign code to fool filtering platforms like Microsoft Exchange Online Protection (Microsoft EOP). This technique could also involve replicating the CSS and JavaScript of a website’s login page to steal users’ account credentials.

Malicious actors do not want their victims to raise any red flags. To do this, they use shortened URLs to deceive Secure Email Gateways (SEGs). They also employ “time bombing” to redirect users to a phishing landing page only after delivering the email. The campaign then redirects victims to a legitimate web page after they have forfeited their credentials.

Technique #4: Modifying Brand Logos

Some email security filters can detect when fake company logos are used in attack emails or phishing landing pages. These filters do so by looking for the HTML attributes of the logos. However, malicious actors take advantage of this process by modifying the HTML attribute of the logo, like its color, to fool these detection tools. Filters can work, but doing this little tweak in the logo renders them ineffective. 

Technique #5: Writing Minimal Text 

Including as little content as possible in attack emails is another technique used to avoid detection. This is done by having images instead of text, for example.

state of phishing demo cta

Spearphishing

Contrary to the “spray and pray” method used in typical email phishing attacks, spearphishing adds a personal touch. In this type of phishing, the email is customized to include the target’s name, number, and other personal information to make it even more convincing. They use the techniques below to maximize clicks: 

Technique #1: Documents Stored in the Cloud

According to CSO Online, digital attackers store malicious documents on cloud services such as Dropbox, Google Drive, etc. Because IT teams are unlikely to block these services by default, the weaponized documents might not get flagged by the organization’s email filters.

Technique #2: Compromised Tokens

In the same report, CSO Online also noted that digital criminals are attempting to compromise API tokens or session tokens. If they are successful, they will be able to steal access to an email account, SharePoint site, or other resources.

Technique #3: Out-of-Office Notifications

To launch an effective spearphishing campaign, attackers need a large amount of intelligence. Trend Micro pointed out that attackers do this by sending email blasts to employees and collecting out-of-office notifications to learn the email addresses used by internal employees.

Technique #4: Social Media Stalking

Malicious actors must learn who works at a specific company. They typically accomplish this by using social media to investigate the organization’s structure and decide who to target in their attacks.

Whaling

Spearphishing can target anyone in the organization. Whaling attacks, on the other hand, attack those at the top. To do this, the following methods are used:

Technique #1: Network Infiltration

A compromised executive account is more potent than a typical spoofed email account. These accounts usually have multiple layers of email protection and other security cushions. But cyber attackers have figured that the best way to penetrate these accounts is through network infiltration. As Varonis pointed out, digital attackers use several tools like malware and rootkits to infiltrate their target’s network.

Technique #2: Aggressive Follow-Ups

In several instances, attackers followed up a whaling email with a phone call confirming the email request. This social engineering technique helped assuage the target’s concerns that something suspicious was happening.

Technique #3: Supply Chain Strike

Malicious actors also use information from targets’ suppliers and vendors to disguise their whaling emails as coming from trusted partners.

As cyber crimes escalate, companies need to fortify their cyber security systems even more substantially. Get ahead of these types of phishing by having a dependable email security provider, allowing your team to focus on what matters. 

Start today with Perception Point’s email security platform. We offer comprehensive email security that eliminates threats before they reach your employees. Our end-to-end advanced cyber threat detection protects your enterprise against modern-day phishing scams. 

Stay on top of the latest email security trends through our other blog posts and resources.

state of phishing demo cta
What are techniques used for email phishing?

Several techniques are utilized to increase the success rates of this numbers game, including: 
– Technique #1: Using “Legitimate” Links
– Technique #2: Mixing Malicious and Benign Code
– Technique #3: Sending Shortened Links
– Technique #4: Modifying Brand Logos
– Technique #5: Writing Minimal Text

What are techniques used for spearphishing?

– Technique #1: Documents Stored in the Cloud
– Technique #2: Compromised Tokens
– Technique #3: Out-of-Office Notifications
– Technique #4: Social Media Stalking

What are techniques used for whaling?

– Technique #1: Network Infiltration
– Technique #2: Aggressive Follow-Ups
– Technique #3: Supply Chain Strike