Automated protection solutions are often considered half the battle in modern security, but humans (users) continue to play an extremely important role. Attackers take the shortest and easiest path, and for any organization that path most often runs straight through its personnel. No matter how well guarded the security perimeter is, you’re still low-hanging fruit if your personnel fall for phishing attacks.
The latest report by the international Anti-Phishing Working Group (APWG) shows that 2022 Q3 was the worst quarter for total phishing attacks that the consortium had ever seen. Recorded attacks for that quarter exceeded 1.2 million worldwide. The average dollar value requested in wire transfer business email compromise (BEC) scams also reached $93,881—a significant uptick in the amount being requested.
Thinking like the enemy can help defenders improve barriers to entry through social engineering tricks, enhancing the foundation for effective security awareness training. This will result in a hardening of the human factor of organizations’ defenses, instead of allowing it to remain the weakest link. Below is a breakdown of the tactics that set the most successful phishing campaigns apart from the mediocre attempts.
A 'mental payload' that pulls the right strings
The goal of a phishing message is to induce the recipient to make one of two mistakes:
1. Clicking a malicious link.
2. Downloading a malware-bearing file.
The first of the two typically takes the victim to a credential phishing page, while the second typically fires off malicious macros in a Microsoft Office document or drops an installer from an infected PDF.
In penetration testing, security professionals use harmless (“neutered”) files or web pages through which they keep a record of successful hits—each hit being the equivalent of the target organization’s defenses being compromised.
As for the message content, the best attacks accurately align with the attacker's objectives and the intended victim's role in the organization. A threat actor who wants to obtain a senior executive's credentials will craft an email that seems to come from a person whose rank and reputation in the purported sending organization match those of the recipient (i.e., a “peer”). If the objective is instead to remotely access a finance department computer, the message content would best masquerade as a manager’s request to verify details for a transaction or as an accounting report.
Creating a sense of urgency is key for attackers as well. Effective phishing messages order targets to take action immediately. They compel the victim to fear a fast-approaching doom. For example, they can emphasize adverse consequences that will result from passing a specified deadline.
Proofreading is also important for attackers these days, as more users are becoming better at spotting grammatical errors and typos and growing suspicious. A current trend, with the advent of artificial intelligence (AI) large language models (LLMs) like ChatGPT, is that these tools can help attackers craft grammatically perfect phishing emails—and the checks AI providers have put in place can often be circumvented.
Taking attacks to the next level
Users are more likely to open an email attachment than to enter personal information on a credential phishing page. This means perpetrators have a greater chance of success when depositing malicious programs than when stealing passwords via a fake web form. No surprise, then, that Trojan downloaders and ransomware are becoming indispensable components of a phisher's repertoire, as they add an extra layer of monetization to these attacks.
Regarding phishing themes, the most lucrative ones are built around corporate benefits; for example, freebies and discounts from partnering businesses. About a third of all targeted users get hooked by such attacks. Additionally, messages instructing personnel to familiarize themselves with changes to organizational policies and similar rules are also highly effective.
One more type of "delicious phishing lure" embeds a bit of hype, such as seasonal events or current event references. When the winter holidays are approaching, it's time to be wary of attacks with bogus promos and giveaways. Malicious actors may also try to disguise malware as a holiday work schedule—which most users will open without a second thought.
“Spear phishing” refers to messages adeptly tailored for a specific recipient, and it has a much higher success rate than generic attacks. Open-source intelligence (OSINT) gathered from publicly available sources such as social networks, forums, and professional publications like blogs can often provide threat actors with plenty of personal data and insights into pain points, from which they can concoct a legitimate-looking email that is very tempting to the target. An attack targeting only a few personnel in a company usually has a much higher success rate.
How to stymie the phishers
No matter an individual’s role, everyone must keep in mind that any hyperlink or file embedded in an email is potentially dangerous—even if the message appears to come from a trusted individual or organization. SMTP has long-standing design flaws that make email spoofing ridiculously easy by tweaking the message headers, which lowers the bar for carrying out impersonation attacks.
Honing a sharp eye for red flags in all electronic correspondence is a precious skill your organization should support. These days, looking for misspellings, inaccuracies in the sender's name, and the use of non-business domain names (for example, gmail.com or yahoo.com) when the email claims to come from a reputable company is becoming less and less important. Besides technical measures such as a Secure Email Gateway (SEG) and an anti-malware program (or, best of all, a Managed Detection and Response (MDR) solution), security awareness training is indispensable these days.
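As an added illustration of the header-level red flags described above (example code written for this topic, not a Webcheck tool or code from the original article): the script parses a raw message with Python's standard library, checks whether a passing SPF or DKIM result is aligned with the visible From domain (the DMARC alignment idea), and flags free-mail sender domains, a display name that carries a different address, and a mismatched Reply-To. The free-mail list and the sample message are constructed assumptions.

```python
from email.parser import BytesParser
from email.utils import parseaddr
import re

# Assumption: a short free-mail list; a real deployment would use a fuller one.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

def org_domain(domain):
    # Crude organizational domain (last two labels); DMARC proper uses the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])

def parse_auth_results(header):
    """Map 'spf'/'dkim' to (result, domain) from an Authentication-Results header (RFC 8601 style)."""
    out = {"spf": ("none", ""), "dkim": ("none", "")}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id of the receiving MTA
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if m:
            dom = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]*@)?([\w.-]+)", clause)
            out[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return out

def check_headers(raw):
    """Return the red flags found in one raw RFC 5322 message (empty list = none found)."""
    msg = BytesParser().parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    # DMARC-style alignment: a passing SPF or DKIM result for the domain the user actually sees.
    if not any(r == "pass" and org_domain(d) == org_domain(from_dom) for r, d in auth.values()):
        findings.append("no aligned SPF/DKIM pass for From domain " + from_dom)
    if from_dom in FREE_MAIL:
        findings.append("free-mail sender domain " + from_dom)
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", name)  # display name that carries another address
    if claimed and claimed.group(1).lower() != from_dom:
        findings.append("display name claims " + claimed.group(1) + " but address is " + from_dom)
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain " + reply_dom + " differs from From domain")
    return findings

# Constructed sample: SPF and DKIM pass for gmail.com, yet the message impersonates a CFO.
BEC_SAMPLE = b"""From: "Pat Lee (CFO) pat.lee@corp.example" <pat.lee.corp@gmail.com>
Reply-To: Pat Lee <pat.lee.finance@yahoo.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com

Please process the attached payment before 5pm today.
"""
```

Note that BEC_SAMPLE passes SPF and DKIM: authentication only proves the mail really came from gmail.com, which is exactly why the display-name and Reply-To checks still matter.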
The Webcheck Aware phishing simulation platform, combined with simulation design elements described in this article, can help your organization hone the right skills to cut the phishing lines, rendering the attackers’ lures inert. Contact us to learn more about our solutions and services.