Of all the techniques invented during the era of Internet cybercrime, none matches the phishing attack for effectiveness, ingenuity, and lasting potency.
From the very start, one of the most characteristic features of phishing has been its ability to catch out anyone, including expert users. In the early days, this confounded some deeply held but mistaken notions about how cyberattacks happen. For years, people believed that only naïve, inexperienced users fell for digital attacks, for example by replying to spam emails as if they were genuine. Phishing proved this wrong: anyone can be socially engineered if the context, timing, and format of the attack are clever enough.
Today, phishing attacks manifest in many forms, some crude and basic, others highly sophisticated. The number of successful targeted nation-state attacks demonstrates phishing’s usefulness against even security-aware targets. One should never fall into the trap of generalising about what is possible.
Most phishing attacks are carried out via legacy channels such as email. Calling email ‘legacy’ isn’t an insult. It’s simply a fact that email systems date from an era long before phishing attacks and the commercial Internet were commonplace, allowing attackers to exploit these platforms’ design assumptions and weaknesses.
However, phishing will work across any communication medium, including mobile SMS, instant messaging and even phone calls. It is simply a way of manipulating targets into doing something they shouldn’t, be that clicking on a link, opening an attachment, downloading something, or performing an action such as transferring money to a bank account.
To work, phishing must do two things. First, it must evade any security systems designed to stop attacks from reaching the target user. If it passes this test, its next task is to fool the user through social engineering.
Contrary to popular myth, most phishing attacks fail, just as most casts fail when fishing for a catch. As with spam marketing, that doesn’t matter. Phishing is a percentages game built on patience. In an age when compromising a single high-value user can undermine the network security of an entire organisation, phishing only needs to work once to deliver a pay-off.
The classic phishing technique is to lure a user into logging in to a website under the attacker’s control, which is impersonating one of several well-known legitimate sites such as Google, Facebook, or a corporate portal. If the user is fooled – mobile attacks can be hard to detect on a small screen – their credentials (username, password) are stolen to be re-used by the attacker.
A second type of phishing attack tricks users into opening attachments that launch scripts and install malware, or into visiting a malicious domain via a plausible-looking web link.
Over time, phishing has evolved into a wide range of attacks. Some are isolated but complex (impersonating a known contact, say), others highly elaborate, involving a sequence of actions, for example, the phenomenon of business email compromise (BEC). The end-user believes a communication or request is genuine and trustworthy even though it is anything but. They are being phished because their assumptions and trust are being abused.
As phishing became a problem, the security industry proposed new standards (DMARC, SPF and DKIM, aimed at service providers) to close the holes in email protocols that let attackers impersonate users at legitimate email domains, and to stop rogue email senders from entering the system.
Unfortunately, change has been slow, and these standards haven’t been universally adopted. They were never a complete solution in any case, hence the need for other layers of protection, such as email filtering and disabling the vulnerable programming interfaces in standard office software that phishing attacks can exploit.
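The standards above only help when a domain publishes them with enforcing settings. The following script, added here as an illustration rather than code from the original article, audits SPF and DMARC TXT records for the weak settings a defender would want to catch (softfail `~all`, `p=none`, partial `pct`, no reporting address). The domain names and records are constructed samples standing in for real DNS lookups.

```python
# Audit SPF and DMARC TXT records for settings that leave a domain spoofable.
SAMPLE_RECORDS = {  # constructed sample records for hypothetical domains, not real DNS data
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@strong.example",
    },
}

def audit_spf(record):
    """Return findings for an SPF record; an empty list means nothing to fix."""
    if not record:
        return ["no SPF record: any host may send as this domain"]
    # The qualifier on the 'all' mechanism decides the fate of unlisted senders
    qualifier = next((t for t in record.split() if t.lstrip("+-~?") == "all"), None)
    if qualifier in ("+all", "all"):
        return ["'+all' authorises every host on the Internet to send as this domain"]
    if qualifier == "~all":
        return ["'~all' softfail: many receivers still deliver spoofed mail"]
    if qualifier in (None, "?all"):
        return ["neutral result for unlisted senders: receivers get no signal"]
    return []  # '-all' hard fail: spoofed mail is rejected by SPF-aware receivers

def audit_dmarc(record):
    """Return findings for a DMARC record; an empty list means nothing to fix."""
    if not record:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    # Split 'tag=value; tag=value' into a dict with lower-case tag names
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    policy = tags.get("p", "missing")
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected outright")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy enforced on only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not collected")
    return findings

def audit_domain(domain, records=SAMPLE_RECORDS):
    rec = records[domain]
    return {"spf": audit_spf(rec["spf"]), "dmarc": audit_dmarc(rec["dmarc"])}
```

To audit a live domain, replace the sample dictionary with the TXT records of the domain itself and of `_dmarc.<domain>`; DKIM is not covered because its keys live under selector-specific names that are not discoverable from the domain alone.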
Meanwhile, a debate still rages about whether the fundamental weakness that makes phishing possible is technology limitations or the users themselves.
The first generation of anti-phishing tried to address the problem technologically, through techniques such as endpoint isolation and blocking suspect domains. The next generation focused more on training users to better detect phishing emails, for example through formal anti-phishing training programmes. These programmes help, but it’s debatable whether training alone will ever be enough to beat criminal ingenuity.
Short of locking down what users can do with email (blocking certain types of attachment and scripting interfaces), it’s arguable that the answer has always been an evolving mixture of both approaches.
Endpoints are now better segmented to stop attacks from spreading, while the applications are more likely to be sandboxed. If the user makes a mistake, it’s more difficult for attackers to move sideways.
Importantly, even if the user reaches a phishing site, strong authentication is the one technology guaranteed to make the attacker’s life hard. With it, stealing the username and password is not enough – the attacker still needs a one-time passcode (OTP) or token to access the targeted account.
Cloud-based email systems increasingly offer AI-based detection of phishing emails, monitoring suspicious elements such as the language used, the source data, or the programming elements hidden inside them. In some cases, this involves executing the contents of emails in a sandbox to see what they do before the user has opened them. The limitation of this approach is the possibility of false positives.
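The signals such a gateway looks at can be made concrete with a small rule-based scorer. The code below is an added illustration, not part of the original article or any vendor’s product: it inspects sender data (From versus Reply-To, brand names in the display name), urgency language, link text that names a different domain from the one the link points to, and script content in the HTML body. The sample message is constructed; the thresholds, word lists and brand list are assumptions chosen for the demonstration.

```python
# Rule-based scorer for the signals a mail gateway inspects in a phishing email:
# sender data, language, and code hidden in the body. The sample mail is constructed.
import email
import re
from email.utils import parseaddr

URGENCY = ("urgent", "verify your account", "within 24 hours", "suspended")
BRANDS = ("paypal", "microsoft", "google")  # assumed brand list for the demo
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, reasons) for one RFC 822 message given as text."""
    msg = email.message_from_string(raw)
    reasons = []
    sender, reply_to = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    display = parseaddr(msg.get("From", ""))[0].lower()
    for brand in BRANDS:  # brand in display name but not in the sending domain
        if brand in display and brand not in sender:
            reasons.append(f"display name claims {brand} but domain is {sender}")
    body = ""
    for part in msg.walk():  # collect text parts of single- or multipart mail
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons += [f"urgency language: '{p}'" for p in URGENCY if p in text]
    for href, anchor in LINK_RE.findall(body):  # link text naming another domain
        shown = re.search(r"[\w.-]+\.\w+", anchor)
        target = re.match(r"https?://([^/\s]+)", href)
        if shown and target and shown.group(0).lower() not in target.group(1).lower():
            reasons.append(f"link text {shown.group(0)} points to {target.group(1)}")
    if re.search(r"<script|javascript:", body, re.I):
        reasons.append("active content in HTML body")
    return len(reasons), reasons

SAMPLE_PHISH = """\
From: "PayPal Support" <alerts@paypa1-notice.example>
Reply-To: collect@mailbox.example
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>Your account will be suspended within 24 hours. Confirm at
<a href="http://login.paypa1-notice.example/x">www.paypal.com</a>.</body></html>
"""
```

A real gateway would combine such rules with learned features and tune the decision threshold against a labelled corpus, which is where the false-positive trade-off mentioned above is set.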
Beyond authentication lies zero trust, a set of principles designed to limit the privileges of end-users to a minimum needed to do their jobs. This counters phishing by carefully defining the resources and data users can access with any set of credentials at certain times and from specific locations. It sounds limiting, but user accounts are often unnecessarily permissive. If properly implemented, users shouldn’t notice any difference.
Perhaps the most significant barrier to countering phishing is simply complexity itself. Every anti-phishing system is another thing to manage, which consumes time and expertise. Meanwhile, when phishing attacks get past defences, which inevitably they will, cybercriminals can roam inside the network.
An alternative approach is to focus more resources on detecting and remediating the effects of phishing attacks than simply trying to stop them from ever happening. Managed services, including endpoint detection and response (EDR) and managed detection and response (MDR), offer a way to achieve this. This type of service processes events from multiple devices, users, applications, and traffic to spot compromises in progress.