Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, to launch fraudulent transactions, or to trick someone into downloading malware. In early 2016, 93 percent of phishing emails delivered ransomware, according to statistics from PhishMe.
Enterprises regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them. One reason for this is the fact that these attacks can take many forms. “Phishing attacks come in all shapes and sizes, targeting specific individuals within an organization who have access to sensitive data,” says Area 1 Security’s Shalabh Mohan.
Users tend to be bad at recognizing scams. According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90 percent chance that one person will fall for it. This seems absurd at first, but it is reasonable when considered in the context of users outside the tech bubble, such as those in manufacturing and education. Add in the fact that not all phishing scams work the same way — some are generic email blasts while others are carefully crafted to target a very specific type of person — and it gets harder to train users to know when a message seems a little hinky.
Let’s look at the different types of phishing attacks and how to recognize them.
What is phishing? Mass-market emails
The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging into a website or downloading malware. Attacks frequently rely on email spoofing, where the email header — the from field — is forged to make the message appear as if it were sent by a trusted sender.
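The forged From field just described can be checked against headers the sender does not control. The following is an added example, not code from the article; it assumes a receiving mail gateway that stamps an Authentication-Results header, and both sample messages (with placeholder domains) are constructed:

```python
"""Checks for a forged From field (added example, not the article's code). Assumes a receiving
gateway stamps an RFC 8601 Authentication-Results header; both samples below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

def _domain(header_value):
    _, addr = parseaddr(header_value or "")          # '' when the header is absent
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message):
    """Return reasons the visible From header may be forged; empty list means none found."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = _domain(msg["From"])
    found = []
    # SPF is evaluated on the envelope sender (Return-Path), not on the From the user sees;
    # a mismatch between the two domains is the classic fingerprint of a spoofed From field.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        found.append(f"return-path domain {rp_domain} != from domain {from_domain}")
    # A Reply-To pointing elsewhere quietly routes the victim's answer to the attacker.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} != from domain {from_domain}")
    # Anything other than spf/dkim/dmarc=pass stamped by the gateway is reported as-is.
    results = " ".join(msg.get_all("Authentication-Results", []))
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", results)
        if m and m.group(1).lower() != "pass":
            found.append(f"{method}={m.group(1)}")
    return found

SPOOFED_SAMPLE = """\
Return-Path: <bounce@mailer.notbank.invalid>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.notbank.invalid; dkim=none; dmarc=fail header.from=bank.example
From: Bank Alerts <alerts@bank.example>
Reply-To: Bank Support <support@notbank.invalid>
Subject: Your password expires today

Log in now to keep your account active.
"""

LEGIT_SAMPLE = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Bank Alerts <alerts@bank.example>
Subject: Your statement is available

Your monthly statement is ready.
"""
```

Run on the spoofed sample this reports the Return-Path and Reply-To mismatches plus the failed SPF, DKIM and DMARC results; the legitimate sample yields nothing.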
However, phishing attacks don’t always look like a UPS delivery notification email, a warning message from PayPal about passwords expiring, or an Office 365 email about storage quotas. Some attacks are crafted to specifically target organizations and individuals, and others rely on methods other than email.
What is spear phishing? Going after specific targets
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations. Instead of trying to get banking credentials for 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses. A nation-state attacker may target an employee working for another government agency, or a government official, to steal state secrets.
Spear phishing attacks are extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a conference the recipient may have just attended or sending a malicious attachment where the filename references a topic the recipient is interested in.
In a recent phishing campaign, Group 74 (a.k.a. Sofact, APT28, Fancy Bear) targeted cybersecurity professionals with an email pretending to be related to the Cyber Conflict U.S. conference, an event organized by the United States Military Academy’s Army Cyber Institute, the NATO Cooperative Cyber Military Academy, and the NATO Cooperative Cyber Defence Centre of Excellence. While CyCon is a real conference, the attachment was actually a document containing a malicious Visual Basic for Applications (VBA) macro that would download and execute reconnaissance malware called Seduploader.