The term “phishing” can be traced back to 1996, when it was used to reference a group of attackers who were imitating AOL employees over AOL messenger, asking people to verify their accounts or billing information. Many unsuspecting users fell prey to this scam purely due to its novelty. Though we would like to believe that we would never be fooled by such an attack these days, phishing remains as popular as ever. Though internet users may have become more discerning, attackers have also become more skilled at luring in victims. Read on to find out how these phish are more sophisticated, and how your organization and its employees can outsmart them.

Advanced Phishing Strategies

In some ways, the core tenets of phishing have remained the same. The motives are still getting malware past the perimeter or harvesting credentials. This is still most frequently accomplished through malicious links or attachments.

What has changed is presentation. Though there are still emails with obviously fake sender addresses, riddled with spelling errors, an increasing number are nearly impossible to tell from the real thing. Many lead to websites prompting for credentials that look almost identical to the site they are imitating. More recently, threat actors have been mounting conversation-hijacking attacks, using previously compromised email accounts to reply to ongoing email threads. They slide in with an email that has malicious links or attachments right in the midst of a conversation, easily catching other members of the thread off guard.

How Phish Get to Your Inbox

The backend of phishing has also evolved. There have been increasing advancements in evading filters. One simple method is using images of text so that the message is not machine-readable and tagged as junk mail. Another is obfuscating URLs by adding a few extra characters to spoof URLs and email addresses, fooling both the filter and the recipient into opening an email or proceeding as normal on a fake website. Mostly, attackers have just become more shrewd in constantly trying new tactics, knowing that as soon as one obfuscation or evasion technique is exposed, they’ll need to move on to another.
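As an added illustration of the URL and sender spoofing described above (this is example code written for this article, not code from the original post), the following Python flags links and email addresses whose domain merely resembles a domain the organization wants to protect, catching extra characters, confusable digits and brand names buried in a longer hostname. The protected-domain list, the confusable map and the sample inputs are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed assumption: the domains this organization wants to protect.
PROTECTED_DOMAINS = ["acmebank.com"]

# Constructed map of characters commonly swapped in for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s"})


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude 'last two labels' rule; sufficient for the constructed examples."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_verdict(value, max_distance=2):
    """Classify a URL or email address as legitimate, lookalike or unknown.

    Returns (verdict, protected_domain_it_resembles_or_None)."""
    if "://" in value:
        host = urlparse(value).hostname or ""
    elif "@" in value:
        host = value.rsplit("@", 1)[1]          # mailbox@domain
    else:
        host = urlparse("http://" + value).hostname or ""
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return ("legitimate", domain)
    # Undo digit-for-letter swaps and drop hyphens/extra punctuation before comparing.
    normalized = re.sub(r"[^a-z.]", "", domain.translate(CONFUSABLES))
    for protected in PROTECTED_DOMAINS:
        if normalized == protected or edit_distance(normalized, protected) <= max_distance:
            return ("lookalike", protected)     # acme-bank.com, acmebanks.com, acmeb4nk.com
        if protected.split(".")[0] in host.lower():
            return ("lookalike", protected)     # acmebank.com.secure-login.net
    return ("unknown", None)
```

A low `max_distance` keeps false positives down for short protected domains; treat a "lookalike" verdict as a trigger for review or quarantine rather than automatic blocking.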

Who is Phishing and Who is Getting Phished

Another change is in who is targeted. While there are still massive campaigns aimed at whoever will click a link, other phishing attacks are far more precise. Spear-phishing, for instance, targets specific individuals or organizations using sites they are familiar with or imitating known individuals in order to lure them in. Whaling is even more precise, aimed at high-level executives. In both cases, extensive research is conducted so threat actors know what may entice these organizations or individuals to open a message. From there, an email is crafted to both personalize the content and convey the right tone for the business or individual. For example, a whaling attack against a C-level employee may require a certain level of urgency to ensure that it’s opened, typically involving financial, legal, or, ironically, security matters.

Finally, there is an increasing number of people who have the ability to phish. Before, threat actors were only those who understood the mechanics of phishing. Now, phishing kits can be purchased readily on the dark web, giving nearly anyone with the desire to phish the tools needed to do so. This has helped push the number of attacks even further upward. With constant attacks being launched, it’s no wonder that so many people have been fooled.

How Can Organizations Avoid Getting Phished

Advancements are being made to help strengthen filters and prevent phish from ever arriving in your inbox, and browser security is also evolving to detect malicious websites the moment you land on them. For the foreseeable future, however, phishing will continue to be an ongoing challenge for organizations. Strategically manage this threat by following these three steps:

  1. Deploy anti-phishing pen tests.
    You don’t want to wait until after you’ve been hit to find out that your employees are particularly susceptible to phishing. Social engineering testing imitates phishing campaigns in order to safely determine whether your employees are vulnerable to phishing, and what types of phish are most likely to fool them. Using social engineering pen testing services or tools allows you to find out where your weaknesses are by safely launching an attack just like those currently being used by actual threat actors. Such campaigns can be the difference between a company that suffers a huge breach and one that remains secure.
  2. Educate employees and follow best practices.
    No matter the outcome of your pen test, it is always worthwhile to educate your employees. Teach them ways to identify phish—from lack of personalization to odd URLs. Urge caution when opening links or attachments, particularly those that come unprompted or from unusual sources. Follow best practices, like going directly to a website instead of using a link when possible. Encourage employees to keep an eye on OpenPhish and PhishTank to familiarize themselves with the most common phish currently floating around.
  3. Retest on a regular basis.
    Anti-phishing penetration tests can and should be run frequently. The best way to ensure your education efforts are effective is to test again. Additionally, new phish are constantly being introduced, so you’ll want to stay up to date on the latest tactics. Regular testing keeps employees accountable and vigilant, and ensures that new employees aren’t a security weakness that goes unaddressed for too long.

Ready to run your first anti-phishing pen test?

Learn what to do from an expert in our Best Practices for Effective Phishing Simulations eCourse.