Social engineering and deception are as old as humanity itself. Phishing is social engineering and deception via digital means and has been with us since the beginning of computers. After early computer worms, among the very first computer crimes were fake email messages asking the recipients to do some action that was against their own best interests.
I clearly remember my experience with an ANSI bomb back in the early 1980s. An email arrived to me on a FIDOnet (an early precursor of the Internet) chat channel asking me to open and read a text file to learn how to get a free HST modem. At the time, HST modems offered 9600 baud speed, which was high tech and blazing for the time. I opened the text file with a text editor (called edlin in MS-DOS). The document contained a single, short sentence: “Steal one!”
It was a strange line to read. I closed the document as I shook my head. Then the next key I hit formatted my hard drive! It was a tough lesson to learn. Turns out that even the simplest of documents could contain embedded, invisible printer control characters (e.g., ^G01h) that, when appropriately combined, could re-map a computer keyboard so that any key hit would then perform a set of instructions. In this case, those instructions told my computer to reformat my hard drive. I’ve been distrustful of emails asking me to open documents ever since.
Since then, many more digital avenues have been developed for people to be phished and socially engineered. Social engineering and phishing are now responsible for 70% to 90% of all successful cybersecurity incidents. Here are all of the phishing methods I can think of.
Email

Email is by far the most common media channel for social engineering people, and I think we are all quite acquainted with this phishing method. Phishing emails attempt to trick us into providing our login credentials, opening a maliciously rigged document, or running a Trojan Horse program. The emails will often arrive pretending to be from a person or organization that the recipient is inclined to trust.
If you are interested in learning how to better determine legitimate emails from realistic-looking, phishing emails, consider viewing my webinar on how to forensically examine emails.
Websites

The second most common phishing method involves websites, either by using email to send a recipient to a malicious website, or by placing a bogus page or malicious script on a legitimate website that visitors reach without any email involved. Oftentimes, completely legitimate, long-trusted, and otherwise innocent websites are manipulated into hosting malicious content. The most common method is a malicious banner ad: the host website allows banner ads to be displayed, expecting only legitimate ads, but the attacker uses a variety of methods to slip a malicious script in among the legitimate ads. Other times, the attacker simply finds and takes advantage of a vulnerability in the website to post his/her malicious script. Either way, websites are often involved in today’s phishing attempts.
One way to cut down on some of the malicious websites is by being able to recognize when a URL is legitimate or not. If you are interested in learning how to better recognize the difference between legitimate and rogue URLs, see my related webinar.
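As an added illustration (not part of the original post), the following Python helper dissects a URL the way a careful reader should: it extracts the host the browser will actually connect to and flags the common deceptive patterns (credentials before an “@”, a bare IP address, punycode labels, and a trusted brand name sitting in a host whose registrable domain belongs to someone else). The watched brand and its genuine domain are constructed placeholders, and the registrable-domain logic is a stated simplification that assumes a two-label suffix.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed watch-list (placeholders, not real brands): a brand label a
# phisher might embed in a host name, mapped to the genuine registrable domain.
WATCHED_BRANDS = {"trustedbank": "trustedbank.example"}


def registrable_domain(host):
    """Return the last two labels of a host name.

    Simplification (assumed): no public-suffix list is consulted, so
    multi-part suffixes such as co.uk are not handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return (effective_host, warnings) for a URL.

    effective_host is the host the browser will really connect to; warnings
    lists the deceptive patterns found, empty when nothing looks off.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    warnings = []
    # user:pass@host trick: everything left of '@' is ignored by the browser.
    if parts.username is not None:
        warnings.append("text before '@' is not the host")
    # A bare IP address is rarely how a legitimate login page is reached.
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    # Punycode labels (xn--) can render as lookalike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host")
    # Brand name present, but the part that matters (the registrable domain)
    # belongs to someone else: covers brand.example.evil.example and
    # brand-secure.example style hosts.
    reg = registrable_domain(host)
    for brand, genuine in WATCHED_BRANDS.items():
        if brand in host and reg != genuine:
            warnings.append(f"'{brand}' in host but domain is {reg}")
    return host, warnings
```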
Social Media

Much of the world spends the majority of their time on social media sites: Facebook, Twitter, LinkedIn, Instagram, etc. So, it’s no great surprise that phishers love using people’s enjoyment of such sites against them. Many times, a person’s legitimate social media account will be taken over by a phisher, usually through an earlier phishing attack that tricked the legitimate owner out of their login credentials, and then that account will be used to trick others who trust the original victim.
Sadly, it can be very difficult, if not impossible, for the original victim to reclaim control over their own social media account. Victims often lose all the content and photos they have entrusted to the social media site, losing information and memories forever. Even the social media company’s proactive security measures, such as using multi-factor authentication (MFA) to protect someone’s account access, can be used against the victim. I’ve been contacted by many dozens of people who didn’t use MFA, who had their social media account taken by a phisher, and then that phisher enabled MFA, and that MFA protection prevented the original victim from ever reclaiming his/her account and content.
Browser and Desktop Notifications

A relative newcomer on the scene is malicious browser and desktop notifications. When a user visits a new website or application, that site or application can ask the user for permission to send him/her desktop notifications. Once approved, these notifications can be delivered even when the user is no longer on the website or in the application that asked for the approval. The notifications can contain text, icons, images, multimedia content, and URLs. And like banner ads, notifications can be “rented” to others, who then use them to send malicious or unwanted content to unsuspecting users. Because notifications are a relatively new method of transmitting malicious content, most antivirus programs do not do a good job of detecting or blocking the malicious content involved.
If you are interested in more detail on malicious notifications, see my related webinar.
Voice Phone Call
Phishing and social engineering can certainly come from voice calls and voicemail messages. Like all social engineering and phishing, voice-based phishing comes from someone pretending to be an otherwise trustworthy source. The originating phone number can be spoofed, and the phisher or call center is often located in a foreign country, making prosecution extremely difficult. The most common voice phishing methods include fake technical support calls pretending to be from Microsoft and offering to help the victim with a supposed malware infection, and calls demanding that the victim immediately pay fines supposedly owed to the IRS or law enforcement. If someone requesting an emergency payment says it’s okay to pay in prepaid cards you can buy at Walmart, it’s probably a request you should verify first. The big telephone companies are trying to enact new technology that prevents call number spoofing, but the defenses seem inadequate and decades too late.
SMS and Other Messaging

Like voice calls, short message service (SMS) texting and other messaging protocols (such as Internet Relay Chat) are subject to easy origination spoofing. SMS messages can be sent by anyone and can pretend to be from any phone number the spoofer wants to use. SMS messages can even appear to come from “short numbers” that are not phone numbers at all. Even if the phone number is real, a potential victim has no way to know whether the originating phone number is valid and whether whoever is using it is really the person or organization they claim to be.
For all practical purposes, any phone-based media channel should be treated as untrusted by default and subject to easy spoofing. Never start performing actions that could negatively impact you without first verifying that the caller or sender is really who they say they are. It can be difficult to do that, but at the very least, the caller or sender should be able to provide a method where you can call a known, legitimate number to reach them, instead of simply relying on their inbound call or text. Sadly, at times, even legitimate services and requests cannot provide that sort of reassurance. We all await the time when phone calls and SMS messages are significantly harder to spoof.
It is also not rare for a phisher to use a combination of methods to win the trust of potential victims. Oftentimes, the phisher will pretext the victim by first calling or emailing with a friendly, not overly suspicious message to start establishing a premature sense of trust. Instead of asking right away for an action that can potentially harm the victim, they say hello, mention names or departments the victim is already familiar with, and so on, in order to get the victim accustomed to the new person’s name and purported role. Once that trust is established, the phisher will call/text/email back with the real intended request, which, when executed, can harm the victim or his/her organization.
Social engineering and phishing can be done using a variety of methods. Email and websites are the most popular methods, but the other methods are becoming more and more common. As a computer security professional with 34 years of experience, any time I see a new technology, the first thing I wonder is how it can be abused by hackers and social engineers. Because if history is any guide, if a technology can be used maliciously, it will be.
It is up to us to educate others about all the ways they can be socially engineered and phished. Email and websites are just two ways. There are others. So, make sure all the people you care about and manage are aware of all the ways they can be phished. KnowBe4’s technology allows you to give training and do simulated phishing across all of these methods.