theNet by CLOUDFLARE

Phishing keeps evolving

New ways of exploiting human behavior

Phishing, like any type of cyber attack, exploits the weakest link. However, unlike many other attacks, phishing exploits human behavior rather than technical vulnerabilities. Whether you are booking a trip, responding to a Zoom invite, or simply checking email — everyone online is a target.

As described in the latest Phishing Threats Report, based on data from approximately 13 billion emails, attackers focus their efforts on appearing authentic: They attempt to impersonate the brands we know and rely upon, and they exploit trust in normal ‘course of business’ interactions.

Attackers have become relentless when it comes to crafting authentic-looking messages to evade common email security. Here are several key trends about the specific tactics they are using, along with strategies organizations can use to prevent those tactics from causing a breach.



Don’t click here, there — or anywhere

Deceptive links are the #1 phishing threat category — appearing in 35.6% of threat detections. Since the display text for a link (hypertext) in HTML can be arbitrarily set, attackers can make a URL appear as if it links to a benign site when, in fact, it is actually malicious.

Most organizations have implemented some form of cyber security awareness training to remind their users to be aware of links in suspicious work emails. However, attackers are increasingly casting their phishing lures into channels where users are less cautious about where they click.

In an approach called “multichannel” phishing, attacks may start with one email, but continue on to SMS/text messaging, IM, social media, cloud collaboration services, and other Internet-connected tools not typically protected by anti-phishing controls.

For example, one multichannel phishing campaign involved the highly-publicized “0ktapus” attack targeting more than 130 organizations. Individuals were sent text messages redirecting them to a phishing site impersonating the popular single sign-on (SSO) service, Okta. Ultimately, nearly 10,000 credentials were stolen.

In another campaign targeting multiple communication channels, attackers phished an employee at Activision then stole confidential data via the company’s internal Slack channels.

According to a Cloudflare-commissioned global survey conducted by Forrester Consulting*:

  • 89% of security decision-makers are concerned about multichannel phishing threats.

  • 8 in 10 said their firm is exposed across various channels such as IM/cloud collaboration/productivity tools, mobile/SMS, and social media.

  • Yet, only 1 in 4 respondents felt their firm is completely prepared for phishing threats across various channels.

Attackers still use links because even the most “trained” employees (and security solutions) cannot accurately spot malicious links 100% of the time. Just one user clicking on the wrong link can lead to credential theft, malware, and significant financial losses.

Which brings us to another key phishing trend: Malicious emails that evade (or even utilize) services that are supposed to authenticate the sender’s identity.



Attackers “pass” security checks

Phishers will pose as any recognizable company or brand to get you to click. According to research, attackers posed as nearly 1,000 different organizations; Microsoft and other brands that people frequently interact with to conduct their work like Salesforce, Box, and Zoom — who all topped the list.

This tactic, known as brand impersonation, is conducted with a wide range of techniques, including:

  • Display name spoofing, where the sender display name in the visible email headers includes a known or legitimate brand name.

  • Domain impersonation or domain spoofing, where the attacker registers a domain that looks similar to the impersonated brand’s domain, but uses it to send phishing messages.

  • Newly registered domains that have not yet been classified as malicious. (In the 0ktapus campaign, attackers leveraged a domain that had been registered less than one hour before the attack.)

Email authentication standards (SPF, DKIM, and DMARC) are often brought up as a key defense against brand impersonation. However, those methods have limitations. In fact, the research found that the majority, 89%, of email threats “passed” SPF, DKIM, and/or DMARC checks.

There are many reasons this can happen. For instance, university researchers recently described flaws in email forwarding that could let attackers exploit Microsoft Outlook’s

Other limitations of email authentication include:

  • Lack of content inspection: Just like sending a letter via registered mail, email authentication ensures delivery; it does not check whether the contents of a message contain malicious URLs, attachments, or payloads.

  • Limited protection against lookalike domains: Email authentication will not alert you to a properly-registered lookalike or cousin domain name; for example, a message sent from name@examp1e.com instead of name@example.com.

  • Complexity of configuration and ongoing maintenance: If your configuration is too strict, legitimate emails will be rejected or marked as spam. If it is too relaxed, your domain might be misused for email spoofing and phishing.



Phishing is too dynamic to trust ‘safe’ senders

As seen with the failure of email authentication to stop brand impersonation, attackers adapt. If they sent fraudulent messages about COVID-19 yesterday (the World Health Organization was the second-most impersonated organization last year), student loan repayment scams today, then what might tomorrow’s phishing campaigns contain?

The big challenge is that the costliest phishing attacks are highly targeted and low volume. They are not easily identified by reactive secure email gateways (SEGs) that look for ‘known’ threats.

For instance, business email compromise (BEC), a type of social engineering attack that does not contain malicious attachments or malware, is tailored to a specific recipient at an organization. The attacker may impersonate someone the intended victim regularly messages, or the attacker may ‘hijack’ an existing, legitimate email thread.

BEC has cost businesses and individuals $50 billion worldwide; BEC losses now even outpace ransomware-related financial losses. Here are a few examples that show how attackers first gained a deep understanding of the victim’s operations (and who they trusted) to successfully launch these BEC campaigns:

  • Attackers monitored the emails of — and then proceeded to impersonate — a Connecticut public school system’s COO and vendors stole more than $6 million earlier this year. (Learn more about this complex form of BEC known as vendor email compromise).

  • A series of BEC schemes tricked state Medicaid programs, Medicare Administrative Contractors, and private health insurers into diverting more than $4.7 million to attackers, instead of to the intended hospitals’ bank accounts.

  • In 2022, attackers pretending to be four (fake) companies and defrauded a food manufacturer of shipments valued at $600,000. This type of incident has become so prevalent that the FBI, US Department of Agriculture (USDA), and Food and Drug Administration (FDA) issued a joint advisory for businesses to “prevent, detect, and respond to BEC-enabled product theft schemes.” (Stolen or ‘counterfeit’ food is estimated to cost the global economy as much as $40 billion a year.)

Uniquely specific phishing campaigns will outwit a traditional SEG. That may be why Forrester analysts proclaimed in a blog about attackers exploiting a Barracuda Email Security Gateway vulnerability: “2023 called, and it doesn’t want its email security appliances back.”

Forrester goes on to recommend moving email security to the cloud, instead, for several reasons, including:

  • Faster updates delivered automatically

  • Simpler architecture

  • Scalability to meet demand

  • No hardware to worry about or replace

  • Easier remediation and mitigation

Replacing a SEG with cloud email security is the most important step to prevent phishing. But just as attackers use multiple channels to launch their campaigns, businesses should also ensure they have multiple layers of protection against phishing.

Layered anti-phishing is a must, particularly when messaging, cloud collaboration, and SaaS apps across multiple devices all pose risks. As Forrester senior analyst, Jess Burn, notes, “Protections developed for the email inbox must extend to these environments and throughout the day-to-day workflows of your employees.” She adds, “When selecting or renewing with an enterprise email security vendor, understand which is delivering or prioritizing a more comprehensive approach to protecting all the ways that your people work.”



The power of a layered approach to stopping future threats

Even if a message has passed email authentication, originates from a reputable domain, and is from a “known” sender, it should not be inherently trusted. Instead, preventing a potential phishing attack requires a Zero Trust security model that ensures all user traffic is verified, filtered, inspected, and isolated from Internet threats.

Cloudflare Zero Trust comprehensively protects against phishing threats and includes:

  • Integrating cloud email security with remote browser isolation (RBI) to automatically isolate suspicious email links; this prevents users’ devices from being exposed to malicious web content.

  • Proactively scanning the Internet for attacker infrastructure, sources, and delivery mechanisms to identify and stop phishing infrastructure days before phishing campaigns launch.

  • Detecting hostnames created specifically for phishing legitimate brands; this works by sifting through the trillions of daily DNS queries.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

*Source: Forrester Opportunity Snapshot: A Custom Study Commissioned by Cloudflare, “Leverage Zero Trust to Combat Multichannel Phishing Threats,” May 2023.



Dive deeper into this topic.

To learn more about modern phishing threats that trick common email security defenses, get the latest Phishing Threats Report!

Get the report!



Key takeaways

After reading this article you will be able to understand:

  • Attackers are impersonating brands we rely upon, appearing authentic

  • The evolution towards multichannel phishing

  • How migrating to cloud email security is the most important step to prevent phishing

  • The role Zero Trust has in protecting the modern enterprise



Receive a monthly recap of the most popular Internet insights!