The bad guys who run phishing campaigns are nothing if not relentlessly innovative. In our consideration of new trends in phishing, though, we often focus exclusively on the technical innovations of the malware delivered to users' desktops.
While the developments in malicious software have been striking in the past few years, especially those surrounding ransomware, we should not overlook the other smaller, more subtle innovations that online fraud artists have introduced into their phishing campaigns.
At the heart of every phish that lands in users' inboxes is a social engineering job -- an attempt to con gullible users into believing claims that are contrary to reality and then persuade them to take dangerous actions based on their belief in a lie.
The art of lying is one of the dark arts -- an endeavor that rewards those with the patience for small gestures and a keen eye for seemingly innocuous detail that makes nonetheless all the difference. In what follows we take a look at several trends in social engineering that we have observed in the phishing emails that customers have elected to share with us through KnowBe4's PhishAlert Button (PAB).
Putting marks behind the eight ball
One of the easier ways to persuade marks to indulge demands that they take potentially dangerous actions is to put them on the defensive. Classic phishing emails often tease users with offers too good to be true (think Nigerian 419 phishes and other similar "advance fee" scams) or with claims that minor problems with online accounts need to be rectified (e.g., your stereotypical credentials phish that invites users to log in to fake online banking sites for the purported purpose of confirming their identity or correcting data issues). Over the past few months, though, we have noticed the bad guys ratcheting up the pressure on users with claims that undesirable events will be occur if they fail to take the action requested of them (which usually involves opening an attachment or clicking a link).
Here is an all too typical example of what we shall call the "prevent negative consequences" phish:
And here is a variant purporting to hail from an organization's IT Help Desk:
The goal of these phishes is clearly to compel action on the part of users in response to an immediate problem of vital interest to the recipient (few of us could handle our jobs with a deactivated email account in spite of the sheer amount of aggravation an active one causes us on a daily basis).
Warning users of negative consequences isn't the only way to compel action from potential marks, however:
The prospect of an imminent phone call would be more than enough for many desk-bound users to warrant opening an infected attachment.
To apply maximum pressure on users, however, the bad guys are increasingly bringing in the big guns: the President or CEO of a targeted organization:
Most wire fraud phishes lead off with a simple question: "Are you in the office?" or "Are you at your desk?" Notice how this simple one line variant immediately puts recipients on their back foot and demands a compliant, unthinking response.
Here is a more expansive version of the same approach:
Snowing marks with a blizzard of detail
Putting users in a tight spot isn't the only way to persuade them to open an infected attachment or click a dangerous link. Sometimes a subtler, less obvious approach is all that is required.
In this phish the bad guys snow users by crafting an alternate reality so rich in detail that the resulting confusion on the part of potential marks compels them to click a malicious link in order to make sense of the email sitting in front of them on their screen:
Sheer quantity of context and detail can prove a barrier to action. Notice how the call to action in the above phish is vague and buried in the third paragraph of the email, which some users may not even see.
In many cases a light dusting of faux-personal context and detail may be all that is necessary to transform an alarming request to open a potentially infected Word doc into an everyday office event:
One thing the bad guys can count on is the baseline state of bewilderment and confusion on the part of corporate office denizens. Bizarre, unexpected requests are the norm in many office environments -- and complying with the following request to open an unanticipated attachment might very well strike many an employee as simply par for the course:
When small details are enough
Even more subtle is the inclusion of little details that lend the air of legitimacy to phishing emails that would (or at least should) otherwise raise suspicion:
Obviously the above credentials phish will effectively be doing precisely what the disclaimer states it will not: asking for the user's password and other sensitive information via email.
The more brazen such small details are, the more convincing they can be:
Bad grammar ain't what it used to be
So much of the advice given to users over the past few years on how to recognize phishing emails has consisted of spotting improper grammar or syntax and spelling errors. Hilariously clumsy as many earlier phishing campaigns may have been, the bad guys have become very skilled at crafting malware and social engineering hooks designed to inflict maximum damage on targeted organizations.
You can't count on the bad guys being daft or flat footed anymore. They are phishing your employees with increasingly sophisticated social engineering hooks, and running phishing campaigns designed to exploit the boredom and confusion of your typical office environment.
To combat these kinds of subtly crafted social engineering attacks your organization needs new school security awareness training, because when your email security solution fails to flag this kind of sophisticated assault on your organization and the bad guys are inside the wire, your employees are the last line of defense.