Skip content

Phishing: it's not just about email

Other types of phishing aside from emails

The following are methods of phishing delivered outside of email:

1. Social media and Angler phishing

Phishing is seen on all social media platforms, from Facebook quizzes collecting sensitive user data to crypto scams and messages carrying malicious URLs. Professional networks like LinkedIn are also vulnerable, where threat actors use fake job offers to ensnare targets.     

A common tactic is ‘angler phishing’ where the campaign is based around a fake customer support profile posing as a legitimate organisation. They target social media users already complaining publicly about that company. By responding with sympathetic messages and links, the angler phishers trick victims into handing over login credentials or sensitive information.

2. Telephone - Vishing and Smishing

Vishing is a form of phishing where scammers use phone calls to catch victims off guard.  Campaigns are crafted by setting up a Voice over Internet Protocol (VoIP) server to mimic legitimate entities. August 2022 saw Cisco fall victim to this type of attack where an employee’s Google account was compromised using a phone call prompting them to approve a multi-factor authentication (MFA) request, which led to multiple accounts being compromised. Smishing is another phishing method to be wary of. This is conducted by spreading malicious links and content via SMS text messages. Criminals often impersonate family members on platforms like WhatsApp, asking targets to send money urgently. Like email phishing, these text scams trick users into handing over sensitive information or clicking dangerous links. 

3. Malicious websites - Typosquatting

A malicious website can come in the form of typosquatting, also known as URL hijacking. This method involves criminals registering domains with slight misspellings of legitimate brands and websites where the targets are users who mistype the URL. This will trick the victim into thinking the website is legitimate, encouraging them to input sensitive data. LRQA’s ThreatWatcher service can help combat this.

ThreatWatcher looks at millions of digital data points, identifying and alerting you to risks in the wild giving you the chance to act before impacting your business. Two core services of ThreatWatcher include brand monitoring which discovers brand mentions over multiple sources including the dark web and code repos. The other is discovering credential leaks impacting your employees. An optional service worth mentioning is 'Takedown' where sites impacting brand infringement can be taken down.

4. SEO poisoning

SEO poisoning is a phishing technique that involves masking malicious websites as trustworthy and legitimate by appearing among the top results on a search engine. All that is needed after this is for the target to interact with the website. Victims land on these fake but credible-looking sites and hand over personal information or download malware not realising the risks. All it takes is registering domains imitating real companies, products, or services then building out content, backlinks and strategically selected keywords. Users grant account access and expose personal data believing that the site is genuine. 

Personalities are the targets

It is important to conduct regular, up-to-date, and high-quality security awareness training for your employees. Your phishing detection solution will inevitably let through phishing e-mails as 100% prevention does not exist.

1. Personality traits

The five personality traits refer to openness, conscientiousness, agreeableness, and neuroticism. These traits usually determine how susceptible an individual is to a phishing attack. Individuals displaying strong signs of openness, extraversion, and agreeableness tend to be more susceptible than those who lean towards neuroticism or conscientiousness.

2. Heuristics and cues

Heuristics can be described as mental shortcuts that facilitate decision-making.  This way of thinking is developed over time to provide a more efficient decision-making process. Heuristic thinking can lead to systematic logical errors, known as cognitive biases. Another weakness attackers prey on is social cues and the way our brain processes them. There are many cues that an attacker will use but some common ones to look out for are distracting details, a sense of urgency, authoritative, humanitarian appeals, limited-time offers, or situations that are too good to be true.

Phishing often leads to ransomware

Beyond personal privacy risks, phishing attacks threaten organisations on a much larger scale. Attackers are often motivated by financial gain, stealing data, or causing disruption. By compromising one individual through phishing, they can gain a foothold to access your entire corporate infrastructure.     

A 2022 study highlighted that 88% of organisations from a pool of 1,400 experienced ransomware attacks following phishing. E-mail phishing is the most common delivery method of ransomware. An example of this is the ‘QakBot’ phishing e-mails delivering the ‘REvil’ ransomware. 

Once inside the network, attackers can exfiltrate sensitive data, encrypt files for ransom, distribute malware, and potentially breach connected partners and customers. Therefore, organisations must implement awareness training, email security defences, and response plans focused on early threat detection across their digital assets. 

Immediate actions organisations can take against phishing

There are some actions your organisation can take to prevent you from becoming the victim of a phishing attack.

  • Security awareness training: this will educate individuals on potential risks, threat detection, and safe online practices. It covers topics such as phishing, password security, and social engineering to empower users in recognising and mitigating cyber threats, fostering a vigilant, and resilient organisational security culture.
  • Verify emails to ensure they are from a legitimate source, taking care to analyse any links or attachments.
  • Implement mandatory multi-factor authentication (MFA) on all user accounts.

How can LRQA help?

One of the tools leveraged by LRQA is Microsoft Sentinel. Microsoft provides extensive playbooks for phishing attacks along with proactive approaches to eliminate the threats of bypassed phishing e-mails, such as threat hunting with Kusto Query Language (KQL), the query language used primarily for querying and analysing large volumes of data stored in Microsoft Azure services.

Microsoft Sentinel also reports on phishing incidents that have been detected or reported by a user along with the aftermath if it becomes a multi-staged attack, regardless of the way it was delivered.

Other services include:

  • Managed SIEM services
  • Managed Endpoint Detection & Response
  • Managed Network Detection & Response
  • Managed vulnerability scanning