The Nigerian prince does not catch whales: Know the different levels of phishing emails

Today, it would be difficult to find users who have not come across an email that promises an astronomical win or in which a Nigerian prince asks us for help in transferring an inheritance.

The "Nigerian Prince" scam, also known as the "419 scam" (after section 419 of the Nigerian Penal Code), began to spread in the 1980s and 1990s with the advent of email communication. Although the roots of this scam go back to the 18th century, when it was known as the "Spanish Prisoner" and was spread by means of letters, we still encounter its modified form today in what are called phishing e-mails. Some encounter phishing emails on a daily basis, others sporadically, but I firmly believe that everyone knows them. However, few people realize that these attacks represent only the elementary-school level among the many possible forms of phishing attack. Targeted phishing attacks, or entire campaigns, take us up to the high-school level on this imaginary scale, and sophisticated campaigns aimed at executives reach university level.

Just as the difference between elementary and high school is the complexity that must be mastered, targeted phishing attacks are also much more complex.

The basic premise of simple phishing attacks is that they are sent to a large number of users and have a low success rate. However, since sending e-mails and obtaining e-mail addresses are both very cheap, even this small percentage of success is sufficient. These attacks are often impersonal, use generic information and addresses, and aim to obtain sensitive data such as passwords or banking information.

In contrast, targeted phishing attacks (spear-phishing) are based on the opposite premise. As the name suggests, a targeted attack is aimed at a small group of users or even an individual, and the information in these e-mails is tailored to that group. It is this credibility that makes these attacks much more dangerous: the content of the e-mail seems far more convincing. From the technical side, too, these attacks are more sophisticated: e-mails use forged or compromised sender addresses, they are written without typos, the logos used are accurate, and so on. We have now reached the imaginary high-school level.

How does an attacker get the information to create such a targeted phishing email, you ask? You simply gave it to them yourself. From publicly available sources, such as websites, an attacker obtains a huge amount of data. In addition to basic information, such as your company's headquarters and which e-mail address format you use, the attacker also gets an overview of what is currently happening in your company. Do you have a "News" or "Blog" page? The attacker can then easily find out whether you are migrating systems or launching a new product. And that is far from all. Much more precise information can be obtained from the social networks you use to communicate and promote the brand: who you communicate with on social networks, specific names in the marketing department, names of employees and so on. The attacker then uses all this information to compose a persuasive email targeted at a specific group of users and a specific situation.

If you've just started to feel anxious or nervous, believe me, we're still only in high school. If we wanted to look at university level, we would narrow the scope to an even smaller group of employees, for example executives. In this case, attackers search all available social networks, obtain phone numbers and arrange personal meetings. The whole attack on such a specific group is then not just one e-mail but an entire campaign, complete with contextual information, phone calls and whole fake websites. Yes, that's right: just as they can spoof an email, they can also create a fake website. This type of attack, aimed at the highest-ranking members of companies, is called whaling in English.

In addition, attackers can use artificial intelligence (AI) and literally create these campaigns on demand. Prompts to AI such as “Act as a professional lead marketer and create an engaging email to establish initial communication. Emphasize that if you use the link below, you will receive a significant discount in the first week. When getting a contact, refer to the LinkedIn platform..." are not unusual today. Similar prompts can be used not only to build a story from contextual information, but also to generate the web pages themselves, or the entire campaign. This example shows what the corresponding attack would look like at our imaginary university level.

Phishing as an attack vector is extremely popular among hackers. Some surveys even show that in up to 90 percent of cyberattacks, this vector has been used in some form. This is because, especially in mass phishing campaigns, the phishing message itself does not exploit a technical vulnerability, but targets the psychology of the person who will read the e-mail. De facto, we can say that the principle of these fraudulent messages has not changed since the 18th century. Only the technical implementation has changed.

When building a defense against phishing, it is therefore necessary to take into account both the technical side and this non-negligible psychological dimension. Among the technical defenses we use as standard against phishing emails are multi-factor authentication and e-mail authentication checks. However, if we want to address phishing comprehensively, we must not leave out employee education. Moreover, both of these layers of protection must be configured more specifically for the potential victims of targeted phishing campaigns. Just as one size does not fit all, the security settings for e-mail communication must reflect the different security needs of different groups of employees. For example, an email gateway may apply different policies to executives than to employees who do not communicate publicly. Most importantly, education about phishing e-mails should be approached the same way: employees who speak publicly should receive more comprehensive phishing training, including the topic of targeted phishing attacks.
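As an added illustration of the per-group gateway policy described above (example code written for this page, not from the article or any vendor product), the snippet below reads the standard Authentication-Results header (SPF, DKIM, DMARC verdicts) of a constructed sample message and applies a stricter rule to a hypothetical executive group than to general staff. The EXECUTIVES set, the example.com addresses and the sample message are all assumptions made for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not real mail); only the headers matter here.
SAMPLE = """From: "CEO Office" <ceo@example.com>
To: cfo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=none; dmarc=pass header.from=example.com

Please handle this today.
"""

# Hypothetical group assignment: addresses in this set get the stricter policy.
EXECUTIVES = {"cfo@example.com", "ceo@example.com"}


def parse_auth_results(header):
    """Return {'spf': 'pass', 'dkim': 'none', ...} from an Authentication-Results value."""
    results = {}
    for part in header.split(";")[1:]:  # first segment is the authserv-id (the checking host)
        method, _, rest = part.strip().partition("=")
        results[method.strip().lower()] = rest.split()[0].lower() if rest.strip() else ""
    return results


def decide(raw_message, executives=EXECUTIVES):
    """Return (action, reason) for one message under a recipient-dependent policy."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if recipient in executives:
        # Likely whaling targets: every authentication check must explicitly pass.
        failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
        if failed:
            return "quarantine", "executive policy: " + ", ".join(failed) + " not pass"
        return "deliver", "executive policy: all checks passed"
    # General staff: act only on the sending domain's DMARC verdict.
    if auth.get("dmarc") == "fail":
        return "quarantine", "general policy: dmarc fail"
    return "deliver", "general policy: no dmarc failure"


if __name__ == "__main__":
    print(decide(SAMPLE))
    print(decide(SAMPLE.replace("To: cfo@example.com", "To: staff@example.com")))
```

The same message is quarantined for the CFO (DKIM missing) but delivered to a general mailbox, which is the kind of differentiated handling the paragraph above argues for.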

SOURCE: Trend
