Cybercriminals innovate and update their phishing tactics all the time, deploying the latest strategies to deceive their targets and steal their resources. High-profile attacks increasingly dominate headlines, from celebrity deepfakes to multi-million-dollar scams in the finance industry. However, as we’ll learn, these stories are the tip of the iceberg, and phishing attacks affect businesses and their clients at every level.
To achieve comprehensive protection, businesses must update their strategies in line with phishing’s innovative growth, both in understanding and efficacy. From the core mechanisms that underpin it, to the latest AI-enhanced campaigns, reinforcing your grasp of phishing attacks helps you defeat cybercriminals and protect your brand.
Here, we’ll define phishing, and look at some of the most common threats facing your business. We’ll then explore some fresh examples in modern cybercrime, before highlighting the most effective strategies for keeping brands safe online.
What is Phishing?
Phishing involves malicious attempts to trick people online, normally by posing as a trustworthy contact across digital communication. While deceptive emails are a phishing attacker’s bread and butter, modern cybercriminals launch multimedia attacks over social media channels, phone calls, video conferencing, and more. Phishing presents an especially cruel threat as attackers exploit human psychology. Leveraging trust, good faith, and influence, cybercriminals engineer scenarios that prompt targets into giving away valuable login details, private information, and cash.
AI-Powered Phishing: Deepfakes and Beyond
Recent advancements in AI technology are already ushering in a new wave of phishing threats. Generative software turns suspicious typos into fluent English, while also helping attackers multiply their campaigns with the click of a button. A UK government report into “The near-term impact of AI on the cyber threat” recently found that AI tools also decrease the time it takes for hackers to identify and exploit security weaknesses. With AI coding, copywriting, and design, criminals also increase the frequency and sophistication of their attacks, potentially evading security filters.
Crucially, AI’s impact on phishing attacks extends beyond textual communication, and into the audiovisual world of deepfakes. Cybercriminals increasingly deploy deepfake videos and voicecloned audio messages to trick targets both inside and outside of a business. For example, a successful attack recently defrauded a finance company of $25 million by impersonating their CFO. Other campaigns impersonate customer service workers to trick clients into revealing their card details or other private information for later sale online. Find out more about deepfakes in a new guide from Alex Wägner right here.
Domains: A phishing lynchpin
As a cornerstone of the internet, domain names also form a cornerstone of many phishing attacks. Domains let their owners host webpages and register email addresses. These assets help cybercriminals sharpen the hooks of their attacks. Typically, phishing attacks revolve around domain names that impersonate legitimate organizations, with strings that pass as the real thing at first glance. These lookalike domains trick their targets with convincing emails in their inbox, or cloned landing pages where they enter their login details unawares.
When it comes to spoofed domains, phishing attackers have plenty of tricks up their sleeves. From simple homoglyphs like replacing an “o” with a “0” in “d0main.com”, modern cybercriminals even register domains that sound like a legitimate business name rather than look like one, so they can trick a smart speaker into visiting their page when a user searches via voice control. Discover the top ten domain phishing strategies, as outlined by EBRAND’s Chief Technical Officer, here.
Different Types of Phishing Attacks
As we’ve established, phishing uses social engineering to trick its targets, and like any social interaction, each phishing attack looks and feels unique. However, learning the main types of phishing attacks equips you to recognize the patterns and detect the warning signs. Better yet, it also helps you put the tools in place to protect your brand.
Standard phishing attacks include vishing (voice phishing), smishing (SMS or text message phishing), and whaling, or CEO phishing. Whaling attacks refer to the cybercriminal targeting of executives and VIPs, aka “the big fish”. Attackers target high-profile victims as they often have the most to lose. Moreover, their influence also helps coerce colleagues or followers, particularly when newer team members lack experience with cyberthreats.
BEC (Business email compromise) represents another important umbrella term in phishing. BEC refers to attackers impersonating company emails via lookalike phishing addresses. Cybercriminals then trick team members into downloading malware, transferring funds, or even buying gift cards.
These attacks target businesses internally, but phishing attacks also impersonate the business itself, to target its clients. Attacks like customer rewards scams leverage a consumer’s desire for prizes, enticing victims with fake rewards or lottery winnings. Cybercriminals also impersonate company websites and apps, tricking clients into entering private details or downloading malware. In fact, fake apps pose a growing threat, as scammers on product launches or new platforms with app store scams. These attacks strike every industry, from ecommerce to gaming. Ultimately, fake websites and apps don’t target a business directly, but they still divert revenue streams and pollute brand images. Businesses must take steps to protect their clients.
How Businesses Tackle Phishing Attacks
Each style of phishing attack calls for a different business response. Thankfully, modern brands have plenty of tools at their disposal. Proactive measures like employee education help lower the risk of successful scams, along with infrastructure like email security. However, attacks do slip through the net.
Internal cybersecurity teams take down threats like social media impersonations or infringing domains on a manual basis, working with legal teams to issue cease and desists, or involving the police to tackle more serious cybercrimes. However, employing cutting-edge technical solutions helps businesses work efficiently at scale to protect their brands.
Technical Solutions for Businesses
Complex issues like phishing require comprehensive solutions. Secure businesses tackle phishing with Digital Risk Protection, a well-rounded solution for detecting, tracking, and removing online threats. With a risk protection platform, businesses scan the domain landscape for anything that spoofs or infringes upon their brand. Legal teams and technical experts then assist in removing these risks from the internet before they host their scam pages or send their deceptive emails to CEOs, colleagues, or clients. AI technology raises the threat level for phishing attacks, but it also raises the bar for EBRAND solutions. Artificial Intelligence powers algorithmic scrapers that identify phishing threats, and smart risk assessment tools that prioritize scams for timely action.
Phishing attackers place CEOs, executives, and VIPs in their crosshairs, targeting them with high-profile attacks. To match this threat, you should also explore EBRAND’s new VIP and Executive Protection solution. This package of tools and expertise keeps high-profile individuals safe from online attacks.
What’s Next? Actioning Your Insights
We’ve now established a foundational understanding of the modern phishing landscape. The next steps involve turning your insights into action. Help your business establish a proactive anti-phishing culture, and keep up to date with subject experts like EBRAND. You can also learn more about Digital Risk Protection here, or get in touch with our team to keep the conversation going. When it comes to anti-phishing, there’s no time like the present.
