Phishing is the tool of choice for malign actors to exfiltrate credentials and sensitive information that can be exploited for their own gain, to steal identities and to defraud people. It can be a broad campaign, or highly targeted: at specific individuals (spear phishing) or at high-ranking executives (whaling).

Phishing works because…

  • Device and infrastructure security have improved with the maturity of the internet, so actors have moved to other techniques, and phishing has become the most prevalent form of attack against people and businesses. Phishing is the easiest and most successful method to exploit.
  • Social engineering techniques are easy to exploit against humans, who by their nature are social beings. People tend to be trusting and think others are trustworthy by default. Actors can craft messages which convince individuals to perform an action that appears to be to the benefit of the user but serves the aims of the malicious actor.
  • The proliferation of websites and online services means users need a lot of accounts and many passwords. Many people use weak one-word passwords and reuse them across services, meaning that when a password is obtained, it can be tried against multiple services.
  • Impersonation of brand identity through fake website creation and hosting. Actors can design a fake website with high or identical conformance to the target website, so that a user visually inspecting the site is assured it is legitimate, when of course it is not. Using logos, brand colours and replicated layouts, it is not difficult to mimic the official website.
  • Speed and urgency in messages. If an email says your account has been compromised, people tend to act quickly and irrationally because they want to keep their account secure. But unfortunately, they follow the instructions and links in the phishing email because normal thought processes have been impeded by the threat.
  • Impersonation of the company brand and design in emails. Actors can make the email look professional and like what users are used to from the brand in question. Once they have convinced a user to click a link, that is often enough to complete their campaign, and it may not be necessary to perfect the design of the fake website because they have already won the trust of the user.
  • Targeted and temporal nature of messaging. Phishing actors can fine-tune their message to the targeted user or group. With prior research, information gathering, social engineering and open-source intelligence (OSINT), they can use a variety of details to try to convince users of legitimacy. Actors can employ time as a key factor in convincing a user, either by intention or accidentally. If a user is expecting a package, sending a “delivery fee required” phishing email can be effective in getting the user hooked.
  • Curiosity, serendipity and surprise factors. A potential hacker can exploit aspects of human nature. Users may be tempted by an offer, discount or prize, and they might be intrigued by something that surprises, shocks or confuses them. They might click through to learn more and proceed to give their details to claim what they think is on offer, or to fix what they think has happened.
  • Low cost of messaging. The scale of messaging infrastructure and providers means there are minimal costs to operate email and SMS campaigns. This makes it attractive for would-be hackers to use email and SMS as their channels of choice.
  • Email sender address faking. The success of email is largely down to its deliverability and scalability over the years, with security and trust being an afterthought for much of its time. Malicious users can fake the sender name and sender email address so it really looks like it came from an official domain.

    In focusing on email scale, the original designers let sender addresses go unverified so that messages could flow through SMTP networks with ease. SPF, DKIM and DMARC, the protocols introduced relatively recently to combat spoofing and phishing, prioritise backward and forward compatibility so that deliverability can continue, and target the prevention of misuse of domains that opt in to the protocols. This means defending your domain from being used in phishing campaigns, rather than protecting your domain from receiving phishing. In this approach, adoption is slow and it is sender-side driven, not receiver-side. It requires the owners of all domains (that might be used for phishing) to integrate these protocols. Many companies use a variety of providers, including for email and marketing campaigns, and these protocols require integration with all the providers that might be used. While these protocols can assure a receiver (cryptographically, in DKIM's case) that an email originated from an authorised server or provider, that does not mean an account at the provider will not be breached and misused by a hacker to launch their phishing campaign. Also, given that a lot of phishing doesn't try to fake the sender address, and that many users don't look at it, these protocols do not combat phishing at the client and user side. To defeat phishing, more work needs to take place on the side of users.

  • SMS sender name faking and poor SMS practices by legitimate companies. Setting the sender name is as easy as supplying it when sending a message through an SMS provider. There are often no verification checks for ownership of the brand in question. When a user sees a text which has a sender name they recognise, they can react with positive trust, especially with the misplaced notion that it is hard or costly to send a message with a sender name rather than a number. Legitimate companies often use a mixture of sender names and numbers, so their patchwork of practices does not build confidence in the system.
  • Email links don’t have to show their destination; they are only shown on hover or hold. Crafted emails can use highly recognisable designs and use links which present their destination as text and conceal their technical destination. Some actors might pretend to be transparent by showing a URL as the link text with a different technical destination as the actual link.
  • Legitimate brands use many providers for service delivery in the age of software-as-a-service (SaaS). Email links often use third-party link-tracking providers. As the final destination URL is hidden behind the proxy URL and layers of redirection, a user cannot see any readily useful information in the original URL. Companies also often use special or one-use domains for their marketing campaigns, so it is a first-party problem too. Since this practice is so common, users cannot distinguish legitimate from malicious links; authentic services use bad URLs, so users give up on URLs as a distinguishing mark.
  • False sense of security. We’ve come to associate "https://" and the padlock with strong security and that the site is secure. It was drilled into us that we should always ensure that we see the padlock — it’s an easy thing to teach, learn and recognise, but it’s not everything. The site being secure does not mean you are talking to the correct site, it merely gives guarantees that the connection between you and the site is secret and encrypted. Unfortunately we are not thoroughly educated about website identity, trust and phishing.
  • A culture of link clicking without checking the destination. In the era of web scale, we’re in the age of links. There’s so much content out there that links are needed to get around the vast expanse of the web. Links are meant to make it easier to navigate the complexity. But this ease, their speed of operation and opaqueness hide their esoteric foundation — they represent a URL (another opaque, non-friendly structure) and point at a resource hosted on a server. Users may also perceive that links are non-trivial to create and therefore that links should be safe, but links are in fact easy to create for those so minded. Users might think that services and browsers do enough to protect them in the modern age, so they click links without much thought given to checking the destination.
  • URLs don’t work. People can’t accurately read URLs every time. Consider the easy-to-confuse nature of URLs — the direction of reading and their legibility. Take "https://account·example·com" and "https://example·account·com" — they are entirely different domain authorities. Consider "https://login·facebook·com" and "https://login-facebook·com" — they are completely different entities run by different owners. It is hard to link a URL to a particular brand, given that brands use a variety of domains and URLs, and that you do not know the true URL of a brand ahead of time — it is an appraisal and a guess when looking at a URL. Take the URL for Metro Bank in the UK — "https://www·metrobankonline·co·uk". With IDN homograph attacks, which substitute letters from non-Latin alphabets like Cyrillic and Greek that look identical to their A–Z Latin equivalents, a masquerading URL can be visually indistinguishable from the authentic URL. Some platforms transform IDN URLs into their actual technical form (Punycode), but not in all cases.
  • There are no secure tools to check that a link is safe, especially while preserving privacy and security for links such as password resets. Users would be cautious about pasting a link into Google or a third-party checker because they don’t want to expose it and compromise account security, and that caution wins over verifying that they are actually communicating with the official website.
  • Phishing campaigns, while wildly common, can be relatively rare for an individual, which makes the danger more real for someone receiving a phishing email, because they are more likely to consider it legitimate.
  • Misplaced confidence over time. If people aren’t phished they build confidence with what they have always done, disregarding or oblivious to advancements in technologies and attackers, and not knowing about best practices to avoid phishing. While they might have been lucky so far, it only takes one successful attack to be phished.
  • People who are not digital natives can be more susceptible to phishing attacks, as they have grown up with retail and brick-and-mortar, not with the internet as the Wild West.
  • Even digital natives and people with high tech literacy are vulnerable because phishing exploits our trust biases that we have developed in our upbringing and lived experience.
  • Economy of scale. A marketing-like method and rigour allows phishing actors to hone their approach over time. By analysing the rate of email opens, link clicks and form submissions for their campaigns across thousands and millions of targets, they can continuously iterate with A/B tests and tune their messaging and sites to minimise the effect of counter-phishing efforts and maximise attack success rates.
  • Industrial scale of phishing, with black-market providers offering commercial phishing-as-a-service.
  • The user impression of the state of anti-phishing technology and the maturity of the internet is that, in 2022, technology should be eradicating phishing.
  • Anti-phishing software and email filters are not keeping up. Current anti-phishing software integrated in browsers, mail exchanges and corporate networks still lets considerable levels of phishing through. They predominantly work on a reactive blocklist model which cannot cope with the rising tide of phishing and its emergent effects as hackers evolve their strategies. People are often left to make trust decisions, and sadly with the effect of compelling social engineering, too often the wrong decisions.
  • The internet is hardly policed, and when it rarely is, not policed well. It is a space of freedom and a frontier land where anyone can make anything, but there are no effective checks and balances, so it is the Wild West. Governance of the internet is challenging and is a stalemate across multiple stakeholders in steering organisations and governments.
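The email-authentication point above (SPF, DKIM and DMARC protect a domain only if its owner opts in with an enforcing policy) can be checked for your own domain. The following is an added example, not code from the original article; the DNS answers are a constructed in-memory table standing in for a live TXT lookup, and the domain names are assumed.

```python
# Constructed DNS TXT records standing in for a live lookup; the domains are assumed.
CONSTRUCTED_TXT = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:marketing.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
    "unprotected.example": [],
}

def parse_spf(records):
    # Returns the include targets and the trailing "all" mechanism, or None without SPF.
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    terms = spf[0].split()[1:]
    return {
        "includes": [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")],
        "all": next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None),
    }

def parse_dmarc(records):
    # Returns the DMARC tag=value pairs as a dict, or None when no record is published.
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain, lookup=CONSTRUCTED_TXT.get):
    # Each finding is a way an unauthorised sender could still use the domain name.
    findings = []
    spf = parse_spf(lookup(domain, []))
    if spf is None:
        findings.append("no SPF record: any server may claim to send for this domain")
    elif spf["all"] != "-all":
        findings.append(f"SPF ends in {spf['all'] or 'no all mechanism'}: unauthorised senders only softfail")
    dmarc = parse_dmarc(lookup("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for SPF/DKIM failures")
    else:
        if dmarc.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: failing mail is only reported, never rejected")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={dmarc['pct']}: the policy only applies to a sample")
    return findings
```

To run it against real DNS, pass a `lookup` callable that returns the TXT strings for a name; an empty findings list means the domain is at least opted in with an enforcing policy, which, as the article says, still does nothing for the receiving user.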
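The URL points above (subdomain versus different authority, hyphenated lookalikes, and IDN homographs hidden behind Punycode) can be made mechanical. This is an added example, not part of the original article: it reduces a link to the checks a user is asked to do by eye, and it assumes a naive "last two labels" rule for the registrable domain (a real checker would use the Public Suffix List, since co.uk-style suffixes need three labels).

```python
import unicodedata
from urllib.parse import urlsplit

def hostname(url):
    # Lowercased host from the URL, or "" when there is no network location.
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable(host):
    # Assumption: the last two labels are the registrable domain. Without the
    # Public Suffix List this is wrong for names like www.metrobankonline.co.uk.
    return ".".join(host.split(".")[-2:])

def scripts(label):
    # Unicode script prefixes of the letters in one label, e.g. {"LATIN", "CYRILLIC"}.
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def check_link(url, expected_domain):
    # Compares a link's host with the brand domain the user believes they are visiting.
    host = hostname(url)
    ascii_host = host.encode("idna").decode("ascii")   # Punycode form: xn-- labels
    labels = host.split(".")
    all_scripts = set().union(*(scripts(label) for label in labels))
    return {
        "host": host,
        "ascii_host": ascii_host,
        "same_authority": registrable(host) == registrable(expected_domain.lower()),
        "punycode": any(label.startswith("xn--") for label in ascii_host.split(".")),
        "mixed_script": any(len(scripts(label)) > 1 for label in labels),
        "non_latin": bool(all_scripts - {"LATIN"}),
    }

if __name__ == "__main__":
    # Constructed samples mirroring the article's pairs; "\u0430" is Cyrillic small a.
    for url, brand in [("https://account.example.com/reset", "example.com"),
                       ("https://example.account.com/reset", "example.com"),
                       ("https://login-facebook.com", "facebook.com"),
                       ("https://\u0430pple.com/signin", "apple.com")]:
        print(brand, check_link(url, brand))
```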

What about passwordless?

Passwordless, that will solve everything, and phishing will be a thing of the past, right?

FIDO security keys are cryptographically bound to the website identity, and websites only get the public key of a user; the private keys stay on the security device.

  • Firstly, passwords are here to stay for a long time yet. They are an entrenched solution and removing them and their legacy from all systems will take a considerable amount of time. Passwordless solutions are harder to integrate and need care to get them right. Passwords are likely to remain the authentication model for many small and medium businesses, and certainly will remain in corporate internal systems and intranet sites.
  • FIDO, WebAuthn and U2F keys have been found to have security vulnerabilities in the past. No security technology is perfect and immune from attacks.
  • Passwordless authentication often has a device-vendor account at its root that is password protected, or needs flows to reset and reclaim an account in the event of lost devices and keys, and these flows tend to rely on a password-backed account like an email inbox. Phishing actors can target other accounts and different flows in their campaigns.
  • With passwordless authentication, malicious actors will try to target third-party application and OAuth flows, which are token-based and rely on the security of the providing website. Actors will try to get you to authorise your trusted account with their third-party site, to obtain information and tokens, and potentially to obtain modification and account administration privileges. You may have not used a password and only used your security key with the official site, but another site, one that is malign, has convinced you to authorise a connection with the official site.
  • Even if an age of truly zero passwords arrives, phishing and social engineering will still be a threat, so knowing that you are on a legitimate and official website will still be important. Bad actors will evolve their techniques, and methods will emerge like multi-level and multi-actor social engineering to try to extract personal information from you and use it against you with platforms and staff from the official service.
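What "cryptographically bound to the website identity" means in practice is that the browser, not the page, writes the origin into the signed client data, and the authenticator hashes the relying-party ID it was actually used from. The following is an added example, not code from the original article: it builds constructed WebAuthn assertion fields and shows the binding checks a relying party performs before verifying the signature over authenticatorData || SHA-256(clientDataJSON); signature verification itself needs the registered public key and is omitted. The origin and RP ID values are assumed.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for the clientDataJSON the browser builds. The browser
    # fills in the origin, so a lookalike site cannot claim the genuine one.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode("utf-8")

def make_authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    # Constructed stand-in for authenticatorData: rpIdHash (32 bytes), flags, counter.
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))

def verify_binding(client_data_json: bytes, authenticator_data: bytes,
                   expected_origin: str, expected_rp_id: str, expected_challenge: bytes):
    # Relying-party checks that tie the assertion to this site and this login attempt.
    client = json.loads(client_data_json)
    checks = {
        "type": client.get("type") == "webauthn.get",
        "challenge": b64url_decode(client.get("challenge", "")) == expected_challenge,
        "origin": client.get("origin") == expected_origin,
        "rp_id_hash": authenticator_data[:32]
                      == hashlib.sha256(expected_rp_id.encode("utf-8")).digest(),
        "user_present": len(authenticator_data) > 32 and bool(authenticator_data[32] & 0x01),
    }
    return all(checks.values()), checks

if __name__ == "__main__":
    challenge = b"constructed-challenge-from-the-relying-party"
    genuine = verify_binding(make_client_data("https://login.example.com", challenge),
                             make_authenticator_data("example.com"),
                             "https://login.example.com", "example.com", challenge)
    lookalike = verify_binding(make_client_data("https://login-example.com", challenge),
                               make_authenticator_data("login-example.com"),
                               "https://login.example.com", "example.com", challenge)
    print("genuine:", genuine[0], "lookalike:", lookalike[0], lookalike[1])
```

The lookalike case fails on both origin and rpIdHash, which is why a key used on a phishing page yields nothing usable against the real site; the OAuth and account-recovery points above sidestep this binding rather than break it.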