Phishing is a long-standing social engineering technique used by cybercriminals to trick people into giving up sensitive information (e.g., credit card details, login credentials, phone numbers, addresses, etc.) for financial gain. The victim is often unaware that their information has been compromised, since they never knowingly gave consent or approval for it to be taken. According to the Anti-Phishing Working Group (APWG) reports, in Q4 of 2022 the number of phishing attacks worldwide set a record of over 4.7 million attacks. That translates to a growth rate of more than 150% per year since 2019, with the financial sector the most targeted.
Attackers use electronic channels to distribute persuasive text and images that earn the victim’s trust by convincing them the communication is legitimate. This kind of scam comes in many forms, including telephone phishing, smishing (SMS phishing), phishing emails, and phishing websites.
A common way to approach potential victims is by delivering legitimate-looking phishing links (URLs) via email that lead to malicious websites. Even messages sent on social networking sites and apps, like Facebook, WhatsApp, and Instagram, may contain phishing links, along with a reason to click on them, all the while claiming the link will take the user to the official page of something they recognize. In addition, it’s also common to find malicious links among benign ones in search engine results.
It’s important to note that malicious links can look very similar to the actual URL the attackers are attempting to impersonate. A common example of such a phishing URL is www.faceb00k.com, a camouflaged version of the real www.facebook.com. The near-identical appearance of URLs opens another security gap that attackers can exploit: users can mistype letters when they enter a URL address in their internet browser, and attackers can register these nearly identical domains and host a phishing website on them. In the wild, we also find phishing URLs that look completely different from the real one because they are shortened versions of very long URLs, like the ones generated by the Google URL shortener.
Phishing websites can be hard to identify. Hoping to trick victims into giving up personal information, many sites look convincingly like the ones they’re imitating. In some cases, fake websites are poorly constructed by attackers, and it’s evident that the page looks distorted, like a poorly rendered version of the original, or that there are unexpected elements on the page (page footers, menus, or panels). There could also be textual elements with mismatched typography and/or language.
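The look-alike URLs described above (digit-for-letter swaps such as faceb00k.com, single-character typos, and a brand name hidden in a subdomain) can be flagged automatically. The following is an added example written for this article, not code from the author or from GEN; the protected-brand list and the homoglyph table are constructed assumptions, and the registrable-domain helper is a simplification that a real deployment would replace with a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Brands a defender wants to protect. Constructed list for this example
# (assumption); a real deployment would load it from configuration.
PROTECTED_DOMAINS = ["facebook.com", "paypal.com", "google.com"]

# Characters and digraphs commonly swapped for look-alike letters in phishing
# hostnames. Constructed, deliberately small mapping; real detectors also use
# Unicode confusable tables.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
}


def normalize_host(host: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname.

    Simplification (assumption): production code should use the Public
    Suffix List so that names such as 'example.co.uk' are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-typo domains such as facebok.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple:
    """Return (verdict, registrable_domain, impersonated_brand_or_None).

    Verdicts: 'legitimate' (host is under a protected domain), 'lookalike'
    (homoglyph or near-typo of a protected brand), 'brand-in-subdomain'
    (brand name used as a subdomain label of an unrelated domain), 'unknown'.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return ("legitimate", reg, None)

    norm_label = registrable_domain(normalize_host(host)).split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if norm_label == brand_label:
            return ("lookalike", reg, brand)
        # Allow up to two edits only for brand names long enough to avoid random hits.
        if len(brand_label) >= 5 and levenshtein(norm_label, brand_label) <= 2:
            return ("lookalike", reg, brand)
        if brand_label in subdomain_labels:
            return ("brand-in-subdomain", reg, brand)
    return ("unknown", reg, None)


if __name__ == "__main__":
    for sample in ["https://www.facebook.com/login", "www.faceb00k.com",
                   "http://facebok.com", "https://paypa1.com",
                   "facebook.com.secure-login.example", "https://example.org"]:
        print(sample, "->", classify_url(sample))
```

The check is deliberately layered: an exact match against the protected list comes first so that real subdomains such as login.facebook.com are never flagged, and only then are the homoglyph fold, the edit-distance test and the subdomain test applied to the remainder. Shortened URLs, which the paragraph also mentions, cannot be judged this way because the visible host carries no brand at all; those have to be expanded first.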
Nevertheless, since most of the source code of any webpage is accessible through an internet browser, it’s fairly easy to create phishing webpages that look identical to the legitimate ones, which makes identifying a malicious page, via a visual assessment or “user intuition,” very challenging to do accurately.
Phishing emails are typically less successful thanks to advances in classifying them as spam. However, some phishing emails and links still manage to slip into inboxes, and attackers are becoming more and more creative in the way they distribute malicious URLs. For instance, scammers can share them during phone calls, or by sending large numbers of SMS messages, tricks aimed at specific groups of people. Methods range from posting malicious URLs in videos of popular YouTubers to deceptive authentication apps that show the user a QR code leading to a phishing site with a credential stealer. Below you can find two examples of recent phishing campaigns.
Phishing continues to be a leading attack method because it allows cybercriminals to target people at scale. Usually, they distribute phishing scams under the pretense of being representatives from major companies where the intended targets have accounts. Banks, governmental institutions, e-shops, e-mail service providers, and telecommunication companies are the most attractive businesses for phishing attacks — due to their high number of clients and the sensitive data involved.
Some modern phishing websites are reasonably easy to spot in the wild due to their evident differences from legitimate sites. Nowadays, cybercriminals use toolkits to create phishing pages in a short time, without any expert knowledge of website construction. Below you can find an example of such an attack, where visual differences reveal that the site is fake.
In the Facebook login pages shown above, we can see several changes that lead us to doubt the authenticity of the website: a bigger logo, typographic differences, the absence of the footer text, and the “Create new account” button in a slightly different green tone, among others.
Nevertheless, there are extremely deceptive phishing sites. In those cases, attackers put a lot of effort into making them look like the real thing. In the examples below, you can see how similar a phishing site looks compared to its authentic counterpart.
In the login pages shown above, we can spot small details that differentiate the phishing site from the actual login page. The phishing version is a near duplicate of the original, where the changes are intentionally subtle and discreet so that they go unnoticed by the victim, e.g., the footer text has a different alignment, elements are missing from it, or they are not displayed correctly.
Phishing sites have greatly evolved over the years to become convincing counterfeits. Some even use HTTPS, giving users a false sense of security when they see the green padlock.
The minor flaws in a phishing website might appear obvious when positioned alongside a legitimate page, but not so noticeable alone. But think about the last time you saw the login page for a service you frequently use. Chances are, you’ll struggle to recall all the details, which is exactly what phishing scammers are hoping for when they design their pages.
Historically, the most common way to spread phishing websites has been via phishing emails, but they’re also spread via paid advertisements that appear in search results. Other attack vectors include a technique called clickbait. Cybercriminals typically use clickbait on social media by promising something, such as a free phone, to encourage users to click on malicious links.
Like nearly all modern cyberattacks, phishing is used for financial gain. When users give up login credentials to a phishing site, cybercriminals can abuse them in several different ways, depending on the type of site used to phish. Many phishing attacks imitate financial institutions, such as banks or companies like PayPal, and aim to yield significant financial rewards for cybercriminals.
If a cybercriminal tricks a user into giving up their credentials to a shipping website, such as UPS or FedEx, they’re unlikely to profit from accessing the account. Instead, they may try to use the same credentials to access other accounts with more valuable information, such as an email account, knowing that people often use the same passwords across multiple services. Another way for cybercriminals to profit would be to sell the stolen credentials on the dark web, a deeper part of the internet where private networks do business anonymously without disclosing identity information.
This is a “spray and pray” attack method. Many outdated WordPress sites on the web can be hacked and used for phishing campaigns at a very low cost. Generally, the price to deploy a phishing kit is approximately $25, making it very affordable and still profitable for the attackers. Another property of phishing that works against potential victims is that the attacks have a short time to live (TTL): URLs frequently change within a single campaign, which makes standard detection methods, such as blocklists of suspicious URLs, ineffective against zero-day attacks.
The time between a successful phishing attack, when the cybercriminal acquires the credentials, and the moment they use them often varies. The quicker we’re able to mitigate the threat, the more potential victims we’re able to protect. Once a user’s credentials are stolen, there’s not much they can do other than change those credentials as soon as possible.
In 2024, cybersecurity researchers found evidence of new techniques to bypass various spam filters, even the best ones, such as Google’s. For example, attachments are sent as PDF files that contain no text but redirect users to other Google services, such as Google Docs. In addition, other non-standard phishing attachments are used, such as calendar invitations, where URLs linking to phishing sites are included in the event description.
Below is a checklist to help prevent you from falling victim to one of the most successful forms of cyberattack:
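Calendar invitations carry their text in iCalendar (.ics) properties such as DESCRIPTION, and a URL placed there can be split across folded lines, so a plain text search of the attachment may miss it. The following is an added example for this article, not code from the author or from GEN: it unfolds the invitation, strips property parameters, pulls URLs out of the link-bearing properties and reports any whose host is not on a trusted list. The sample invitation, the trusted-host set and the `.test` domain are constructed for the example and are not artifacts from any real campaign.

```python
import re
from urllib.parse import urlsplit

# Constructed sample invitation (not an artifact from any real campaign). The
# DESCRIPTION value is folded across two physical lines, as RFC 5545 allows, so
# the URL is only visible once the lines are unfolded. ".test" is a reserved
# placeholder domain.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:constructed-1@example.invalid\r\n"
    "SUMMARY:Account verification required\r\n"
    "DESCRIPTION;LANGUAGE=en:Your mailbox will be suspended. Confirm at https://accounts-v\r\n"
    " erify.example-phish.test/login?u=victim\\, thank you.\r\n"
    "URL:https://calendar.google.com/\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Properties in which a sender can put free text or links in front of the user.
LINK_BEARING_PROPERTIES = {"DESCRIPTION", "LOCATION", "URL", "COMMENT", "X-ALT-DESC"}

# Hosts the organisation considers legitimate in invitations (assumption).
TRUSTED_HOSTS = {"calendar.google.com"}

# Stop at whitespace, quotes, angle brackets and the backslash that starts an
# iCalendar escape sequence such as "\," or "\n".
URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")


def unfold(ics_text: str) -> str:
    """Join continuation lines: a line break followed by a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", ics_text)


def content_lines(ics_text: str):
    """Yield (property_name, value) pairs, dropping property parameters."""
    for line in unfold(ics_text).splitlines():
        if not line:
            continue
        name, _, value = line.partition(":")
        yield name.split(";")[0].upper(), value


def extract_urls(ics_text: str) -> list:
    """All URLs found in link-bearing properties, as (property, url) pairs."""
    found = []
    for name, value in content_lines(ics_text):
        if name in LINK_BEARING_PROPERTIES:
            found.extend((name, m.group(0)) for m in URL_RE.finditer(value))
    return found


def suspicious_urls(ics_text: str) -> list:
    """URLs whose host is not on the trusted list."""
    return [(prop, url) for prop, url in extract_urls(ics_text)
            if (urlsplit(url).hostname or "") not in TRUSTED_HOSTS]


if __name__ == "__main__":
    for prop, url in suspicious_urls(SAMPLE_ICS):
        print(f"untrusted link in {prop}: {url}")
```

Unfolding before matching is the important step: without it the regex sees only `https://accounts-v` on the first physical line and the rest of the hostname on the next. The trusted-host comparison uses the parsed hostname rather than a substring match, so a URL like `https://calendar.google.com.example-phish.test/` is not waved through just because a trusted name appears inside it.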
Author: Javier Aldana Iuit, PhD. AI/ML Researcher of Visual Phishing and Scam Cyber-threats Detection, GEN