Mastering Fraud Solution Implementation - Importance of Leadership and Unified Priorities
31.07.2024
Phishing is one of the oldest techniques of cybercrime - it first showed up in 1995. Every day, millions of people are targeted by phishing attacks. Losses incurred due to phishing run into billions of US dollars, and despite how old phishing is, thanks to its ever-evolving nature, its impact keeps growing year over year [1].
While in 2006 we recorded 100K phishing domains in a single year for the first time, in August 2020 we recorded the same number of new phishing domains in just one month.
In the early days, phishing attacks were mainly deployed in the so-called "spray and pray" fashion: the attacker generates thousands of identical e-mail messages, distributes them to potential victims, and waits for those who fall for the lure. The initial primary attack vector was email, since there is practically no cost to automate and generate thousands of these emails when needed.
While these techniques are still heavily used even today, more advanced techniques have appeared (big thanks to social networks, where people publicly share many details of their lives). These entail customized attacks targeting a group (spear-phishing, for example aiming at employees in the finance department) or even a single person (whaling, e.g., targeting C-level executives or upper managers). In these messages, the content is adjusted and personalized to improve the perception of authenticity and increase the chance of success. Publicly available information aids the attacker in gathering relevant knowledge about the potential victim; one example of this form of attack is the infamous Business Email Compromise (BEC).
BEC was the cybercrime causing the highest losses across all categories [2]. BEC first appeared in the FBI IC3 report for 2014 with an attributed loss of $60M against ≈1500 victims; a year later, in 2015, the number of victims rose to ≈8000 and the losses to ≈250M USD. In 2018 the losses passed the 1B USD mark, with the actual figure being ≈1.3B USD and ≈20K victims. Since then, the number of victims has stayed around 20K, but the amount keeps growing: the losses were ≈1.8B USD in 2019, ≈1.9B USD in 2020, ≈2.4B USD in 2021, and more than 2.7B USD in the last year, 2022. These are horrific numbers. Only last year did investment scams take the number one spot from BEC, which had held that position since 2015.
One of the early adjustments that helped phishing websites appear genuine was the use of HTTPS. This results in a small padlock in the address bar, which misled visitors into believing the page is secure and authentic (the padlock only means the connection to that host is encrypted, not that the host is who it claims to be), and this, unfortunately, still works on potential victims in the same way today. That is also a reason why, since 2020, more than 80% of phishing sites use HTTPS [1].
In the last few years, we have also seen increased use of e-channels other than email for phishing attacks, more specifically voice and SMS. The first instances of voice phishing (vishing) and SMS phishing (smishing) date back to 2004. According to last year's FBI IC3 report, voice phishing caused losses of more than 800M USD, the majority of which (almost 600M USD) was linked to elderly (over 60 years old) victims [2].
Another, future-facing problem linked to vishing is the use of generative AI to mimic the voice of any selected individual whose voice sample can be obtained. There are already media reports of vishing cases in which the victim believed that he or she was speaking with a family member in distress [3].
Phishing has naturally moved beyond email and SMS to other communication platforms, some connected to social networks like Facebook Messenger, others standalone apps like Telegram, WhatsApp, and others. One of the most common types of attack perpetrated via social networks is the Confidence/Romance scam, which amounted to more than 700M USD in 2022 and impacted almost 20K victims.
Although the mimicking and spoofing of e-commerce companies (eBay, PayPal, etc.) started as early as 2003, today there are complete tools, phishing kits, which can generate the selected websites from templates (e.g., SocialPhish, ShellPhish, King-Phisher, Zphisher, and others).
Websites have registered domains, and these are designed as a hierarchy in which the highest level visible to users is the Top Level Domain (TLD). The most common TLD is [com]; you might also be familiar with a few other gTLDs like [net], [biz], and [org]. In early May this year, Google released 8 new TLDs: [dad], [phd], [prof], [esq], [foo], [nexus], [zip], and [mov]. The last two, [zip] and [mov], have been heavily criticized by the cyber security community because they coincide with common file extensions and can thus be weaponized by cybercriminals for phishing. And the critics were right: the first instances of these new domains were detected as early as the 13th of May, with [hxxp://microsoft-office.zip] followed a few days later by [hxxps://google-drive.zip], [hxxp://tax-return-2022.zip], and [hxxp://newdocument.zip].
Phishing attacks using phishing webpages deploy various techniques to hide or obfuscate the actual domain: from the use of Unicode characters that look similar or identical to ASCII characters, through the use of an IP address instead of a domain name, to typosquatting, where the attacker registers a domain that looks very similar to the one being imitated (e.g., amozon.com or microsofl.com). Another effective tool is the URL shortener (bit.ly, tinyurl.com, and many others), which hides the actual phishing domain behind an unreadable, hash-like code [4].
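As an added example (not code from the original post), here is a small Python checker that flags the domain-obfuscation tricks listed above (IP-literal hosts, Unicode/punycode hosts, typosquats, URL shorteners) together with the new [zip]/[mov] TLDs from the previous paragraph; the brand, shortener and TLD lists are constructed samples that a real deployment would replace with its own data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lists; a real deployment would load organisation-specific data.
PROTECTED_BRANDS = ("amazon.com", "microsoft.com", "paypal.com", "google.com")
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
WATCHED_TLDS = {"zip", "mov"}  # the two new gTLDs singled out in the post


def edit_distance(a, b):
    """Levenshtein distance; one edit is the classic typosquat (amozon, microsofl)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def url_risk_flags(url):
    """Return the obfuscation/lookalike indicators found in a URL; [] means none."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["no-host"]
    flags = []
    # 1. Bare IP address instead of a domain name
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass
    # 2. Non-ASCII labels (possible homoglyphs) or labels already punycode-encoded
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        flags.append("idn-host")
    # 3. Newly delegated TLDs that double as file extensions
    if host.rsplit(".", 1)[-1] in WATCHED_TLDS:
        flags.append("watched-tld")
    # 4. Shortener domain: the real destination is hidden behind an opaque code
    if host in KNOWN_SHORTENERS:
        flags.append("shortener")
    # 5. Brand lookalikes: brand name reused outside its own domain, or one edit away
    registrable = ".".join(host.split(".")[-2:])
    for brand in PROTECTED_BRANDS:
        if registrable == brand:
            continue
        if brand.split(".")[0] in host:
            flags.append("brand-lookalike:" + brand)
        if edit_distance(registrable, brand) == 1:
            flags.append("typosquat:" + brand)
    return flags
```

The defanged hxxp:// scheme used in the post is parsed like any other, so the checker can be run directly over threat-intel feeds that use it.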
Last but not least, another tool that helps hide the phishing domain is the QR code. QR codes are essentially a perfect weapon in the hands of a cybercriminal deploying a phishing attack, as they are unreadable by humans and, as such, extremely hard to spot or classify as suspicious. And recently, with a bit of help from generative AI, there are even artistically styled QR codes, which will surely be used for phishing attacks [5].
And here our journey ends. The above is not an exhaustive list of the changes and techniques used in phishing attacks; phishing is truly a phenomenon about which books can be written. But I believe the points above showcase the versatility and efficacy of the various phishing techniques and their evolution throughout the years.
Looking at the number of phishing victims, I wish for you never to fall victim to phishing, and I ask you to spread awareness, as that is one of the core countermeasures in the fight against it.
References:
[1] docs.apwg.org
[2] ic3.gov
[4] https://blog.knowbe4.com/new-tactic-shortened-linkedin-urls-are-now-used-as-phish-hooks
[5] https://mp.weixin.qq.com/s/i4WR5ULH1ZZYl8Watf3EPw
[5] qrbtf.com
[5] https://twitter.com/AlexAIDaily/status/1666902617446907905