Nick Kael, CTO at Ericom, discusses how phishing is gaining sophistication and what it means for businesses.

Hackers are upping their game, using an approach I call “Deep Sea Phishing”: combining the techniques described below to attack more aggressively. To keep pace, cybersecurity innovators have been working diligently to develop tools, techniques and resources to improve defenses. But how can organizations fight against evolving threats that have yet to be launched, or even conceived of?

For example, in February, 10,000 Microsoft users were targeted in a phishing campaign. The emails purported to be from FedEx, DHL Express and other couriers and contained links to phishing pages hosted on legitimate domains, with the goal of obtaining recipients’ work email credentials. The use of legitimate domains allowed the emails to evade security filters, and people’s pandemic-related reliance on delivery services and habituation to similar messages boosted success rates.

And in May, attackers launched a massive, sophisticated payment-themed phishing campaign. The phishing emails urged users to open an attached “payment advice” – which was, in fact, not an attachment at all but rather an image containing a link to a malicious domain. When a user opened it, Java-based STRRAT malware was downloaded onto the endpoint and, via a command-and-control (C2) server connection, ran backdoor functions such as collecting passwords from browsers, running remote commands and PowerShell, logging keystrokes and other criminal activity.
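The fake-attachment pattern described above can be checked for mechanically. The following is an added example, not code from the original article or from Ericom: a heuristic that flags a message whose text mentions an attachment while it carries no attachment part and instead wraps an image in a link. The lure word list, the function and class names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LURE_WORDS = ("attached", "attachment", "payment advice")  # assumed lure vocabulary

class LinkedImageFinder(HTMLParser):
    """Collect the href of every <a> element that wraps an <img>."""
    def __init__(self):
        super().__init__()
        self._open_hrefs = []      # hrefs of the <a> elements currently open
        self.linked_images = []    # hrefs that enclose at least one image

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open_hrefs.append(dict(attrs).get("href") or "")
        elif tag == "img" and self._open_hrefs and self._open_hrefs[-1]:
            self.linked_images.append(self._open_hrefs[-1])

    def handle_endtag(self, tag):
        if tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

def fake_attachment_hosts(raw_message):
    """Return hosts linked from clickable images in a message that talks about
    an attachment but has no part with Content-Disposition: attachment."""
    msg = message_from_string(raw_message, policy=policy.default)
    if any(part.is_attachment() for part in msg.walk()):
        return []                  # a real attachment exists; not this pattern
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []                  # no HTML body, so no clickable image
    html = body.get_content()
    claims = f"{msg['subject'] or ''} {html}".lower()
    if not any(word in claims for word in LURE_WORDS):
        return []
    finder = LinkedImageFinder()
    finder.feed(html)
    hosts = {urlparse(href).hostname for href in finder.linked_images}
    return sorted(h for h in hosts if h)

# Constructed sample message (reserved example domains, not real campaign data).
SAMPLE = """\
From: billing@example.test
Subject: Payment advice attached
Content-Type: text/html; charset="utf-8"

<p>Please see the attached payment advice.</p>
<a href="https://files.example.invalid/view"><img src="icon.png" alt="advice.pdf"></a>
"""
```

A hit is a triage signal rather than a verdict: the returned hosts are what an analyst or mail gateway would then check against reputation data.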

Phishing is no longer the basement-brewed, small-scale nuisance of cyber lore, either. Today, nearly 70 percent of cyberattacks – like those cited above – are orchestrated by organized crime or nation-state affiliated actors. With many recovery tabs running into the millions, organizations need a solution that can safeguard them from attacks that have not yet been engineered, i.e., zero-day attacks that can cause the most damage.

But before we tackle the issue of defense, let’s first take a look at just what we’re defending against. The types of phishing tactics noted below are listed in ascending order of sophistication.

Types of Phishing