Email phishing is by far one of the most prevalent forms of phishing. However, there are a number of lesser-known phishing techniques that are often overlooked or underestimated yet increasingly being employed by attackers. Let’s take a brief look at some of the main ones:
- SEO Poisoning
There are literally thousands of new phishing websites popping up every month, many of which are optimized for SEO (search engine optimization) for easy discovery by potential victims in search results. For example, if one searches for “download photoshop” or “paypal account” chances are they will encounter a fake lookalike website made to trick users into sharing data or accessing malicious content. Another lesser-known variant of this technique is hijacking a Google business listing. Scammers simply hijack the contact details from legitimate businesses on Google, leading unsuspecting victims to reach out under the pretext that they are communicating with an authorized representative.
- Paid Ad Scams
Paid ad scams are a popular technique with hackers and scammers. Attackers use display advertising, pay-per-click advertising, and social media advertising to promote their ads and target users, leading victims to visit malicious websites, download malicious applications or unwittingly share credentials. Some bad actors even go to the extent of embedding malware or a trojan inside these advertisements (a.k.a. malvertising) to phish users.
- Social Media Phishing
There are a number of ways threat actors target victims on popular social media platforms. They can create fake accounts, mimic trusted contacts, celebrities or politicians, in hopes of luring users to engage with their malicious content or messages. They can write comments on legitimate posts and encourage people to click on malicious links. They can float gaming and betting apps, surveys and quizzes, astrology and fortune-telling apps, finance and investment apps, and others, to collect private and sensitive information from users. They can send messages to direct users to login to malicious websites. They can create deepfakes to spread disinformation and sow confusion.
- QR Code Phishing
So-called “quishing” is the exploitation of QR codes. Scammers have discovered innovative ways to exploit this contactless technology. Attackers affix malicious QR codes on posters, menus, flyers, social media posts, fake deposit slips, event invitations, parking meters and other venues, tricking users into scanning them or making an online payment. Researchers have noted a 587% rise in quishing attacks over the past year.
- Mobile App Phishing
Mobile app phishing is a type of attack that targets victims through the use of mobile apps. Basically, scammers distribute or upload malicious applications on mobile app stores and wait for victims to download and use them. This can be anything from a legitimate-looking application to a copy-cat application that steals personal data or financial information; even potentially used for illegal surveillance. Researchers recently identified more than 90 malicious apps on Google Play that had over 5.5 million downloads.
- Call Back Phishing
As the name suggests, call back phishing is a social engineering technique whereby attackers encourage users to dial back to a fraudulent call center or a helpdesk. Although typical call back scams involve the use of email, there are a number of variants where attackers use devious ways to get people to call back. For example, attackers used Google forms to bypass phishing filters and deliver phishing messages to victims. When victims open these benign-looking forms, they see a phone number they’re supposed to call. Scammers are also known to send SMS messages to victims, or leave voicemail messages to encourage victims to call back.
- Cloud-based Phishing Attacks
As organizations increasingly rely on cloud-based storage and services, cybercriminals have begun exploiting the cloud to execute phishing and social engineering attacks. There are numerous examples of cloud-based attacks – attackers sending phishing messages to users on Microsoft Teams and Sharepoint, using Google Drawings to trick users into clicking malicious links; they exploit cloud storage services like Amazon and IBM to host websites containing spam URLs and distribute them via text messages, abusing Microsoft Sway to deliver phishing QR codes, etc.
- Content Injection Attacks
Software, devices, applications and websites commonly suffer from vulnerabilities. Attackers exploit these vulnerabilities to inject malicious content into code or content, manipulate users to share sensitive data, visit a malicious website, make a call-back request or download malware. For example, imagine a bad actor exploits a vulnerable website and updates hyperlinks in the “contact us” page. Once visitors complete the form, they encounter a message and follow-up actions that include links to a harmful download or present a phone number controlled by hackers. In the same manner, attackers utilize susceptible devices (such as IoT) to exploit their messaging and notification capabilities in order to send phishing messages to users.
The extent to which attackers engage in social engineering and target users is alarming. With the addition of AI tools to their arsenal, these attacks are expected to become more intense and sophisticated. Only by providing ongoing security training and implementing regular awareness programs can organizations develop the resilience needed to defend against these social engineering scams, ensuring that employees remain cautious and capable of protecting sensitive information, financial assets, and the reputation of the business.
