Connect with us

Hi, what are you looking for?



Understand More About Phishing Techniques to Reduce Your Digital Risk

According to, the practice of phishing started around 1995. Nearly 25 years later, phishing is still used by attackers of all levels of sophistication.

According to, the practice of phishing started around 1995. Nearly 25 years later, phishing is still used by attackers of all levels of sophistication. The 2018 Verizon Data Breach Investigations Report (VDBIR) ranks it as the third most common technique used in incidents and confirmed breaches and finds that 70 percent of breaches associated with nation-state or state-affiliated actors involved phishing. However, even low-level hackers are using phishing with success thanks to a rich ecosystem of threat actors on cybercriminal forums and messaging applications sharing tips and tools. 

Here are just a few examples of the techniques this wide swath of actors can choose from when executing their phishing campaigns.

Social media: The Sony Pictures Entertainment attack, the Bangladesh bank heist and the WannaCry outbreak all involved highly proficient, state-backed attackers using a variety of pretexts to convince targets to click on the link in their phishing emails. Pretexting involves masquerading as another entity to obtain the information desired from the target. In these campaigns, the phishing emails appeared to be official notification emails from Facebook or Google and the attackers also sent messages directly through social media sites like LinkedIn.

Expert assistance: Less sophisticated threat actors have access to a wide variety of forums and groups where they can learn the latest phishing techniques, as well as purchase step-by-step tutorials and phishing templates to conduct their own campaigns. Novices don’t even have to venture into the dark web to get access to these illicit tools – they are readily available on the surface web on well-known sites. 

Spoofing: Individuals are more likely to open an email when they believe it is from a legitimate sender, so attackers often choose to spoof or forge the email header in their messages to increase their chances of success. Spoofing is often used in Business Email Compromise (BEC) and can be quite convincing, as evidence by the fact that BEC and Email Account Compromise have cost organizations billions of dollars in losses over the last five years. Tutorials on spoofing techniques include everything from how to create, compromise or find a Simple Mail Transfer Protocol (SMTP) server from which to send the spoofed emails, to how to prevent emails from ending up in spam folders or the hosting IP from ending up on blacklists.

Cloning websites: More sophisticated actors tend to use platforms such as Metasploit or Social Engineering Toolkit (SET) to create a clone of a legitimate website and an impersonating URL. For aspiring phishers, a website cloning or mirroring service known as XDAN CopySite makes it easy. All they need to do is enter the domain of the website they want to clone, and within seconds they have a static version of the site – enough to be convincing at first glance. Phishers will then host the html file, or series of files, on a website using an acquired domain. Sophisticated actors also have a few shortcuts available. For example, Metasploit includes a credential harvesting script and will even host the web server for the attacker. 

While barriers to entry continue to fall and techniques become more advanced, individuals are not taking the bait as frequently. The 2018 VDBIR says on average only four percent of people in any given phishing campaign will click. Still, attackers need only one person to click to accomplish their mission.

So, what can organizations do to further mitigate their digital risk from phishing attacks? These five steps can help:

Advertisement. Scroll to continue reading.

1. Limit what information your organization and its employees share online, including on social media sites such as Facebook and LinkedIn. The most successful phishers will perform detailed reconnaissance on targets, so they can craft the most effective emails and social engineering lures.

2. Monitor for registrations of typo- or domain-squats that can be used by attackers to impersonate your brand, send spoof emails and host phishing pages.

3. Implement additional security measures such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC) and DomainKeys Identified Mail (DKIM). These can make the spoofing of your domain more difficult.

4. Protect your accounts in case phishers do manage to steal user credentials. Two-factor authentication measures should be mandated across the organization and implemented wherever possible.

5. Train your employees how to spot phishing emails and alert security teams to suspected phishing attempts. Eventually, a phishing email will fall through the net. Employees need to know how to report these quickly without fear of repercussions of being the victim of a social engineering attack.

Although phishing is now in its third decade, organizations must remain vigilant. Threat actors rely on tried and trusted methods; as long as there is even a four percent chance that phishing techniques will be successful, they will continue to use them. Furthermore, with little to no learning curve, we can expect more threat actors will jump on board. Fortunately, by continuing to prioritize the right controls and training policies, organizations can reduce their chances of being reeled in.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...


The Single Most Important Part of Dealing with a Phishing Attack is Preparing for the Attack Before it Actually Happens.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...