Ruslan Rakhmetov, Security Vision
Classical cybersecurity has long been built on the principle of layered defense, much like a medieval fortress: to reach the royal treasure, attackers first had to cross a water-filled moat, climb an earthen rampart and high walls, and finally break open the door to the treasury. But the castle's entire multi-level defense is useless if one of its inhabitants, accidentally or with malicious intent, opens the main gate and lets the enemy inside. In the next two articles we will discuss phishing, a popular way of carrying out cyber attacks in which an unsuspecting user, by clicking a seemingly harmless link in an incoming e-mail, becomes an involuntary accomplice in the attack. Today is the first part of the phishing story, here we go!
In one of the previous articles, we talked about social engineering, one of the most effective and simplest cyberattack vectors used by cybercriminals and scammers against companies and individuals. The main ways of putting social engineering into practice are the various forms of phishing (the word is a deliberate distortion of "fishing": the attacker "fishes" for data from the victim):
1) Mail phishing (e-mail phishing): the most common type of phishing, in which an e-mail is sent containing a link to a website or an attachment. Guided by social engineering methods, attackers manipulate social norms, cognitive biases and other features of the human psyche: the text of a phishing letter may contain threats, an urgent request, or something to arouse the victim's interest. The sender purports to be a manager, a colleague, an employee of a government or banking institution, or technical support, all in order to provoke fear, trust or curiosity in the victim.
If the user opens the file attached to the phishing e-mail (for example, an "urgent request from the tax office"), a malware infection follows; for plausibility, the victim may still be shown some innocuous decoy document.
If the user follows the link from the phishing e-mail, several outcomes are possible:
· The victim lands on a fake web page with a form for entering a login and password (which immediately "leak" to the attackers);
· The user's browser is hit by an exploit kit (a set of exploits for different versions of different browsers; a drive-by attack), which can lead to malware infection of the whole device;
· A web attack (for example, XSS or CSRF) is carried out against a website through the user's browser;
· The user's browser automatically downloads a file which, according to the "instructions" on the phishing web page, must be opened, leading to malware infection.
Mail phishing has a number of varieties:
1.1) Targeted phishing (spear phishing): a carefully planned attack preceded by reconnaissance of the company and of the victim employee's position, circle of contacts and interests, the registration of a domain whose spelling mimics a legitimate one, the creation of a convincing phishing website, and careful crafting of the letter's subject and text around current events and context. For example, a targeted phishing message might purport to come from the tax office where the organization is actually registered, be sent on the eve of the close of the tax period, and use the name and position of a real tax inspector in the signature.
1.2) Whaling: a targeted attack on a top manager of a company or a senior official, distinguished by exceptional thoroughness and attention to detail. For example, it may be a fake e-mail to the chief operating officer purportedly from the owner of a partner company asking for internal information (say, a joint sales plan). Another example: a fake message from the chief executive instructing the accountant-treasurer to urgently transfer funds to the specified bank details; such an e-mail can be reinforced by a follow-up phone call, purportedly from the chief executive, using a deepfake.
1.3) Business Email Compromise (BEC): this attack is carried out either by hacking an existing e-mail account of a company employee, "wedging" into ongoing correspondence and writing "replies" to real old letters, or by creating a carefully prepared fake mail account from which a message is sent to a company employee. The result is most often a transfer of money to the attackers' accounts (for example, via a forged invoice with false bank details) or the attackers obtaining confidential data and documents.
According to the MITRE ATT&CK classification, phishing is used in three tactics:
- Reconnaissance: phishing is used to collect data needed to prepare an attack, for example credentials (logins, passwords, MFA codes, cookies, access tokens, etc.) and useful information (such as system configuration data or details of the security tools in use);
- Initial Access: phishing is used to infect user devices in the targeted infrastructure, for example by installing backdoors, various RATs (Remote Access Trojans) or legitimate remote administration programs (AmmyyAdmin, TeamViewer, AnyDesk, etc.) specially reconfigured for unauthorized remote access;
- Lateral Movement: Internal Spearphishing is used after a device or e-mail account in the targeted infrastructure has been compromised, in order to develop the attack by sending messages to colleagues or partner companies; because of the greater trust placed in colleagues in a "secure" working environment, such follow-on phishing is more likely to succeed.
Despite users' good awareness of the phishing threat, according to the Verizon 2025 Data Breach Investigations Report, phishing firmly holds third place among attackers' initial access vectors. In addition, attackers often exploit employees' habit of checking personal mail on a work PC: by sending a phishing message during working hours, attackers get a chance to infect the infrastructure of the entire company.
2) Smishing (SMS phishing, i.e. phishing via SMS and messaging applications): attackers often try to compromise the victim's personal or work mobile device by sending phishing messages via SMS or through mobile applications (WhatsApp, Telegram, Signal, FaceTime, etc.). SMS phishing was popular in the 2010s and was convenient for attackers because the sender's number of an SMS message could be faked: special services and marketing systems allow an arbitrary combination of letters and digits in the sender field, making it possible to specify any phone number and imitate a message from a friend. In addition, some smartphone models display link previews by default and open files received in SMS/MMS messages, which makes the attacker's job easier. However, mobile operators' filtering of SMS/MMS traffic has reduced the effectiveness of this technique. Most often, attackers now send phishing messages through mobile messaging applications, whose traffic encryption reduces the effectiveness of network security tools and whose rich functionality lets attackers find new vulnerabilities and attack vectors. In messaging apps anyone can set an arbitrary avatar and display name, which cyber fraudsters often use when calling supposedly from the "boss" or "from the bank."
By analogy with mail phishing, smishing can be used for reconnaissance (luring out credentials and information), for initial access (for example, if the targeted smartphone is connected to the company's Wi-Fi network), and for lateral movement, i.e. developing the attack: for example, after "hijacking" a Telegram account, fraudsters can analyze the user's correspondence and use previously sent voice and video messages to build a deepfake "story" about a difficult life situation, then ask the victim's friends for financial help to the specified bank details.
3) Vishing (voice phishing): attackers use phone calls over the cellular network, VoIP and instant messengers to extract information or induce some action. Number spoofing and voice and video deepfake technologies allow fraudsters to impersonate anyone. Vishing can be used for reconnaissance and for lateral movement: by calling the company's office and claiming to have "reached the wrong person," an attacker can politely ask an employee to transfer the call to the intended victim, who, on answering, sees a colleague's extension number on the desk phone display rather than the fraudster's original external number.
4) Quishing (QR phishing): these attacks involve sending phishing messages containing QR codes that lead to fraudulent or malicious sites. A QR code can hold text (up to 4296 alphanumeric characters) or binary data (2953 bytes), but most often it contains a link using one of various protocols or URI schemes. In quishing attacks, victims receive phishing e-mails in which the usual text phishing links are replaced by QR codes leading to malicious or fraudulent resources. To bypass mail security solutions that detect images containing QR codes, attackers can render the QR code with special Unicode characters. In addition, QR codes placed or pasted in public places or on Internet resources can be used to direct users to fraudulent resources or to carry out attacks such as QRLJacking.
Other types of web attacks also make use of social engineering techniques:
5) Watering hole attack: hackers compromise sites popular with their target audience (for example, web resources for accountants, lawyers or HR officers) and place on them forms for entering credentials (supposedly to register for an industry conference), malware (disguised as a browser update), malicious JavaScript, or browser exploit kits.
6) SEO poisoning: attackers boost the ranking of a malicious site in search engine results so that the fraudulent resource appears prominently for keyword searches. As a result, users looking for legitimate software or an online store inadvertently end up on a malicious site, trusting its search ranking.
7) Malvertising ("malicious advertising"): attackers buy contextual advertising, which lets them display a fraudulent resource prominently in a search engine or on popular sites. As a result, users looking for legitimate software or an online store inadvertently end up on a malicious site, trusting the advertisement. In addition, attackers can compromise an entire advertising network and replace all harmless legitimate ads with malicious ones, for example urging the user to "update a browser plugin." Similarly, even on popular sites, notices may appear claiming that the user's device is infected and will soon fail, so the user must urgently contact a "technical support operator" (the "fake technical support" scam).
8) Typosquatting or URL hijacking: attackers register domains whose spelling resembles legitimate web resources and host malicious content on them, expecting that some percentage of Internet users will mistype a domain in the browser's address bar and land on such a malicious site.
9) Pharming (a blend of phishing and farming): redirecting users to malicious sites by tampering with DNS resolution (for example, by modifying the hosts file, spoofing the DNS server, or poisoning the DNS resolver cache).
10) Clickjacking: attackers overlay invisible elements on a site so that the user unknowingly clicks malicious links or does not see the address of the site that actually displays the data entry form. In this way, for example, a login/password form can be faked or the user can be tricked into accidentally pressing a "Transfer money" button.
11) Cryptojacking: attackers place JavaScript code on a site that mines cryptocurrency in the user's browser for as long as the user stays on the infected site.
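Lookalike domains appear twice above: in targeted phishing (1.1), where a domain mimicking a legitimate one is registered, and in typosquatting (8). As an added illustration that is not part of the original article, the following Python script checks observed or newly registered domains against a protected list and reports which legitimate domain each one imitates, covering homoglyph substitution, TLD swaps, single-character typos and brand-plus-keyword combinations. The protected domains and confusable pairs are constructed assumptions.

```python
from typing import Optional

# Constructed list of domains the organisation wants to protect (example values).
PROTECTED = ("goodsite.com", "examplebank.com")

# Visually confusable sequences commonly used in lookalike registrations.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def sld(domain: str) -> str:
    """Second-level label: 'login.goodsite-secure.com' -> 'goodsite-secure'.
    (Multi-part public suffixes such as co.uk are not handled here.)"""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold confusable sequences so 'rn' == 'm', '0' == 'o', and drop hyphens."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the protected domain this one imitates, or None if it is genuine or unrelated."""
    if domain.lower().rstrip(".") in PROTECTED:
        return None  # the genuine domain itself
    cand = normalize(sld(domain))
    for good in PROTECTED:
        good_sld = normalize(sld(good))
        if cand == good_sld:
            return good  # same label after folding: TLD swap, homoglyph or hyphen variant
        if len(good_sld) >= 5 and good_sld in cand:
            return good  # brand embedded with extra words, e.g. goodsite-login.com
        if levenshtein(cand, good_sld) <= 1:
            return good  # one omitted, added or substituted character
    return None
```

In practice the protected list would be fed from the organisation's own brands and the candidates from certificate transparency logs or new-domain feeds.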
12) Open redirect: a legitimate website may contain a vulnerability that allows attackers to craft links such as https://www[.]goodsite[.]com/url?q=https://www[.]badsite[.]com that redirect users to a malicious site. URL validation systems see only the legitimate domain and do not block such a link.
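The open-redirect problem described above is that a filter which looks only at the outer host passes the link. As an added example that is not part of the original article, the following Python check also inspects query parameter values for embedded absolute or scheme-relative URLs (after percent-decoding) and flags links whose outer host is trusted but whose embedded target is not. The trusted-host list and the goodsite/badsite names are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed allowlist of the organisation's own hosts (example values).
TRUSTED_HOSTS = {"www.goodsite.com", "goodsite.com"}


def _host_of(url: str) -> Optional[str]:
    """Lowercase hostname of an absolute http(s) or scheme-relative (//host) URL, else None."""
    url = url.strip()
    if url.startswith("//"):
        url = "https:" + url  # scheme-relative links still redirect off-site
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def embedded_redirect_targets(url: str) -> List[str]:
    """Hosts of URLs carried inside query parameters, e.g. /url?q=https://..."""
    targets = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl already decodes once; a second unquote catches double-encoded targets
        host = _host_of(unquote(value))
        if host:
            targets.append(host)
    return targets


def classify_link(url: str) -> str:
    """'untrusted' if the outer host is foreign, 'open-redirect' if the outer host is ours
    but a parameter points elsewhere, otherwise 'trusted'."""
    outer = _host_of(url)
    if outer not in TRUSTED_HOSTS:
        return "untrusted"
    for host in embedded_redirect_targets(url):
        if host not in TRUSTED_HOSTS:
            return "open-redirect"
    return "trusted"
```

A mail gateway or link-rewriting proxy would treat "open-redirect" results the same way as an untrusted link, rather than trusting the outer domain alone.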
13) Phishing through social networks (angler phishing): victims post messages describing a problem or asking for help in the social media groups of banks, telecom operators or retailers, but it is scammers who read the message and contact them while impersonating a company representative. As a result, the user may install malicious applications "to solve a technical problem," transfer money, or hand over personal data to a fraudster. Social networks are also actively used by scammers to collect preliminary information about the victim: for example, a profile of an attractive young woman is created that sends friend requests to all male employees of various IT companies; the ensuing correspondence may lead a young IT specialist, his guard lowered, to follow a link sent by the new "friend" during working hours from an office PC.
14) Phishing through man-in-the-middle attacks: various man-in-the-middle attacks can also lead to phishing; for example, using sniffing and wiretapping, an attacker can tamper with traffic to legitimate websites, inject malicious scripts into their pages, and steal credentials through fake input forms.