In the first blog post in this four part series, we explored the ten most common email phishing tactics and what makes each of them unique and challenging threats. For part two, we explore both legacy and trending phishing techniques targeting businesses of all sizes, as well as governments, nonprofits and individuals across the globe.

Let me first begin by explaining the difference between an email phishing tactic and an email phishing technique as we see it. In truth, tactics and techniques are often talked about interchangeably, as the distinction between them is small and rather unimportant most of the time. But for the purposes of this analysis, we consider techniques as extensions or variations of a tactic.

For example, business email compromise (which we will talk more about later in this article) is ultimately a spear-phishing technique. BEC attacks fit within the definition of spear-phishing, but have distinctive elements, such as the absence of a malicious payload, that make it unalike from what is commonly recognized as a traditional spear-phishing attack.

While the number of phishing tactics can be counted on both hands, the number of phishing techniques is quite vast, and growing on a regular basis. That’s because attackers are always seeking out new methods to defeat both human and technical anti-phishing controls. This game of cat and mouse has been ongoing for nearly two decades, and adversaries’ relative success in bypassing email security protocols suggests that the evolution of phishing techniques is here to stay.

The 13 most common email phishing techniques

Business Email Compromise (BEC) – One of the most common and successful types of cybercrime, BEC attacks leverage socially engineered messages as a means to commit financial fraud. The goal is to trick email recipients into taking an action, such as wiring money, paying a bill or providing confidential credentials that can then be exploited for financial gain. Since BEC attacks typically do not leverage malicious URLs or malware attachments, they easily bypass signature-based prevention mechanisms, such as secure email gateways, and human controls. BEC attacks cost organizations nearly $1.8 billion in 2019, according to the FBI

• Domain Phishing – A type of spoofing email in which an attacker sends a malicious message from a fraudulent domain that is an exact match to the spoofed brand’s domain (Example: TimCook@apple.com). These messages are detectable by many anti-phishing technologies since the sender domain can be easily identified as false.
• Extortion – Extortion phishing scams leverage scare tactics, including blackmail, threats or coercion, to intimidate victims into paying a ransom or providing them with a specific service. These types of scams, which are increasing in frequency, often threaten to spread sensitive information such as private photos and videos (whether or not the attackers actually have this compromising info).
• Fake login pages – These nefarious, yet often highly realistic looking website pages, are an increasingly common technique deployed by attackers seeking to obtain a person’s login credentials to a legitimate website in order to harvest personal or company information and commence with illegal activity, such as credit card fraud, identity theft and more. Adversaries are able to bypass both human and technical controls by exploiting inattentional blindness. Last year we identified more than 200 major brands significantly impacted by fake login pages in the first half of the year.
• Hidden Text/Zero font ­– This technique implements hidden text with a font size of zero within a phishing email. Since a human reader cannot detect the zero-width characters, these malicious emails often appear legitimate to unsuspecting users. Invisible characters are also capable of bypassing legacy email security defenses, which is why the best way to defend against this type of attack is to turn to AI-powered email security tools that use natural language processing and computer vision to detect anomalies.
• Impersonation – A type of spoofing attack, with or without a payload, in which adversaries take on the persona of a colleague, vendor, partner, friend or family member in order to achieve a specific objective. Such attacks can be used for quick financial gains, or deployed as part of an advanced persistent threat (APT) in which reconnaissance is the main objective.
• Polymorphism – This phishing technique occurs when a malicious actor implements slight but significant changes to an email’s artifacts, such as its content, copy, subject line, sender name or template in conjunction with or after an initial attack has deployed. This strategic approach enables attackers to quickly develop phishing attacks that trick signature-based email security tools that were not built to recognize such modifications to threats. With the ease associated with the development and delivery of polymorphic attacks, it is no surprise that 42% of all phishing attacks are polymorphic.
• Smishing – Delivered via SMS, smishing text messages are phishing attack techniques containing malicious URLs that attempt to lure recipients into visiting risky websites, downloading malware onto their mobile devices or sharing login credentials. These text messages can sometimes appear to be from trusted senders, such as banks and online retailers, making them a real threat to people who are only accustomed to look for phishing attempts via email attacks.
• Spoofing – Email spoofing occurs when an attacker sends a malicious message with false sender address in an effort to steal personal information, infect computers with malware or leverage extortion to steal money. There are four primary types of spoofing attacks, including exact sender name impersonations (the most common), similar sender name impersonations, look alike/cousin domain spoofing and exact domain spoofs.
• Typosquatting – Also known as URL hijacking, typosquatting preys on inattentional blindness by leveraging small deviations in domain names to lure them into visiting malicious websites. These deviations include scrambled letters, wrong domain endings and other typographical errors that can easily lure victims to fake websites and fake login pages. Once lured, typosquatters have an easy opportunity to harvest personal and financial information to make quick money.
• Unicode Domain Phishing – As a result of the internationalization of the World Wide Web and the rise of internationalized domain names (IDNs), cybercriminals have the opportunity to exploit Unicode domains to make dangerous websites appear as safe and authentic. Unicode domain phishing replaces characters in the domain with similar characters from a foreign language, allowing the fraudulent website to bypass web browser protections and legacy email security tools.
• Vishing – This type of phishing attack technique tricks victims into giving up sensitive personal information over the phone, such as credit card numbers and passwords. By relying on social engineering to prey on human emotions such as greed or fear, unsuspecting victims can easily be duped into giving attackers exactly what they’re looking for. The FBI has reported that the vishing technique is increasing with great frequency.
• Whaling/VIP Impersonation – Directed at senior executives at mostly large corporations, Whaling/VIP Impersonation attacks are targeted spear-phishing campaigns aimed at tricking high-level executives and organizational leaders into sharing confidential or proprietary information that can be used for financial fraud and other forms of exploitation. According to our research, VIP impersonations penetrate SEGs about 20% of the time.

Phishing techniques add to the complexity of email security

If we are to revisit this blog in 12-18 months from now, it’s likely that we would be able to add another 2-3 trending techniques to the list, if not more. The reality is that phishing remains the number one driver of cyberattacks and so, as defenses ramp up, cybercriminals are already scheming their next moves.

Now that you know about all of the most important and problematic phishing tactics and techniques, we’ll begin to talk about risk mitigation in the third part of this blog series. Specifically, we’ll dive into the various email authentication standards and protocols and make it clear about the very specific roles these technical controls play in the email security ecosystem. For a sneak preview, check out our blog series on DMARC or download one of our recent reports.