Phishing is a form of social engineering where threat actors send communications that appear legitimate to trick or motivate individuals into:
- revealing sensitive or personal information
- clicking on links that direct them to malicious websites
- downloading malicious attachments
- transferring money
Types of phishing
Phishing attempts are often generic mass messages that appear to be legitimate messages from a trusted source (for example, a bank, online retailer, courier service, or utility company). Threat actors often take advantage of crises, conflicts or world events to launch phishing attacks against individuals, financial institutions, governments and critical infrastructure sectors.
There are several types of phishing.
Deceptive phishing
Deceptive phishing is one of the most common types of attack and occurs when a cybercriminal pretends to be a legitimate company to steal your personal information or login credentials. The threat actor may send you a link to a fraudulent website that closely mimics an official site, using deliberate misspellings that look almost identical to a legitimate URL. Threat actors may also send a quick response (QR) code, which makes it more difficult for potential victims to spot the attack.
Common deceptive phishing techniques include:
- homograph exploits: threat actors use characters from different alphabets (for example, Cyrillic or Greek) that look almost identical to standard Latin letters but are coded differently, for example in “www.аррle.com” the “a” and “p” are from the Cyrillic alphabet, but look like their Latin counterparts
- typo squatting: threat actors register domain names that are common misspellings of well-known websites, exploiting typing errors so that potential victims are not always aware that they are on the wrong website
- legitimate-looking subdomains: threat actors take control of a subdomain that is no longer actively used by its legitimate owner or create subdomains that mimic legitimate ones (for example, “login.google.com.example.com” instead of “login.google.com”), often using names, logos or branding elements that are similar to legitimate ones
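The three lookalike tricks above can be checked mechanically when triaging a reported link. The following Python function is an added example written for this page, not code from the original page or from any product; the names TRUSTED, edit_distance, scripts_in and lookalike_findings are chosen here, and treating the last two labels as the registrable domain is an assumed simplification.

```python
import unicodedata

# Trusted domains to compare against; constructed for this example from the
# page's own apple.com and google.com, not a list from any real product.
TRUSTED = ("apple.com", "google.com")

def edit_distance(a, b):
    """Levenshtein distance, used to flag one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scripts_in(label):
    """Unicode scripts of the letters in one DNS label, e.g. {'CYRILLIC', 'LATIN'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def lookalike_findings(hostname, trusted=TRUSTED):
    """Return (kind, detail) pairs for the three deceptive-phishing tricks above:
    mixed-script homographs, brand-as-subdomain, and typosquats."""
    host = hostname.lower().rstrip(".")
    if host.isascii():
        # On the wire a homograph travels as punycode (xn--...); convert it back
        # to Unicode so the script check sees the actual characters.
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    labels = host.split(".")
    findings = []
    for label in labels:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(("mixed-script", f"{label!r} mixes {sorted(scripts)}"))
    # Simplification: treat the last two labels as the registrable domain
    # (a real check would consult the Public Suffix List).
    registrable = ".".join(labels[-2:])
    for t in trusted:
        if registrable == t:
            continue
        if host.startswith(t + ".") or ("." + t + ".") in host:
            findings.append(("brand-as-subdomain", f"{t} sits under {registrable}"))
        elif 0 < edit_distance(registrable, t) <= 2:
            findings.append(("possible-typosquat", f"{registrable} resembles {t}"))
    return findings
```

An empty result means none of the three patterns matched, not that the domain is safe.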
Spear phishing
Spear phishing is a personalized attack that targets a specific individual, company or organization. The message includes personal details about the potential victim, such as interests, recent online activities or purchases.
Whaling
Whaling is a personalized attack that targets a big “phish” like a CEO or executive. A threat actor chooses these targets because of their level of authority and possible access to more sensitive information or large amounts of money.
Quishing
Quishing is a phishing attack that uses QR codes. The threat actor may send a QR code via email, cover a legitimate QR code with a malicious QR code or place a malicious QR code in a public, high-traffic area. The victim scans the QR code, which redirects them to a malicious website. Quishing can bypass email security protection that scans for malicious links and attachments.
Smishing
A smishing attack uses deceptive short message service (SMS) messages, also known as text messages, to manipulate victims into divulging sensitive personal information such as bank account details, credit card numbers or login credentials.
Vishing
Vishing is short for “voice phishing” and involves defrauding people over the phone and getting them to divulge sensitive information. A threat actor can fake or spoof their caller ID information or use a voice changer to make victims believe they are legitimate. Voices generated by artificial intelligence (AI) can sound like family members or friends.
A vishing scheme may also target the victim’s voice. In this instance, the threat actor collects a sample of the victim’s voice to conduct fraud (for example, to use the sample for voice authentication to access an account).
Angler phishing
Angler phishing is an emerging cyber threat that leverages social media platforms to post attractive but false information to “lure” targets into initiating contact. Threat actors may impersonate legitimate companies or brands through fake accounts, posts, direct messages or ads. They often create fake customer support profiles or use social media interactions (for example, responding to complaints or questions) to convince users to click on malicious links, visit counterfeit websites or share personal details.
This is a powerful attack because the target initiates contact with the threat actor—bypassing trust concerns—and provides an immediate and active interaction, rather than a passive and delayed interaction.
Catfishing
Catfishing is typically conducted through online platforms like dating websites. The threat actor fakes an identity or creates a persona to gain the target’s trust and defraud or extort them. The threat actor, or catfish, generally makes excuses to avoid in-person interactions. One of the more common forms of catfishing involves tricking the victim into an online romantic relationship.
Pharming
Pharming is a more advanced technique in which cybercriminals try to redirect users to fake websites that look identical to legitimate ones, like online banking sites, e-commerce platforms or social media networks. The goal of these attacks is to trick users into providing sensitive or personal information, such as usernames, passwords or credit card numbers.
While phishing relies on emails or messages to trick users into providing personal information, pharming uses malware or manipulates the domain name system (DNS) to redirect users to fraudulent websites designed to capture their personal information.
Artificial intelligence and phishing
AI is rapidly reshaping the cyber security landscape, introducing enhanced capabilities for defence and new avenues for exploitation. One concerning emerging threat is the use of AI to automate and refine phishing attacks. AI enhances the effectiveness of phishing attacks and reduces the time and effort needed for threat actors to conduct these attacks.
Recent advances in generative AI make it more difficult for users to identify phishing attempts. Generative AI can be used to produce highly realistic content, including text, images, video and audio. The content is enhanced and is more realistic, making it harder to distinguish between fraudulent and legitimate communications.
AI also enables threat actors to gather and analyze publicly available data on potential targets, allowing them to craft highly personalized spear phishing and whaling messages.
These messages can be tailored to reflect individual interests, online activity, familial connections or professional relationships—substantially increasing the likelihood of victims engaging with the threat actor.
AI is also playing a critical role in strengthening our cyber defences. Sophisticated AI-based intrusion detection systems can analyze large volumes of data, assess user behaviour, examine metadata and message content, and identify anomalies that may indicate a threat. These systems enable faster, more accurate identification and mitigation of phishing attempts and other cyber risks. As the threat landscape evolves, organizations must continue to invest in both AI technology and AI awareness to stay ahead of increasingly sophisticated attacks.
How to identify a phishing attack
Phishing attacks can be delivered in many ways, but they all play on trust, urgency and other aspects of human psychology. A phishing message may appeal to fear, excitement, authority, curiosity or trust. Phishing attacks typically follow a similar sequence. Knowing how to identify these steps can help protect your organization against phishing.
Step 1: The bait
As described above, there are many ways that the threat actor can set the bait. They may craft a message that appears to come from a well-known bank or service provider. They use spoofing techniques and send the message to numerous recipients in the hope that some will take the bait.
In spear phishing and whaling attacks, the threat actor first gathers details about the target. For example, they harvest information from social media profiles, company websites and Internet activity to create a customized message.
In vishing attacks, the threat actor might use a computerized auto-dialler (known as a robocall) or an AI-generated voice of a known person to deliver the fraudulent message to many victims.
Step 2: The hook
The hook occurs when the victim believes the message is from a trusted source and the message contains information that entices the victim to take immediate action. For example, the message may ask the user to resolve an urgent issue with their account.
If the victim clicks the link in the message, they will unknowingly be redirected to the threat actor’s fake version of the real website. The victim provides sensitive information, such as login credentials, which is sent to the threat actor. If the victim opens an infected attachment, their device may become infected if the malicious code executes.
Step 3: The attack
Threat actors can use stolen user credentials to access the victim’s accounts. They may use an infiltrated email account to send more phishing emails to the victim’s contacts. If the victim has privileged access (for example, to an organization or company account, system or network), the threat actor could gain access to sensitive corporate data and critical systems.
If a threat actor successfully deploys malware to your organization’s network or systems, they can use it to gain control of devices, steal data or deny access to files—for example, by encrypting them—until a ransom is paid.
Phishing characteristics
Although AI is making it hard to detect certain phishing characteristics, such as poor spelling or a robotic tone, there are other signs to be aware of.
Something may be phishy if:
- the sender makes an urgent request with a deadline
- the sender requests your personal or confidential information
- the sender asks you to log in via a provided link
- the offer sounds too good to be true
- the communication is unsolicited and includes:
  - attachments
  - links to websites or web forms (these may be spoofed)
  - QR codes
  - login pages
  - a claim to be government or bank officials
- you don’t recognize the sender
  - remember, addresses can be spoofed
  - a known sender isn’t necessarily a trusted sender
How to protect your organization from phishing
You can protect your organization’s information and infrastructure from phishing attacks by:
- using trusted anti-phishing technology, such as the Canadian Internet Registration Authority (CIRA) Canadian Shield DNS resolver
- using anti-phishing software that aligns with the Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy
- backing up information so that you have another copy
- applying software updates and patches
- blocking IP addresses, domain names and file types that are known to be malicious
- favouring in-person interactions, using cash and meeting in the office whenever possible; threat actors will try to find ways to avoid in-person interactions
- establishing protocols and procedures for your employees to verify and report suspicious communications internally
- using multi-factor authentication (MFA) on all systems, especially on shared corporate media accounts
- updating your organization’s incident response plan to include steps to take in response to a successful phishing attack
Your employees can reduce their risk of falling victim to a phishing attack by:
- remaining calm; phishing depends on creating a sense of urgency
- avoiding sending sensitive information by email or text
- reducing the amount of personal information they post online
- enabling a spam blocker in their mobile device application settings
- avoiding using any form of simplified contact response, such as clicking on hyperlinks, loading QR codes or replying to suspicious texts
- filtering spam emails (unsolicited junk emails sent in bulk)
- verifying the sender’s legitimacy by contacting the sender through a separate channel, for example:
  - if they receive a call from their bank, hanging up and visiting or calling their local branch
  - if they receive an email from their Internet service provider, contacting the service provider through their web form
  - if they receive a text from a company or provider on their phone, responding by email from their computer
- avoiding the use of SMS over the air, flash calls (a near-instant dropped call that is automatically placed to a mobile number) and SMS as MFA methods
Training and awareness
Employees should understand the importance of protecting their personal information and the organization’s information. Employees who are unaware of the signs of a social engineering attack might reveal information, whether sensitive or not. They may also unknowingly infect organizational devices, systems and networks.
Phishing attacks are less likely to be successful when your workforce is informed and has received training on how to handle personal information, such as privacy awareness training, and on cyber security best practices. Organizations should also conduct internal phishing simulations to enhance employees’ understanding of the risks. This will help employees detect and avoid phishing attacks in a safe environment.
Organizations can discuss smishing and vishing protection mechanisms with their telecommunications providers. Often, mobile network operators are better positioned to block attempts before these attempts reach users.
Learn more
- Tips for backing up your information (ITSAP.40.002)
- How updates secure your device (ITSAP.10.096)
- Protect your organization from malware (ITSAP.00.057)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
- Spotting malicious email messages (ITSAP.00.100)
- Implementation guidance: email domain protection (ITSP.40.065 v1.1)
- Security considerations for QR codes (ITSAP.00.141)