As the threat landscape continues to evolve, cybercriminals are relentlessly refining their phishing tactics. This means that many of the tips and tricks organizations have told their employees to use in the past to spot a malicious email are no longer as effective in safeguarding their digital environments.
Here, we dissect three commonly cited phishing detection strategies and unveil their limitations in the face of advanced cyber threats.
“Hover over a link in an email before clicking”
In 2023, phishing emails with malicious URLs ranked among the top three causes of security incidents in organizations. Therefore, it comes as little surprise that employees are often warned to hover over links before clicking to ensure they are not being redirected to a malicious site or unwittingly downloading malware onto their device. Hovering triggers an action to display the underlying link, so if the title link and the target URL do not match, this could suggest the email is suspicious.
Whilst this advice can work in some circumstances, here are four reasons why inspecting a link, pre-click, may not protect users every time:
- The advice assumes that all employees will be able to identify a malicious link if presented with one, disregarding the diversity of technical proficiency throughout an organization.
- It’s a game of probabilities – if 50 people are encouraged to hover over a link, the probability increases that one of them will click, whether that’s from habit or an accidental fat finger error.
- When an organization utilizes an anti-phishing tool with link-rewriting functionality, sometimes the hovering technique is not effective as the URL does not show the end destination, but instead displays the re-written link.
- Hovering over a link becomes ineffective if the target URL is well-disguised. Cybercriminals have evolved to counter this tactic, with 55.2% of phishing emails in 2023 employing advanced obfuscation techniques. One key method involves hijacking hyperlinks to host malicious payloads or masking the ultimate destination. This means that a target hyperlink will appear legitimate, reducing suspicion. Recently, the Egress Threat Intelligence team detected a sophisticated campaign using a variation of this tactic, where attackers concealed their malicious URL with a 'notifications.google' redirect. Not only did this allow the attack to get past perimeter detection technologies, such as Microsoft’s native controls and secure email gateways, but if recipients were to hover over the title link, they may have perceived the email as legitimate due to the use of a trusted google service, enhancing confidence in its authenticity.
“Look out for spelling and grammatical errors”
Historically, phishing attacks were often identifiable by their poor spelling and grammar. These errors, whether intentionally included by the attacker to target those deemed 'gullible' or stemming from English not being the attacker's first language, served as a telltale sign of a malicious email.
Currently, many businesses will utilize some form of spellcheck for email so it seems unlikely that an employee will receive a poorly worded business communication from a legitimate source. Consequently, staying vigilant to spelling and grammatical errors appears to be a logical method for spotting phishing attacks, especially since these types of inaccuracies trigger most spam filters.
However, as cybercriminals increase their use of generative AI, over-reliance on identifying grammatical errors in emails may prove futile. Threat actors are now able to quickly and easily rectify mistakes using tools such as ChatGPT and other large language models (LLMs).
In addition, AI can ensure phishing emails are crafted with a convincingly professional tone and be used to carry out open-source intelligence (OSINT) searches on individuals, pulling from platforms like their social media, to make attacks more personalized.
Ultimately, not only will these more sophisticated attacks bypass traditional detection technologies that look for the conventional signs of phishing such as poor grammar and common key phrases, but threat actors can now effortlessly produce targeted and personalized attacks at scale. A recent Egress study has revealed that the use of AI in this way is keeping Cybersecurity leaders awake at night, with 61% losing sleep over AI chatbots being leveraged to create phishing campaigns.
“Double check the sender address is correct”
One of the ways to determine an email’s legitimacy can be to check the sender address to make sure it originates from the expected source. Cybercriminals have long utilized the tactic of email spoofing to deceive the recipient into believing they are receiving a communication from a credible or trusted sender.
A key tactic to achieve this is by creating near-identical sender addresses that have small typographical errors in the domain or display name, and often masking them behind an impersonated display name. A cybercriminal’s hope is, if a recipient sees a name they trust or an organization they communicate with on a regular basis, they won’t think to scrutinize the sender address further.
Therefore, employees are warned not to trust a display name alone, especially if it is a brand-new communication with a request or link that seems unusual. Instead, they should always look at the full address to determine the source, keeping a watchful eye for small discrepancies or public domains (like ‘@gmail.com’).
Without question, this is sensible advice, but it does not take account of two scenarios:
- With the rise of flexible working, 66% of employees have revealed they use a mobile phone to access their emails outside of work. Due to screen size limitations, small devices make it difficult to identify an incorrect address, as usually only the display name is shown. This also takes advantage of the fact that employees who need to check their email on a mobile are likely away from their desk and may not be in a security aware mindset - making it less probable they will click into a display name to verify its legitimacy.
- Checking the sender address is useless if the attack comes from a legitimate but compromised account. In 2023, 47% of Cybersecurity leaders were most stressed about account takeover (ATO) within their organization and 52% about phishing attacks coming from compromised accounts in their supply chain. These sophisticated attacks frequently evade security measures like secure email gateways that are reliant on reputation-based detection technologies, and it is virtually impossible for an employee to identify the email as malicious based on the sender address alone.
The Egress approach to detection
Long gone are the days of easily identifiable phishing attacks, sent from dodgy-looking domains and filled to the brim with grammatical errors. Instead, we are faced with advanced attacks that can easily evade traditional security solutions. Threat actors are leveling up, adeptly circumventing common detection techniques and technologies once relied upon.
While it's essential to remain vigilant and continue scrutinizing emails for discrepancies in spelling, grammar, and sender authenticity, it's equally crucial not to rely solely on these indicators. Therefore, organizations owe it to their employees to embrace intelligent security solutions that can adapt to evolving threats.
Seamlessly integrating with Microsoft 365, Egress Defend uses AI, including pre-generative models, to detect advanced inbound threats. Inspecting every email before it lands in a user’s inbox, Defend utilizes linguistic, contextual, and behavioral analysis to identify threats, including zero-day and emerging attacks. Additionally, Defend uses dynamic heat-based banners to alert users to risk, providing in-the-moment training to enhance security awareness.