The problem with cybersecurity is that the bad guys never sit still. Just when we think we’ve put all necessary steps in place to thwart their efforts, they come up with new ways to fool us again. In today’s blog post, we’re going to explore how bad actors are combining traditional phishing techniques with domain spoofing to fool you in new and surprisingly simple ways. Don’t worry, we’re also including ways you can help protect yourself going forward!
What is phishing? According to Wikipedia:
“Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.”
In more human terms, phishing is usually an email or social media request for your personal information or network login credentials by somebody pretending to be somebody you trust. Once you give those details to bad people, they use them to hack your company network, access your credit card details, and a whole bunch of other illegal and troubling things.
What are the impacts of phishing? Phishing is nothing new. According to COFENSE, the first phishing attack happened in 1995, the good ol’ days of dial-up internet. Fast forward to 2020 and the statistics around phishing are alarming:
- 32% of network breaches in 2020 were thanks to phishing. (source)
- 88% of companies globally have experienced phishing attacks. (source)
- Nearly 40% of people fail phishing tests. (source)
- The average corporate data breach caused by human error costs $3.5 million per incident. (source)
Why do people fall for phishing? You likely know somebody who fell prey to a phishing scam, or maybe you’ve even done so yourself. One of the biggest misconceptions is that people who fall for such schemes are dumb or naïve. Not so fast. I want to illustrate the psychology of how your brain, in its cleverness, can be exploited. Have you ever heard of Leetspeak? Essentially, it is the use of alternate keyboard characters to type out words. Here is an example. It will be hard to read at first and then quickly become quite easy:
7H15 M3554G3 53RV35 7O PR0V3 H0W 0UR M1ND5 C4N D0 4M4Z1NG 7H1NG5! 1MPR3551V3 7H1NG5! B3 PROUD! (source)
How is this phenomenon used in phishing? Our brain’s desire to fill in the blanks predisposes us to scams and to trusting those we shouldn’t, and phishing is just a relatively new way to take advantage of this age-old truth. It is a numbers game. Phishing scams won’t fool everyone all the time, but they fool enough people some of the time to be very lucrative for criminals taking advantage of human nature.
What is domain spoofing and how is it used in phishing attacks? One way bad actors take advantage of this psychological weakness for filling in the blanks is domain spoofing. According to Barracuda, domain spoofing occurs when:
“an attacker appears to use a company’s domain to impersonate a company or one of its employees.”
The spoofed domain is then used in two main ways: to send email requests for information that appear strikingly legitimate, or to set up websites on a slightly altered domain that reads as correct at a glance, so that people fill out fake forms and hand over credentials and data.
How effective is domain spoofing in phishing attacks? People at your company wouldn’t fall for this, right? Think again:
- Scammers send 3.1 billion domain spoofing emails EVERY DAY. (source) They wouldn’t do so if it wasn’t working.
- In 2018 URL/domain phishing detections increased 269% from the year prior (source)
I’m going to use our own company domain as an example: www.tigrepaw.com. Oops, I meant to type www.tigerpaww.com. Wow, this is harder than I thought. I meant to type www.tigerpaw.com. All fun aside, think about your own domains. Because our brains fill in the blanks, if a domain is close enough to the real one we are likely to miss the fact that it’s not the right one.
Doesn’t software take care of this problem? The short answer: sometimes, but not always. Cybersecurity software and email traps alone are never enough for comprehensive threat detection and avoidance, at least not yet. Even good email security takes time to catch up with new phishing threats, and you may get hit before a threat is logged and shared. There are some cool advances happening right now in the world of Artificial Intelligence which will help with that, and I’ll be blogging about that soon, so stay tuned!
What else can I do to lower my company’s risk? For now, we must remain vigilant and be creative and comprehensive in how we protect our intellectual property from threats. Good cybersecurity awareness training combined with good security software can help. Another easy way to improve your protection is to simply buy up the domains that are similar to your official one. In the example used above for www.tigerpaw.com we have done that. Maybe you should too. Are there variations of your domain that might pass casual inspection by somebody on your team without a second thought? If a bad actor were to buy such a domain and use email or domain spoofing to elicit a response from one of your people, what would the damage be? Are you confident that they’d catch it? Domains are cheap, but network breaches thanks to domain spoofing combined with phishing never are.
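As an added example (not code from the original post or from Tigerpaw), here is a small Python helper for the two defensive tasks above: enumerating the near-miss variants of your own domain that are worth registering, and flagging inbound sender addresses whose domain is within a couple of edits of the real one. The substitution table, the distance threshold and the sample addresses are assumptions, and the domain handling assumes a simple single-label TLD such as .com.

```python
"""Look-alike domain helper (assumed example, not the post's own tooling)."""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: fewest single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_variants(domain: str) -> set[str]:
    """Variants of 'label.tld' a hurried reader would accept as the real thing:
    adjacent swaps (tigrepaw), doubled letters (tigerpaww), dropped letters
    and look-alike character substitutions (assumed table below)."""
    label, _, tld = domain.lower().partition(".")  # assumes e.g. 'tigerpaw.com'
    swaps = {"i": "l1", "l": "i1", "o": "0", "e": "3", "a": "4", "s": "5", "t": "7"}
    out = set()
    for i, ch in enumerate(label):
        if i + 1 < len(label) and ch != label[i + 1]:          # transposition
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        out.add(label[: i + 1] + ch + label[i + 1:])           # doubled letter
        if len(label) > 1:                                     # omitted letter
            out.add(label[:i] + label[i + 1:])
        for c in swaps.get(ch, ""):                            # look-alike char
            out.add(label[:i] + c + label[i + 1:])
    out.discard(label)
    return {v + "." + tld for v in out}


def is_lookalike(sender_domain: str, protected: str, max_distance: int = 2) -> bool:
    """True when the sender's domain is NOT ours but is within max_distance edits;
    an exact match is the legitimate domain and is never flagged."""
    s, p = sender_domain.lower().strip("."), protected.lower()
    return s != p and levenshtein(s, p) <= max_distance


def flag_sender(address: str, protected: str) -> bool:
    """Apply is_lookalike to the domain part of an email address."""
    return is_lookalike(address.rsplit("@", 1)[-1], protected)


if __name__ == "__main__":
    # constructed sample addresses: one legitimate, two look-alikes, one unrelated
    for addr in ["ceo@tigerpaw.com", "ceo@tigrepaw.com", "it@tigerpaww.com", "news@example.com"]:
        print(f"{addr:24} look-alike: {flag_sender(addr, 'tigerpaw.com')}")
```

Feed the output of lookalike_variants to your registrar's availability check to see which near-miss domains are still unregistered; feed inbound sender domains to is_lookalike to surface the ones a reader's brain would quietly "correct" to the real thing.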
We trust that you found this article useful and that you have left with some new tactics to better deal with modern phishing threats. Now it’s your turn! Do you have examples of somebody using a similar domain to fool a customer (or you??)? Do you already practice the above tips? Do you have more to offer fellow readers to help even more? Share your comments and be sure to visit us at www.tigerpaw.com/contact/ to have a dialogue with us directly. Now if you’ll excuse me I’m going to head out and do a little bit of the good kind of fishing…😊