Perfect Phishing Attack: A Penetration Tester’s Perspective


Even if your company uses top-notch security solutions to keep malicious actors at bay, these efforts are half-baked as long as the employees keep clicking phishing links. Cybercriminals know it is easier to manipulate humans than to game technology. Unsurprisingly, the issue has escalated dramatically in light of the COVID-19 crisis that spawns fears and thus gives attackers an extra advantage in creating “mental payloads” for effective hoaxes.

Here are some statistics to give you the big picture. According to a recent APWG study, the number of reported phishing attacks doubled during 2020. The average fraudulent wire transfer request seen in business email compromise (BEC) scams increased from $48,000 in Q3 to $75,000 in Q4 of that year. Verizon says 36% of all confirmed breaches in 2021 involved phishing.

One of the best ways to build reliable defenses is to think like a phisher. Penetration testing gives white hats actionable insights into the top tricks that get users on the hook, and this knowledge can form a foundation for security awareness training that works. With that in mind, here is a summary of the phishing email elements that play a major role in making the recipient slip up.

The Decoy for a Sure-Shot Scam

Generally speaking, every phishing email is geared toward persuading a user to click a booby-trapped link or download a harmful attachment. During a classic pentesting exercise, security professionals send employees messages with a link leading to a credential phishing page or a Microsoft Office document that contains toxic macros.

In most scenarios, the bait is benign and only allows white hats to track every instance of clicking the link or opening the enclosed file. But sometimes, the trial attack is truer-to-life and the macro-based payload gives researchers remote access to a target computer. Not only does the latter tactic shed light on the recipients’ security hygiene, but it also gives pen-testers an idea of how reliable the organization’s automatic real-time defenses are.

A hugely important thing on the to-do list of the undercover “phisher” is to make the fraudulent email look as realistic as possible. Its narrative has to fit the context of a specific objective.

If the attack is aimed at accessing the correspondence of senior management, the ideal message will impersonate a coworker or partner whose status in the business hierarchy is high enough to evoke the would-be victim’s interest and trust.

If the goal is to gain a foothold in a computer used by an employee from the accounting department, then the email will typically mimic some kind of a financial report or instructions from their boss to check wire transfer credentials.

Most phishing emails pressure users into doing something immediately. This feigned urgency causes the target to lose vigilance and make hasty decisions. Proofreading the email is important, too. Misspellings and other inaccuracies make some employees suspicious, and this can ruin the whole conspiracy in a snap.

Pentesters’ Key Findings

Most trial phishing campaigns show that employees are more inclined to open email attachments than hand over their sensitive information via a web form. Moreover, some users open these files without a second thought mere moments after receiving the message.

The most effective email subjects are related to corporate perks such as employee discounts and bonus programs from affiliated businesses. About a third of recipients engage with messages like that in some way. Emails that instruct staff to read new corporate policies and other documents associated with enterprise culture come second.

The success of the attack increases significantly if it is aligned with current events or breaking news. For instance, the December shopping spree is fertile ground for scams advertising fake promos and freebies. The same period is also ideal for sending files disguised as an updated work schedule for the holidays. The spring of 2020 gained notoriety for massive phishing outbreaks revolving around the coronavirus emergency.

The more targeted the email is, the higher the chance that it does its thing. A little bit of open-source intelligence (OSINT) can reveal enough details to create a spear-phishing message that pulls the right strings. In pentests, personalized emails that zero in on one to three employees often have a 100% success rate. As the range of intended recipients grows, the subject necessarily becomes more general and the effectiveness goes down.

Sadly, pentests show that phishing awareness of most employees remains low despite the unprecedented risks. They often overlook red flags such as unfamiliar senders, requests to disclose credentials, and typos in the domain name of the impersonated company.

How to Stay Safe from Phishing?

In most cases, it isn’t hard to make phishers frown, although some attacks are sophisticated enough to fly below the radar. One way or another, company executives should keep the following things in mind:

  • Every employee needs to take email security seriously and think twice before clicking a link or downloading a file that may contain a virus, even if it looks trustworthy.
  • An organization can’t go wrong with a reliable Secure Email Gateway (SEG) solution that identifies and blocks most phishing emails.
  • Security awareness training for personnel using tools like TSAT is a must.
  • Corporate IT teams should inform employees about the latest phishing tactics and rogue email templates currently in rotation.
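As an added illustration (not code from the original article), here is a small checker that flags an email for the red flags the pentest findings describe: an unfamiliar or lookalike sender domain, a request to disclose credentials, and pressure to act immediately. The trusted-domain list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed trusted-domain list for a hypothetical organisation.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Phrases that ask the recipient to hand over credentials.
CREDENTIAL_RE = re.compile(
    r"\b(password|passcode|login credentials|verify your account|wire transfer credentials)\b", re.I)
# Language that pressures the recipient into acting right now.
URGENCY_RE = re.compile(
    r"\b(immediately|urgent|right away|asap|within (the next )?\d+ (hours|minutes))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain this one imitates (distance 1 or 2), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def phishing_red_flags(raw_email):
    """Return a list of the red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    if domain not in TRUSTED_DOMAINS:
        flags.append("unfamiliar sender domain: " + domain)
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"domain {domain} resembles trusted domain {imitated}")
    if CREDENTIAL_RE.search(text):
        flags.append("asks the recipient to disclose credentials")
    if URGENCY_RE.search(text):
        flags.append("pressures the recipient to act immediately")
    return flags

# Constructed samples: a lookalike-domain lure and a benign internal notice.
SAMPLE_PHISH = """From: CFO <j.doe@examp1e.com>
Subject: Urgent: confirm wire transfer credentials

Please verify your account and send the wire transfer credentials immediately.
"""
SAMPLE_CLEAN = """From: HR <hr@example.com>
Subject: Cafeteria menu

The menu for next week is attached.
"""
```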

Written By: David Balaban

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs and projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
