For decades, the "Nigerian prince" scam has been working its way through spam filters...
"Dear Sir, I'm reaching out to you from the Royal Inheritance Commission. As the last surviving heir, your inheritance has been transferred to a Western Union account. As the senior settlement manager, I can deliver the US$2,000,000 directly to you. All I need to perform the transaction is a small cash advance..."
- the "Nigerian Prince"
Once the victim takes the bait and gets more invested, it all starts to go wrong, and more funds are needed for some "unforeseen circumstance". As the victim falls deeper into the trap, they are susceptible to the "sunk cost fallacy". This is a phenomenon where someone convinces themselves, often beyond logic, to continue doing something because they have already put in time, effort or money.
While this scam still exists, modern phishing attacks have evolved and adapted to targets who are increasingly more aware of online swindles. To fool victims, phishing attacks are now targeted, personalized and use a variety of psychological techniques to manipulate and exploit their victims.
What You'll Learn In This Article
- The psychology behind why humans fall for phishing.
- How and why phishing has become the most common cyber-crime in 2023.
- The top 5 battle-tested phishing campaign ideas from the experts at CanIPhish.
- How you can use simulated phishing to train employees.
Why Phishing Is So Popular
In recent years, the volume, quality, and severity of online scams have reached new heights. These phishing campaigns target individuals and businesses alike. Cyber criminals love phishing because it's relatively low risk, difficult to trace, highly effective, commonly yields high rewards, and there are limitless potential targets.
It’s no surprise that phishing remains the most common form of cyber-crime in 2023.
According to the Australian Financial Review, in 2022, there were 74,000 reported phishing attacks in Australia alone, with financial losses of more than AUD$24.6 million. To make matters worse, the Australian Competition and Consumer Commission (ACCC) estimates that only 13% of attacks were reported!
So, how do we combat the constant barrage of phishing attacks? Well, we do a bit of phishing ourselves!
Simulated phishing campaigns are a powerful tool for raising an organization's security awareness and improving its overall information security posture. Crafting a well-designed phish, along with realistic payloads, that offers immediate feedback and security awareness training can educate employees on the dangers of phishing and equip them with the knowledge and ability to recognize attacks.
The Top 5 Phishing Campaign Ideas For 2023
Here are some phishing campaign ideas to help keep your employees sharp and turn your organisation from a target into a phish-finding fortress.
1. Spoofing Emails From Well-Known Companies
A common strategy is to leverage a well-known brand's familiarity and strong reputation to fool victims.
Tech companies that operate globally, like Amazon, Microsoft, and Google, are particularly common companies to spoof. Their emails are expected daily, so it's not a surprise when we receive one.
When an attacker combines a familiar-looking email that appears to come from a known company, and that looks and feels legitimate, with social engineering tactics such as embedding the victim's name in the content, distinguishing the real from the fake can be difficult!
2. Using Human Psychology
Any good salesperson would attest to the fact that in order to sell, one must harness and take advantage of human psychology. Phishing scams use similar techniques with nefarious intent to create a sense of urgency, authority, scarcity, and curiosity to manipulate and deceive their targets.
- Urgency: Phishing emails often create a sense of urgency to get the recipient to act quickly and bypass rational thinking. They may claim there has been a security breach and the recipient's account has been compromised, making the victim believe that immediate action is required to mitigate further loss. These phishing emails will usually lead to a fake website masquerading as the real one, where the victim is asked to enter their credentials in order to update their account details.
- Authority: Phishing emails often use the logos and branding of well-known companies or organizations to create a sense of authority and legitimacy. It’s common to see trusted sources such as banks or government agencies used to make the recipient feel like they can trust the email.
- Scarcity: Phishing scams create a sense of scarcity by claiming that the victim has won a prize that is only available for a limited time or available to a limited number of customers. This creates the feeling that the victim needs to act quickly before they miss the opportunity. This time pressure can lead to poor judgment.
- Curiosity: Curiosity is an emotion that scammers use to get clicks. Email subject lines and content are carefully crafted to pique your interest. Some powerful words/phrases to evoke curiosity are "spoiler", "secret", "be the first", the user's name, "earn $2,000 a day at home", "guaranteed," and so on.
3. Spear Phishing
Spear phishing is a type of phishing attack that is highly targeted to an individual or company.
In a spear phishing attack, you will usually see personalized information that appears to be from a trusted person or company.
The attacker will often conduct extensive and meticulous research beforehand, gathering information from public sources such as Facebook, Instagram, and LinkedIn.
Spear phishing attacks have a high success rate because they are tailored to the victim's interests, concerns, relationships, and can appear more legitimate than generic phishing attempts.
4. Obfuscated Sender Profiles
- Using a display name that is different from the email address: Attackers may use this technique to mislead victims who are not paying attention. They may use the name "HR Employee Benefits" as the display name, but the actual email address has nothing to do with your employer.
- Spoofing the sender's email address: Attackers can create a fake email address that closely resembles the legitimate one. For example, they may use "googel.com" instead of "google.com" or "playstatlon.com" instead of "playstation.com". This makes it difficult for the victim to recognize that the email is not actually from the legitimate sender.
- Domain spoofing: An advanced phishing campaign idea is to employ domain spoofing. This is when the attacker masquerades as a legitimate domain by taking advantage of vulnerable SPF and DMARC configurations. Domain spoofing is a powerful weapon for cyber criminals, and when paired with a legitimate-looking email or message, an attacker can craft a phish that can easily fool unsuspecting victims. Unlike most phishing simulators, CanIPhish supports both domain spoofing and customized sender profiles. Check out the CanIPhish knowledge base article for more information on how you can utilize these advanced features.
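As an added defender-side example (not CanIPhish code), the three sender tricks in this list can be checked mechanically on inbound mail: a display name that borrows authority from a brand or team while the address belongs elsewhere, a lookalike domain within a couple of edits of a trusted one, and a DMARC record that only monitors instead of enforcing. The trusted-domain list, authority words and sample headers are assumed for illustration; the DMARC record text is taken as already fetched from DNS.

```python
import re
from email.utils import parseaddr

# Assumed for this example: the organisation's own and commonly spoofed domains,
# plus the words a display name uses to borrow their authority.
TRUSTED_DOMAINS = {"google.com", "playstation.com", "example-corp.com"}
AUTHORITY_WORDS = {"google", "playstation", "example-corp", "hr", "payroll"}

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: a swapped pair ("googel") counts as one edit."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain: str) -> "str | None":
    """Trusted domain that `domain` imitates (at most 2 edits away), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    hits = [t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2]
    return min(hits, key=lambda t: edit_distance(domain, t)) if hits else None

def check_from_header(from_header: str) -> list:
    """Obfuscation findings for one From: header value (empty list if clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        # Whole-word match so "HR Employee Benefits" trips but "Chris" does not.
        if set(re.findall(r"[a-z-]+", name.lower())) & AUTHORITY_WORDS:
            findings.append(f"display name '{name}' borrows authority, address is @{domain}")
        imitated = lookalike_of(domain)
        if imitated:
            findings.append(f"{domain} is a lookalike of {imitated}")
    return findings

def dmarc_weaknesses(txt_record: str) -> list:
    """Tags in a DMARC TXT record (fetched out of band) that let spoofed mail through."""
    tags = dict(p.strip().split("=", 1) for p in txt_record.split(";") if "=" in p)
    weak = []
    if tags.get("p", "none") == "none":
        weak.append("p missing or none: spoofed mail is delivered and only reported")
    if int(tags.get("pct", "100")) < 100:
        weak.append(f"pct={tags['pct']}: policy enforced on only part of the mail")
    return weak
```

Tune the edit-distance threshold to your domain lengths: two edits is generous for short brand names and will flag unrelated short domains.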
5. Executive Phishing (Whaling)
This is a type of phishing attack that targets high-level executives, such as CFOs or CEOs.
This is a common and effective phishing campaign idea where the attacker sends a targeted phishing email that appears to come from a trusted organization, partner, government agency, or fellow executive in the business. The email is designed to trick the victim into taking a specific action, such as providing confidential information or making a large payment.
The success of a whaling expedition relies on the attacker using multiple phishing techniques to craft a convincing message. Attackers may also use tactics such as social engineering and research to achieve this.
To prevent whaling, it’s important that organizations train employees within the business, including C-level executives, to identify and report suspicious phishing emails.
Curious to learn more about whaling? Check out CanIPhish's page dedicated to executive phishing.
The success of a phishing campaign doesn't rely on just one factor. It's the aggregation of knowing your target, understanding their vulnerability, and utilizing real-world techniques such as domain spoofing to make a phish appear as realistic as possible.
Once phished, it's then crucial to provide immediate feedback to the victim in a non-threatening and constructive manner. This is usually done by redirecting the victim to an educational page that alerts them they have fallen for a phish and what they can do in future to spot the ruse.
Organisations with excellent IT security posture often pair this immediate feedback loop with security awareness training for maximum effect.
So don't wait any longer. Give these ideas a try with a free CanIPhish account and in doing so, empower your employees to become cyber-savvy superheroes! Remember, when it comes to cybersecurity, prevention is always better than cure!