What makes for the most deceptive phishing attacks?


Businesses can splash out on security software, security appliances and secure new hardware, but often pay too little attention to their biggest vulnerability: their employees. While exploits and targeted attacks home in on weaknesses in hardware or software, phishing and ransomware attacks often prove more effective by exploiting human error to capture credentials or gain a foothold on the corporate network. Sometimes it only takes one click on a bad link to initiate a breach, and getting that click is just a numbers game.

Earlier this year, OpenText Security Solutions and Opinium Research surveyed over 2,000 employees of UK businesses of between 25 and 999 employees. Forty-two percent of them were unable to identify a scam email claiming to be from the Royal Mail. What’s more, the study exposed a lack of up-to-date cyber security knowledge. Fifty percent had never heard the term DDoS (distributed denial of service) and 60% had no knowledge of what BEC (business email compromise) meant. In fact, 29% had never completed any form of cyber-risk training whatsoever.

What makes this situation so serious is that the criminals have never been so sophisticated or so deceptive in disguising their phishing attacks. Phishing has always been based on deception – on convincing users to enter credentials or install malware in the belief that an email, social media post or website came from someone they knew, someone they trusted or someone with authority.

Previously, some simple actions were all you needed to dispel the illusion. Hovering over a link would reveal that it didn't point to the purported source but to a completely different URL. The branding, logos or colours of a website wouldn't match those of the real thing, and any messaging would be riddled with basic grammatical errors. You could tell a fake website from an authentic one because it wouldn't have an HTTPS prefix in the URL or a padlock icon in the address bar (a check that only ever proved the connection was encrypted, never that the site behind it was the genuine one).

Sadly, cyber criminals have learnt how to cover these tell-tale signs or work around them. And when employees are already struggling to spot existing phishing attacks, what chance do they have with the newest and most deceptive?

New levels of deception

Nearly all phishing attacks take the same basic approach, manipulating users so that they click on a bogus link, download a malicious file, or enter their credentials into a bogus form. They may use curiosity (click to see more), opportunity (click for free goodies) or even fear (enter your username and password to find out who has ordered something expensive through your PayPal account).

Even most new phishing attacks still follow this same behaviour, creating a sense of urgency to prevent their targets from thinking twice about what they’re being asked to do. What’s changing is that the more deceptive attacks are playing things more intelligently and getting smarter about hiding the usual indicators that something is awry.

For example, we’re seeing more attacks that target a specific business, with emails where the sender assumes the identity of the CEO, CIO or some other senior IT or business decision maker. The faked senders can even be external. Last year, UK businesses were hit by scam emails claiming to be from Lindy Cameron, chief executive of the National Cyber Security Centre. Other scam emails or websites use fake celebrity endorsements or the branding of government services, including HMRC and the NHS. Not coincidentally, the NHS is one of the UK’s biggest targets for malicious emails – Comparitech reports that NHS Digital received an average of 89,353 per employee in 2021.

Attackers are also growing more ingenious in hiding attacks within what seem to be routine business communications. As remote work has become mainstream, phishing attacks disguised as automated notifications from Google Drive, OneDrive, SharePoint or Dropbox have become more common, the email acting as a lure to pull users towards a fake Office 365 or Google Workspace login page. SMS messages have also become a key vehicle, impersonating banks, postal services and delivery companies with links that are significantly harder to check on a phone, where there is no hover and the true destination is rarely visible.

To make things worse, attackers are also using new ways to allay suspicion and circumvent protective measures. They might mix legitimate links with their own, taking users to the real contact page for an organisation in the hope that they will then, say, click on a spoof link purporting to be the login page for their account. They might also blend malicious code with legitimate code copied from the genuine website, to fool spam and malware filters, or use shortened URLs to hide the real destination from security tools and users alike.
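The manual 'hover over the link' check described earlier and the two ploys described here (mixing genuine links with spoofed ones, and hiding destinations behind URL shorteners) can be mechanised in a mail gateway or triage script. The following is an added example written for this page, not code from the article, OpenText or Webroot. It extracts every link from an HTML email body, compares the host the link text displays with the host the href actually goes to, flags shortener domains, and notes links that leave the sender's own site. The sample email, the shortener list and the sender site `example-bank.com` are all constructed for the demonstration.

```python
"""Flag deceptive links in an HTML email body.

Added example for this page (not code from the article, OpenText or Webroot).
It mechanises two manual checks: "does the link text match where the link
really goes?" and "is the destination hidden behind a URL shortener?".
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical list for the demo; a real gateway would use a maintained feed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly", "is.gd"}


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none."""
    return (urlsplit(url.strip()).hostname or "").lower()


def displayed_host(text):
    """Host a reader would believe the link goes to, judging by its text."""
    text = text.strip()
    if "://" in text:
        return host_of(text)
    if text.lower().startswith("www."):
        return host_of("http://" + text)
    return ""  # plain words such as 'contact page' claim no host


def same_site(a, b):
    """Treat 'www.example.com' and 'example.com' as the same site."""
    def strip_www(h):
        return h[4:] if h.startswith("www.") else h
    return strip_www(a) == strip_www(b)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_links(html, sender_sites):
    """Return one finding per suspicious link: {'href', 'text', 'host', 'reasons'}."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        shown = displayed_host(text)
        reasons = []
        # Check 1: the text shows one host, the href goes to another.
        if shown and not same_site(shown, host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        # Check 2: a shortener hides the destination from users and tools.
        if host in SHORTENER_HOSTS:
            reasons.append("shortened URL hides the real destination")
        # Check 3: a link that leaves the sender's own site deserves a look.
        elif not any(same_site(host, s) for s in sender_sites):
            reasons.append(f"target {host} is not one of the sender's sites")
        if reasons:
            findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


# Constructed sample, modelled on the 'mix real and spoof links' lure:
# a genuine contact-page link, a spoofed login link and a shortened link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Questions? Visit our <a href="https://www.example-bank.com/contact">contact page</a>.</p>
<p>Your account has been locked. Sign in at
<a href="https://example-bank.com.account-verify.example.net/login">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Or use the short link <a href="https://bit.ly/3xyzABC">here</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyse_links(SAMPLE_EMAIL, {"example-bank.com"}):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, the genuine contact-page link passes, the login link is flagged twice (displayed host differs from the real one, and the real one is not the bank's site), and the shortened link is flagged for hiding its destination. The third check is deliberately weak on its own, since legitimate mail routinely links to tracking and content-delivery hosts; it is there so that a link which is neither obviously spoofed nor shortened still surfaces when it points somewhere the claimed sender does not own.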

Meanwhile, although they're still not common in the wild, 'browser-in-the-browser' pages threaten to make it harder for users to perform basic anti-phishing checks. Despite sometimes being described as browser exploits, these don't exploit a flaw in the browser at all: the spoof website simply draws a fake browser window inside the real page, using ordinary HTML, CSS and JavaScript to reproduce the design of a legitimate sign-in pop-up, complete with a title bar, an address bar showing the genuine provider's HTTPS URL and a padlock icon. The displayed URL, padlock and apparent 'valid certificate' are just pixels rendered by the attacker's page, so the real address bar, which still shows the attacker's domain, is the only one that can be trusted, and hovering over the fake address bar reveals nothing useful because it isn't a link. One check that still works is to try to drag the pop-up: a real sign-in window can be moved outside the parent browser window, whereas a fake one is confined to the page that drew it. Ploys like this mean that not only are untrained users more likely to be tricked, but even users who have been trained in the past could believe the window is trustworthy.

Changing threats need new training

So, how can businesses address evolving threats? Hardware and software security solutions have an obvious role to play, but equally important is addressing employee weakness through education and regular, effective training. Security training can't be a 'one and done' deal; it needs to be continuous and delivered in a way that employees find engaging, so that they actually understand and follow it. And as new threats emerge and evolve, so must the training, keeping users abreast of the latest scams and attacks. This turns employees from a weakness into the first line of defence.

Here, holistic, ongoing training offerings like Webroot Security Awareness Training can provide businesses with the continuous education their employees need. Delivered as a SaaS offering from the cloud, they enable businesses to simulate existing and emerging phishing attacks and use them to drive not just awareness but safe behaviour.

Short, engaging courses encourage employees to pay attention and think before they click; more than 60% of Webroot’s sessions take under ten minutes to complete. And with consoles and learning management tools to track participation and test performance, it’s easier to check who’s undergone training and how well it’s working.

Crucially, Webroot Security Awareness Training makes sure that employees stay up to date on the latest attacks, with over 200 phishing simulations and more being released every month. What’s more, the built-in template editor allows businesses to create their own email lures to simulate CEO and BEC attacks. It’s an approach that works. In customer campaigns carried out in 2020, OpenText Security Solutions found that click rates on phishing emails dropped by up to 50% after just 12 lessons.

Phishing attacks are evolving, and the training to combat them must evolve to match so that businesses can remain cyber resilient.


ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
