31st March 2023

What are the most common types of phishing attacks and how can you protect yourself?

Phishing attacks are becoming more and more sophisticated. What are the pitfalls and how can we protect ourselves? We spoke to Bertrand Lathoud from the National Cybersecurity Competence Center of Luxembourg, who provides five useful tips on how we can make sure we do not become easy phishing prey.

1. How vulnerable are Luxembourg's consumers to phishing attacks?

First, it's important to highlight that, as in most European countries, Luxembourg doesn't have a comprehensive overview of the actual volume and nature of phishing attacks. This is mostly because incidents are only partially detected, and of those, only a limited number are actually reported to the different public bodies. Moreover, the word "phishing" covers a broad range of criminal activities, depending on at least three variables:

Who is the victim?

  • Is it an individual? A small organization such as an SMB? A large corporation? A governmental entity? etc.

Who is the perpetrator?

  • Is it a single and possibly unsophisticated person?
  • Is it a resourceful criminal organization?
  • Is it a government related group?

What is the intent of the perpetrator?

  • Is he/she in it for a quick "smash and grab", in which case it won't really be targeted and will most likely be heavily automated?
  • Is it to get a significant financial gain from a given company?
  • Is it to get access and subsequently harm or steal from a specific organization, or category of organizations?

Depending on these dimensions, the modus operandi and persistence of the attacker will greatly change. This has a significant impact on the type of security measures and corresponding resources to put in place.

It's however possible to have some sense of the prevalence of phishing in Luxembourg by accessing the cybersecurity threat observatory created by the NC3 (https://nc3.lu/pages/observatory.html), which gives quarterly insights on the trends through its bulletin. The NC3 Observatory will soon have a specific bulletin on SPAMBEE report analysis, aimed at presenting trends on phishing and spamming as reported by Luxembourg residents. Some incident-specific data are also available through the Open Statistics of CIRCL, the CERT of the Economy (https://www.circl.lu/opendata/statistics/#ticketing-system-statistics).

2. What measures are banks and authorities around the world taking to prevent phishing?

Depending on the targeted entity, there will be different types of requirements, even if we could also highlight some generic ones.

If the target is an individual or a non-regulated entity, there are mostly "good practices" that are advised. The purpose is to increase detection through awareness. Email or social network users are advised to focus on a few points:

Is there anything unusual with the message if it comes from a known sender?

    • Is the content consistent with the usual style and topics coming from this sender?
    • Is the actual sender address the same as usual?
    • Are there unusual files attached to the message (PDF, Office documents, images...)?
  • Does the message create an unusual sense of urgency?
  • Does the message ask you to click on a link that does not belong to the organization that supposedly sent it?
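
Several of the checks in the list above can be automated. The following is an added example written for this page, not code from the interviewee or from the NC3. It parses a constructed sample message (every address and domain in it is invented), compares the sender and Reply-To domains with the organization the mail claims to come from, extracts links from the HTML body and flags any whose host lies outside that organization or whose visible text names a different site than the real href, and looks for urgency wording. The "last two labels" notion of organizational domain is a simplification that ignores public suffixes such as co.uk, and heuristics like these produce false positives (banks do use third-party mailers); the point is to show what a check for each bullet looks like, not to replace a mail filter.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the display name and the
# visible link text claim "examplebank.com", but the real sender, the Reply-To and
# the link target all belong to other domains.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure.net>
Reply-To: support@mail-verify.example
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, unusual activity was detected. Verify your account immediately:</p>
<p><a href="http://examplebank.com.login-check.example/verify">https://www.examplebank.com/login</a></p>
<p>Download the attached statement for details.</p>
</body></html>
"""

# Wording that manufactures time pressure (assumed list, extend for your language).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude organizational domain: the last two labels. No public-suffix list,
    so country-code second-level domains such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_addr: str) -> str:
    """Host part of a URL, or the domain part of an email address."""
    if "@" in url_or_addr and "://" not in url_or_addr:
        return url_or_addr.rsplit("@", 1)[1].strip(">")
    return urlparse(url_or_addr).hostname or ""


def analyze(raw: str, claimed_org_domain: str) -> list:
    """Return (check, detail) findings; an empty list means these heuristics saw nothing."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Is the actual sender address the organization it claims to be?
    from_addr = msg["From"].addresses[0].addr_spec
    from_dom = registrable_domain(host_of(from_addr))
    if from_dom != claimed_org_domain:
        findings.append(("sender_domain", f"From is {from_addr}, not under {claimed_org_domain}"))

    # 2. Replies silently redirected to a different domain?
    if msg["Reply-To"]:
        reply_dom = registrable_domain(host_of(msg["Reply-To"].addresses[0].addr_spec))
        if reply_dom != from_dom:
            findings.append(("reply_to_mismatch", f"Reply-To domain {reply_dom} differs from {from_dom}"))

    # 3. Links outside the organization, or link text that disagrees with the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    extractor = LinkExtractor()
    extractor.feed(text)
    for href, anchor in extractor.links:
        href_dom = registrable_domain(host_of(href))
        if href_dom != claimed_org_domain:
            findings.append(("foreign_link", f"{href} resolves to {href_dom}"))
        anchor_host = host_of(anchor) if "://" in anchor else ""
        if anchor_host and registrable_domain(anchor_host) != href_dom:
            findings.append(("anchor_href_mismatch", f"text shows {anchor_host} but href goes to {href_dom}"))

    # 4. Unusual sense of urgency in subject or body.
    haystack = (msg["Subject"] + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for check, detail in analyze(SAMPLE_EMAIL, "examplebank.com"):
        print(f"[{check}] {detail}")
```

Run against the sample, every one of the five checks fires; a message whose From, links and wording all stay within the claimed domain yields an empty list. Attachments, the third bullet, are not inspected here: that requires opening the file in a sandbox, not string matching.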

Different types of awareness campaigns, at national or organizational level, can help to reduce exposure to the social engineering techniques usually used by attackers to lure their victims through phishing attacks. Some security companies offer fake phishing campaigns to their customers, in order to help employees get a better sense of what it means to be targeted, and to develop experience in detecting the most common phishing tricks.

In order to better authenticate the sender of a message, organizations that have enough resources can implement all or some of the following standards:

  • DKIM (Domain Keys Identified Mail) - https://dkim.org/
  • SPF (Sender Policy Framework)
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) - https://dmarc.org/

Their main purpose is to improve the resistance of the original email protocol to forgery and impersonation.
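
To make concrete what SPF and DMARC add, here is an added example for this page; it is not from the interview, and not an implementation published by any of the organizations named above. It works against a constructed set of DNS TXT records for an invented domain, examplebank.com: a simplified SPF evaluation (only the ip4, ip6, include and all mechanisms, enough to follow the RFC 7208 logic without the other mechanisms and macros) and the DMARC alignment and policy lookup from RFC 7489. DKIM signature verification itself is not reproduced; the evaluator takes the DKIM result and signing domain as inputs. The last case in the demo is the limit a practitioner should keep in mind: these standards stop forgery of a domain that publishes them, and say nothing about a lookalike domain the attacker actually owns.

```python
import ipaddress

# Constructed DNS TXT records for an invented domain (not real DNS data).
DNS_TXT = {
    "examplebank.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "_dmarc.examplebank.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
        "rua=mailto:dmarc-reports@examplebank.com"
    ),
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(host: str) -> str:
    """Organizational domain as 'last two labels'. Real implementations use the
    Public Suffix List (co.uk etc.); the shortcut is enough for this example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_spf(client_ip: str, mail_from_domain: str, depth: int = 0) -> str:
    """Simplified SPF (RFC 7208) check of the connecting IP against DNS_TXT.

    Handles ip4, ip6, include and all with the +, -, ~ and ? qualifiers. A record
    with no matching term yields 'neutral', a missing record 'none'."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                          # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # 'in' is False when address and network are of different IP versions
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            matched = check_spf(client_ip, argument, depth + 1) == "pass"
        else:
            continue                        # a, mx, ptr, exists are not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def aligned(authenticated_domain: str, header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return authenticated_domain.lower() == header_from.lower()
    return org_domain(authenticated_domain) == org_domain(header_from)


def evaluate_dmarc(header_from, spf_result, mail_from_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition): 'none', 'quarantine' or 'reject', taken
    from p= for the exact From domain or sp= when only the parent publishes a record."""
    header_from = header_from.lower()
    record = DNS_TXT.get(f"_dmarc.{header_from}")
    if record is not None:
        tags = parse_dmarc(record)
        policy = tags.get("p", "none")
    else:
        record = DNS_TXT.get(f"_dmarc.{org_domain(header_from)}")
        if record is None:
            return ("none", "none")         # domain publishes no DMARC policy at all
        tags = parse_dmarc(record)
        policy = tags.get("sp", tags.get("p", "none"))
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)


def authenticate(client_ip, mail_from_domain, header_from, dkim_result="none", dkim_domain=""):
    """Run SPF on the connection data, then DMARC on the SPF and (given) DKIM results."""
    spf = check_spf(client_ip, mail_from_domain)
    dmarc, disposition = evaluate_dmarc(header_from, spf, mail_from_domain, dkim_result, dkim_domain)
    return {"spf": spf, "dmarc": dmarc, "disposition": disposition}


if __name__ == "__main__":
    cases = [
        # legitimate mail via the contracted mailer, DKIM-signed by the bank
        ("198.51.100.10", "examplebank.com", "examplebank.com", "pass", "examplebank.com"),
        # forged From: examplebank.com from an unlisted IP, no DKIM signature
        ("203.0.113.7", "examplebank.com", "examplebank.com", "none", ""),
        # subdomain From, DKIM signed by the parent: adkim=s refuses it, sp= applies
        ("203.0.113.7", "alerts.examplebank.com", "alerts.examplebank.com", "pass", "examplebank.com"),
        # lookalike domain owned by the attacker: nothing to fail against
        ("203.0.113.7", "examplebank-secure.net", "examplebank-secure.net", "none", ""),
    ]
    for case in cases:
        print(case[2], "->", authenticate(*case))
```

The second case is the one these standards were designed for: a forged From: header on the real domain gets a DMARC fail and the published p=reject disposition. The fourth case shows why the user-side checks in the previous section remain necessary.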

Another set of measures is intended to reduce the risk of victimization by making the exploitation of the phished data more difficult.

It's mostly through the use of a second factor of authentication, which is deemed strong because it is usable only for one transaction and is available through a channel that is difficult, if not impossible, for the "phisher" to take control of.

The "token" provided by a bank to its customers is an example of such a second factor of authentication.

Another way to reduce victimization is to take down identified phishing websites. This is mostly done by organizations reporting to hosting providers which pages are fraudulent. Users can also contribute by reporting URLs of suspicious websites to a service such as "URL Abuse" (https://www.circl.lu/urlabuse/). Reporting emails through SPAMBEE (spambee.lu) is another way for an end user to ensure that suspicious-looking pages are checked and, if confirmed fraudulent, are taken down.

Tools such as SPAMBEE, but also browsers themselves, are able to warn users when they access a web page already assessed as being a phishing page. A visual warning allows them not to proceed with this page.

For regulated entities, there will be obligations set by a Regulation Authority to use or implement specific security mechanisms. They are usually chosen among those listed above. In Luxembourg, an example could be the “Circulaire CSSF 15/603”, which mandates payment providers to use strong customer authentication for internet payments. Another important point regarding regulated entities is that they often have to undergo regular operational risk audits on behalf of the Regulation Authority, and this means they have to implement a robust risk management framework, which should encompass internet-related operations. This usually leads them to implement proper security controls reducing the exposure of their customers to attacks such as phishing.


3. Most phishing attacks are sent via email, but is so-called spear-phishing a sophisticated type of phishing involving email?

Initially, most phishing attacks occurred through email, and "spear-phishing" was one of them. The main characteristic of "spear-phishing" is not the communication channel it uses; it is the nature of the target that defines it. It is indeed targeted at a given individual, or a category of individuals, in a given organization. In a company, a spear-phishing attack may for example be directed at the accounting department, with the purpose of luring at least one of the accountants into providing credentials that can later be used for triggering fraudulent bank transfers. As with any targeted attack, spear-phishing requires reconnaissance work before the actual attack, in order to identify the people who could be targeted, their interests, their possible motivations or any other personal information that will help to build trust and manipulate them.

4. What are whaling and angler attacks, smishing and vishing?

Whaling is an attack that usually targets a key decision maker in an organization, for instance the CEO or the CFO of a company. It's a specific type of "Business Email Compromise" (BEC), which requires significant preparatory work by the attackers in order to identify the best approach to lure the victims into either revealing sensitive information or installing malware on their computer.

The angler attack consists of posing as customer support employees of a known company on a social network, in order to lure complaining users of said service into disclosing personal information and possibly credentials. It relies on the fact that customers are aware that companies often respond more quickly to issues raised on social media, as they are more visible and may lead to brand reputation issues in case of non-responsiveness.

A smishing attack is a phishing scam using SMS messages as the communication channel for delivering its harmful content. As it is a written and asynchronous communication medium, it closely resembles traditional email-based phishing attacks. It was actually one of the first "innovations" of phishing gangs when they realized that email-based operations were becoming less successful due to the positive impact of awareness trainings.

Vishing is a phishing attack that takes place on a voice channel. It can be a phone call, or a call through one of the numerous "Voice over IP" (VoIP) communication tools or messengers. It can be targeted or "blind". The social engineering mechanisms behind it are the same as for any other type of phishing. It's not uncommon to see sophisticated attacks, such as BEC, start with emails and then move to direct calls.

5. What are your five tips for our readers on how to protect themselves?

Five useful tips: 

  1. If it's too good to be true, it's probably "fishy". No serious organization is going to ask you to provide your credentials (login and password) through an email, an SMS or a phone call, and even less through a social media account.

  2. If you get a weird message from your bank or any other institution, you can report it through mechanisms such as SPAMBEE (spambee.lu) and get some feedback on whether it's a known phishing attempt.

  3. Criminals want you to act in a hurry, in order to prevent you from using common sense and critical thinking. You can always check any "urgent" information with your bank, or any targeted institution, by either calling them on a known phone number, or by typing their website URL yourself in your browser, rather than directly clicking on links in emails.

  4. If you can protect your account through a second factor, don't hesitate. It adds a little bit of friction, but significantly decreases the risk of being victimized.

  5. Vigilance should also be applied to social network accounts: the previous five rules are valid as well.

About the blog:


There is an urgent need for rapid transition to global sustainability. Business and industry have enormous social and environmental impacts. "Why does it matter?" is a bi-monthly blog that aims to elucidate this important topic through the eyes of our experts. 

Don't miss out our experts' practical tips for your daily life and be part of the positive change. 