Phishing de-evolved

Phishing emails change over time as cyber criminals adjust their approaches to improve their success rates and achieve better outcomes. That means the type of phishing email schools and their staff have to contend with has also changed over time, so I would like to share some observations on the changes I have seen.

Let's go back a few years, but not too many, so maybe 6 to 10 years. At that point I remember receiving phishing emails but finding them reasonably easy to recognise. The one below, for example, was an Apple-themed phishing email.

The identifiers are reasonably clear: the spelling and grammatical errors, the lack of branding, not to mention the sender's email address. I note that it conveys a sense of urgency, an important tool in a cyber criminal's arsenal; however, because it claims to come from a known organisation, it relies on being believable, which for most users I don't believe it was. That's not to say that nobody would fall for it, as we are all susceptible to errors or momentary lapses in concentration.

Fast forward a few years and the cyber criminals got much better at making their phishing emails believable, branding their emails appropriately and even copying the styles of common productivity suites and other commonly used tools. The below are just two examples:

Although these malicious emails were successful for a while, they have become common, and users in general are therefore more cautious around them. Again, some people will still click on links, but most now either ignore such emails or treat them with great care. The common nature of these emails may be part of the reason we don't fall for them quite as often, but I also acknowledge that phishing awareness training materials have increasingly focused on this type of email, building up an awareness of the need for care. So where next for phishing?

More recently I believe I have seen an increase in very simple emails rather than the branded type. These simple emails are more akin to the emails from 10 years ago, although they are actually even simpler and more basic. Being simple and basic, they avoid the grammar and spelling errors because they contain very little text. They also tend to be made to appear to come from known individuals, such as colleagues, which removes the issue of branding. Additionally, because of their simplicity they look nothing like the big, branded phishing emails, so they are less likely to set off users' phishing "spider-senses". The below is just one example:

Here the limited information allows users themselves to mentally fill in the blanks as to why this particular colleague might be contacting them and what it might relate to, and you would be surprised just how many of us can come up with a valid reason for a random colleague, friend or other acquaintance to reach out in this way. It goes right back to the psychology of urgency and also FOMO (fear of missing out), using this rather than technology to entrap users, a technique cyber criminals have tended to be good at. In the above case the telling indicators of a phishing email continue to be the email address itself, which means looking beyond the display name to the actual address, and the unexpected nature of the email, which should also be seen as an alarm bell.
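The "look beyond the display name" check can be automated as a simple filter. The following is an added example, not code from the original post: it separates the display name from the real sender address and flags a message when a known colleague's name arrives from an address other than the one in the staff directory, or when the display name is itself an email address that differs from the real one. The staff directory, the domain school.example and the sample message are all constructed for this example.

```python
"""Added example (not from the original post): separate the display name
from the actual sender address and flag messages where a known colleague's
name is attached to an address that does not belong to that colleague.

The staff directory, the domain 'school.example' and the sample message
below are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed staff directory: display name -> the address that name should use.
STAFF = {
    "Jane Smith": "jsmith@school.example",
    "Gary Henderson": "ghenderson@school.example",
}


def normalise(name: str) -> str:
    """Lower-case and collapse whitespace so 'jane  SMITH' matches 'Jane Smith'."""
    return " ".join(name.lower().split())


def check_sender(from_header: str) -> dict:
    """Split a From: header into display name and real address and return
    what a user should look at, plus a list of warnings (empty if nothing
    looks wrong)."""
    display, address = parseaddr(from_header)
    address = address.lower()
    warnings = []

    if "@" not in address:
        warnings.append("no usable sender address in From: header")
        return {"display": display, "address": address, "warnings": warnings}

    # Trick 1: the display name is itself an email address, but not the real one.
    if "@" in display and display.lower() != address:
        warnings.append(
            f"display name looks like an address ({display}) "
            f"but the message really came from {address}")

    # Trick 2: a known colleague's name on an address that is not theirs
    # (external webmail, a lookalike domain, or a different local part).
    known = {normalise(n): a for n, a in STAFF.items()}
    key = normalise(display)
    if key in known and address != known[key]:
        warnings.append(
            f"display name '{display}' belongs to {known[key]} "
            f"but the message came from {address}")

    return {"display": display, "address": address, "warnings": warnings}


def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and run check_sender on its From: header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return check_sender(str(msg["From"] or ""))


# Constructed sample: a short "are you free?" message using a colleague's
# name over a consumer webmail address.
SAMPLE = b"""From: "Jane Smith" <jane.smith.head@gmail.example>
To: staff@school.example
Subject: Are you available?

Are you free? I need a quick favour.
"""

if __name__ == "__main__":
    result = check_message(SAMPLE)
    print(f"display name: {result['display']!r}")
    print(f"real address: {result['address']}")
    for w in result["warnings"]:
        print("WARNING:", w)
```

The display name is the only part most mail clients show by default, which is exactly why this check has to be done on the address. The directory lookup is deliberately exact: a colleague mailing from a personal account is flagged too, and that is the right default for a school, since the user can verify the request by another channel.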

Looking back, it appears to me that phishing emails evolved from basic emails into more complex and convincing branded constructions. They are now, however, "de-evolving" back to simplicity, taking advantage of psychology and of the ever busier worlds we live in; in education, given the pandemic, I don't believe things have ever been busier.

I also think it is important to acknowledge that the first sentence of this post, regarding cyber criminals "adjusting their approaches" and seeking to "achieve better outcomes", would be at home in an email or document from a corporation or other organisation seeking to improve its success. Cyber criminals are behaving in an almost business-like manner, and given this we can only expect their approaches to continually change and adjust as technology, user awareness and user training develop. For the foreseeable future I suspect we will be continually engaged in a game of phishing "whack-a-mole".

So, what do we do about this?

I continue to believe that user awareness is the key. The more aware and vigilant users are, the better. Additionally, users need to be clear on how to report concerns or incidents, and the culture needs to be such that users feel safe in reporting when they get it wrong. My view is that we are all likely to get it wrong at some point, if we haven't already!

Cyber security and data protection awareness can't be seen as a static programme, a set training package or a yearly training session. It is dynamic, ever changing and ongoing, in much the same way the attacks are; we need to see it this way and deal with it using a similarly dynamic and constantly evolving approach.

Author: Gary Henderson

Gary Henderson is currently the Director of IT in an independent school in the UK. Prior to this he worked as the Head of Learning Technologies, working with public and private schools across the Middle East. This includes leading the planning and development of IT within a number of new schools opening in the UAE. As a trained teacher with over 15 years working in education, his experience includes UK state secondary schools, further education and higher education, as well as experience of various international schools teaching various curricula. This has led him to present at a number of educational conferences in the UK and Middle East.