Phishing: An Evolving Threat

You've probably heard of phishing before, maybe attended training on it, and likely received phishing messages yourself, but Cybersecurity Awareness Month is a great time to refresh your knowledge and remind yourself that phishing, like most digital risks out there, is becoming increasingly sophisticated and isn't going away anytime soon. Let’s take a look at what phishing is, how hackers are now leveraging AI to make their phishing attacks more sophisticated, and best practices that you can follow to help you stay safe.
An Increasingly Sophisticated Threat
Phishing is one of the top digital security threats faced by many civil society organizations, and, unfortunately, it is becoming more complex and difficult to identify. Phishing takes place when a hacker reaches out, whether via email, social media message, messaging app, or other means such as a phone call, and tries to get you to click on a malicious internet link, download a malicious attachment, or provide sensitive information. As part of their attacks, hackers often create fake versions of real websites to convince users to enter their passwords or other sensitive information, which is then received directly by the hacker and used to hack into the victim’s account. Fake websites created by hackers conducting phishing campaigns now frequently ask not only for a user’s password, but also for their two-factor authentication code, in order to get around commonly used forms of two-factor authentication.
Recent developments in broadly available AI technologies have also increased the risk that phishing poses to organizations. AI chatbots make it easier than ever for hackers to send more phishing messages with more convincing text content. AI has also increased the risk of phishing over voice and even video call, as widely available AI voice and image technologies allow anyone to convincingly clone your voice or likeness based on short clips of audio or video. For example, one type of deepfake phishing attack that has resulted in losses to many organizations involves a hacker impersonating one of the leaders of your organization on a video call with perfectly cloned video and audio and asking an employee to transfer money to a hacker’s account.
What can you do to stay safe?
Luckily, there are some simple steps you can take to protect yourself against these newer and more sophisticated phishing attacks. If you’ve received phishing training in the past, many of the techniques you may have learned still apply: always scrutinize the content of messages and be cautious of urgent requests, offers that seem too good to be true, unfamiliar senders, and suspicious links. Hackers often disguise links in emails by embedding a hyperlink to a different website behind what appears to be a normal link. You can check the actual destination of these links by hovering over the link on a computer, or by long-pressing the link for several seconds on a mobile device. You should also avoid opening unexpected email attachments, since malware is often delivered this way. It’s also critical to turn on two-factor authentication (2FA) for your accounts, and never to share your 2FA code with untrusted sources or in response to unexpected or urgent requests, which may be phishing attempts. The best rule to remember is: if a message looks like phishing, avoid clicking on any links or downloading any attachments, and immediately report the message to your organization’s IT team.
What about deepfake phishing?
What if you receive a call from a relative in their voice asking for help, but the request doesn’t sound quite right? Or an urgent video message from your boss asking you to transfer money to an unknown account? In cases like these, paying attention to the content of the message is key, and instead of responding immediately, follow the time-tested tactics of reaching out to the person by another means of communication to check if it’s really them, or, if necessary, asking the person questions only they would know the answer to. Another option, if your organization is at particularly high risk for this type of attack, is to establish a shared password ahead of time. To do this, agree on a shared word or phrase that you can all remember easily (such as an inside joke, or an object or symbol that is well known inside your organization but not outside of it) that you will use to identify each other in case there is any doubt.
What if I’m still not sure?
What should you do if, after examining the message and thinking through all of the above, you still aren’t sure if the message is legitimate or phishing? If the message is instructing you to change your password, for example, the best thing to do is to avoid clicking any links. Instead, you can log into your account the way you normally would (e.g. by going to the website directly rather than via a link), and change your password from there. If the message appears to be from a colleague or friend, you can contact that person through a separate means of communication to confirm. When in doubt, treat the message as phishing, and ignore it, report it, or delete it.