By John E. Dunn

Forget vanilla phishing attacks – cybercriminals today have much more interesting tricks up their sleeves.

MFA Fatigue Attacks 

When push notification via smartphone first appeared, it looked as if the industry had finally found a type of MFA that was both easy to use while being more secure than rivals such as SMS one-time passwords (OTPs). Recently, attackers have dented this reputation with a series of simple MFA fatigue attacks. After using stolen credentials, these bombard users with repeat push notifications in the hope a few will agree to make the barrage stop. Several large companies have been successfully targeted this way.  The mitigation is a combination of education – few users have even heard of MFA fatigue attacks – rate limiting push requests and paying attention when they are declined (a denied push could indicate compromised credentials after all). 

SMS ‘Emergency’ Text Scams 

“Dear mum, I’ve had an accident and need you to send me money please.”  Anyone who is a parent to adult children would find this sort of SMS or WhatsApp message hard to ignore. Attackers know this, which is why it’s becoming an increasingly common social engineering scam. How can attackers overcome suspicion that the message is from an unknown phone number? Simple: “My phone broke so you have to use my new number from now on.” It might not be the perfect impersonation scam, but it doesn’t mean it isn’t highly effective.  

Fake Data Leaks 

Data breaches are bad news, but sometimes completely invented ones can be almost as dangerous.  The technique is ingenious: pick a well-known company that has suffered a data breach in the past and post entirely fictitious reports that they have been breached again. These are picked up by Google Alerts and sent to users by the million, enticing them to visit malware-infested directories on legitimate but hacked websites. A variation on the theme are free prize giveaways. The social engineering here is the user’s blind trust in Google Alerts.  

‘Callback’ Phishing 

The success of mass phishing attacks shouldn’t blind us to the success of other innovations. Callback phishing is one example that is back in fashion. The user receives a personalized email from a known but spoofed contact asking them to call a number to confirm a pending subscription or bill payment. Anyone who is fooled and decides to call is manipulated into giving up account information to execute financial fraud. Alternatively, some ransomware groups have used the technique to persuade people to install their malware. The clever part is that using a phone call is a simple way to bypass software defenses.

Deepfake Phishing 

One for the future perhaps but not that far in the future. In this proposed attack, users would be socially engineered into doing something they would later regret by convincing images or voice notes from their loved ones (culled from social media and processed through an AI engine), work colleagues or even CEOs. An outgrowth of disinformation, this technique has been compared to ‘truth decay’, the sense that anything can be made to appear ‘real’. “While companies are scrambling to defend against ransomware attacks, they are doing nothing to prepare for an imminent onslaught of synthetic media,” said Gartner’s Darin Stewart in 2021. Inevitably, these techniques will be commoditized at which point they will become an everyday hazard.