6min. read

There are many reasons for a successful cybersecurity attack. For example, there could be a misconfiguration in the cloud or an unpatched system. However, the most common and potent source of attack today is social engineering, typically phishing.

Phishing attacks account for more than 80% of reported security incidents, according to CSO, with more than 90% of malware delivered via email. These attacks are popular methods because they are low cost, low risk for hackers and have relatively high success rates.

Unfortunately, the shift to cloud and work-from-home environment caused by COVID-19 has created a dramatic increase in phishing and other social engineering attacks. According to research by Unit 42, early in the pandemic there was a 569% increase in the growth of malicious registrations, including malware and phishing.

Security awareness is usually the first tool cybersecurity teams reach for in our mitigation toolbox. This is a natural instinct and certainly of great value, depending on how well it is supported and deployed. However, how do you predict the themes and language of social engineering campaigns? What will be the best lure? What will cause the lure to change?

Just as fishing in the physical world requires different lures, depending on what type of fish is sought, the same is true in the virtual world of phishing. In fact, the analogy goes quite deep between catching fish and tracking the exploits of those who phish for profit or malice. I know this first-hand, not just as a cybersecurity professional, but as a person who grew up fishing on lakes and streams.

Fishing and Phishing

When I was a child, my grandfather loved to fish. I worshipped my grandfather, so I would eagerly join him on day-long fishing trips. My grandmother would pack lunches and drinks and my grandfather would equip the boat.

One of the most curious items on the boat was the tackle box. It wasn’t until years later that I understood that the curiosities that caught my eye were lures—and why there were so many. I was simply told different lures were used to catch different fish. I heard words like plugs, jigs, spinnerbait, and something called a spoon. I had no idea when to use what lure. However, as I got older, I got to understand that the best lure depended on what attracted the targeted prey.

Now, as I am much older and in the cybersecurity world, those experiences with my grandfather make more sense. We have changed the spelling to “phishing,” knowing the best lure is social engineering, and the prey is, well . . . us.

So how can we use this knowledge to predict the next lure used by the virtual phisher?

Reading Cues, Finding Clues

To start, look at the calendar and watch, read or listen to the news. Talk to people about their concerns. It doesn’t matter whether you want to call it real or fake news. A lure in the world of fishing is fake but it has caught many a prey. The threat intelligence source for predicting the next lure is what is happening in the real world. We in the cyber security world have to be in tune with what is in the log-files-produced human interaction.

The easiest prediction model is the calendar. For example, you always have to be careful around the holidays. There will likely be emails floating about with enticing subject lines such as “free,” “discount coupons,” “last chance,” etc.

Next is the news cycle. This is a bit more intel to sift through but think of the days when we used to have current events in school. Use that same old tactic to pick the top stories and predict what is or will be the next lure.

Here are some examples. When there is a natural disaster: Be ready for appeals to the heart with pictures to prove the dire plight of others. A health crisis: How many people have fallen for COVID-19 lures—vaccines, false info maps, fake testing kits, falsely (and potentially) dangerous personal protection equipment? Elections: Be ready for the echo chamber emails that promise your donation of $25 dollars will help a cause.

Don’t Get Hooked by the Phishermen

Digital transformation has been a great accelerant of phishing, creating fresh waters for phishermen. As organizations increase the use of technology—whether in the cloud or in a hybrid solution—the threat landscape becomes more challenging. Often the transformation is done with little security in mind. The myth that cloud-based systems are safe harbors only adds to the successful phishing attack.

Fake login pages are the new norm of capturing user credentials. Phishermen are using the same “link in the email” to get access, but they have gotten creative in developing login pages with the proper logos and even similar domain names. With the rapid adoption of software as a service (SaaS), users are unsure if they have to login or not.

The confusion of something new, coupled with a lack of training, makes it easier to snatch usernames and passwords. What makes the situation worse is those credentials give attackers access to all the resources in the cloud. With their foot in the door, attackers can use the SaaS program to lure more users in the organization with the eventual result of catching a whale, i.e., someone with global administrative rights.

The phishermen are creative and relentless. If you haven’t already, implement some best practices to avoid becoming the catch of the day:

  • Be wary of emails that ask for your username or password. Credentials theft is on the rise especially as people are working from home. If in doubt, always call your help desk.
  • Never open a file that is attached to an email if there is the slightest doubt of its origin. If you are not expecting an email with an attachment, call the person or send a fresh email to confirm the sender and the intent of the attachment. Never just reply to an email for confirmation.
  • If you are asked for money to give to a charity, stop and confirm the source or, even better, go to the actual site of the charity by typing in the address of the website.
  • Educate users as you move into the cloud.
  • Use the security features of single sign-on solutions and multi-factor authentication.

Always remember that you are in control. You are smarter than a fish and smarter than today’s phishermen. You don’t have to bite at the lures.


Kevin O’Malley is part of Plex Cyber and the Chief Information Security Officer of Lee County, Florida.