Spear Phishing vs Phishing: Most Popular Scam Techniques

Explore the differences between phishing and spear phishing in this comprehensive guide and learn the basics of spear phishing prevention.

There are many common misconceptions about phishing, which can complicate threat identification.

In January, cybersecurity firm SlowMist warned the cryptocurrency community about scammers exploiting legitimate platforms such as WalletConnect, De.Fi, CoinTelegraph, and Token Terminal to distribute phishing emails to users. One of the malicious actors who have adopted this scheme had already stolen over $580,000. Unfortunately, these phishing attacks represent only a fraction of the incidents affecting the Web3 space every day. It is necessary to learn about the variations of phishing techniques to be able to protect yourself against phishing attempts.

Read also: CoinGecko Employee Falls Prey to Calendly Phishing Scam

How do spear phishing attacks differ from standard phishing attacks, and what are the distinctions between spear phishing and whaling? What helps protect against spear phishing?

Use this guide to distinguish between different forms of the most popular phishing scam methods and differentiate them from legitimate communication, ensuring your online security and safeguarding your assets.

What is phishing?

To understand the differences between regular phishing techniques and their more specific instances, it is useful to delve deeper into phishing itself.

The goal of phishing attacks

First and foremost, phishing is a form of cyber attack aimed at obtaining confidential information, which can then be used for various malicious purposes. In the cryptocurrency world, phishing attackers are particularly focused on gaining unauthorized access to accounts and wallets, thereby gaining the ability to steal funds.

Identity theft is also a common objective of phishing attacks in the Web3 space. One possible scenario involves gaining access to social media accounts of legitimate blockchain projects, which can then be used to spread malware and financially profit from their numerous followers.

While financial fraud may be less widespread in the cryptocurrency industry than elsewhere, it remains a common objective of phishing attacks.

Scam Sniffer January Phishing Report
Source: Scam Sniffer, X

How is phishing performed?

Fraudulent communication empowers many phishing attackers. To obtain sensitive information such as personal details, passwords, and credit card numbers, criminals must trick their potential victims, often by disguising themselves as a trustworthy entity.

This communication can take various forms, ranging from sending low-quality spam to large groups of potential victims to building relationships with individual targets.

Disguise is not the only means by which crooks execute phishing attacks. A sense of urgency is commonly implemented as well, causing recipients of phishing content to lower their vigilance and overlook red flags. Threatening subjects with immediate consequences, such as account suspension or loss of funds, is often used to heighten urgency.

Phishing tactics may also exploit the fear of missing out, particularly common in the Web3 space, where novel blockchain projects and cryptocurrency developments often promise significant returns on investment or free airdrops for participation.

Other forms of emotional manipulation, such as exploiting curiosity or sympathy, can also prompt swift responses.

The way phishing attacks are executed is one of the fundamental features used for distinguishing them from other types of attacks.

Other typical features of phishing

In addition to urgency and impersonation of reputable entities through email spoofing (using email addresses and domain names closely resembling those used by legitimate organizations), fake URLs, and websites, there are several other typical features of phishing attacks. Some of them include:

  • Generic greetings lacking personalization, such as a reference to the recipient by name;
  • Lack of clear contact information or fraudulent contact details in an email;
  • Unusual sender addresses resembling legitimate ones but not matching them.

Particularly important features of phishing include the means of obtaining sensitive information. This can involve direct requests for personal information or unsolicited attachments that initiate the installation of malicious software, often malware, on the victim's device.
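To make the "unusual sender addresses" red flag concrete, here is a small checker, added to this article as an illustration rather than taken from any product or from the sources the article cites. It compares the domain in a From: header against a constructed allowlist of domains you actually correspond with, folds digit-for-letter swaps and Unicode confusables, decodes punycode (xn--) labels so that the visual form is what gets compared, and catches the trick of hiding a trusted name inside a subdomain of an unrelated site. The trusted domains, the sample headers and the 0.85 similarity threshold are all assumptions chosen for the demonstration.

```python
"""Flag sender addresses that merely resemble trusted domains (added example, not from the article)."""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist: domains this recipient genuinely corresponds with.
TRUSTED_DOMAINS = ("walletconnect.com", "cointelegraph.com", "de.fi")

# Digit-for-letter swaps commonly seen in lookalike names (constructed, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

SIMILARITY_THRESHOLD = 0.85  # assumed cut-off; tune against your own mail flow


def fold_domain(domain: str) -> str:
    """Reduce a domain to a comparable ASCII form.

    NFKD decomposition strips accents (é -> e). Characters with no ASCII
    equivalent (e.g. Cyrillic 'а') are dropped, which still leaves a string
    close enough to the trusted name for the similarity check to catch.
    """
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    ascii_form = decomposed.encode("ascii", "ignore").decode("ascii")
    return ascii_form.translate(DIGIT_SWAPS)


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, reason) for the value of a From: header.

    Verdicts: 'trusted', 'lookalike', 'unknown', 'suspicious'.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parseable address in From header"
    domain = addr.rsplit("@", 1)[1].lower()

    # Punycode (xn--) labels are how Unicode domains travel on the wire;
    # decode them so the visual form is what gets compared.
    was_punycode = any(label.startswith("xn--") for label in domain.split("."))
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is

    if domain in TRUSTED_DOMAINS:
        return "trusted", domain

    folded = fold_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as the leading labels of an unrelated registrable domain.
        if domain.startswith(trusted + "."):
            return "lookalike", f"{domain} hides {trusted} in a subdomain of another site"
        if folded == trusted:
            return "lookalike", f"{domain} folds to {trusted}"
        ratio = SequenceMatcher(None, folded, trusted).ratio()
        if ratio >= SIMILARITY_THRESHOLD:
            tag = " (punycode)" if was_punycode else ""
            return "lookalike", f"{domain}{tag} resembles {trusted} (similarity {ratio:.2f})"
    return "unknown", domain


# Constructed sample headers for a quick demonstration.
SAMPLE_HEADERS = [
    "WalletConnect <support@walletconnect.com>",
    "WalletConnect Support <support@wa11etconnect.com>",
    "Security Team <alerts@walletconnect.com.verify-session.net>",
    "Cointelegraph <newsletter@cointelegraph.co>",
    "GitHub <notifications@github.com>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = classify_sender(header)
        print(f"{verdict:10} {reason}")
```

Very short trusted names (such as de.fi) leave little room for a similarity score, so a production version would add an explicit list of registered lookalikes and typosquats for such domains rather than rely on the ratio alone.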

Spear phishing vs phishing

Spear phishing is one of the most commonly used phishing techniques. Although it falls under the umbrella of phishing methods, its characteristics are in many respects the opposite of those of standard phishing.

How do spear phishing attacks differ from standard phishing attacks?

Spear phishing attacks and standard phishing have obvious differences in targets and methods.

Standard phishing attacks have a broad scope and an indiscriminate approach, aiming to trick as many victims as possible. For this reason, the content they involve is rather generic and suitable for different recipients. They attempt to reach out to as many individuals as they can through various communication channels.

On the contrary, spear phishing attacks are highly focused, usually targeting a specific organization or even a single person. Instead of casting a wide net, attackers invest in collecting as much information about their targets as possible to make the attack highly personalized and convincing.

In the cryptocurrency space, standard phishing attacks usually involve posing as well-known Web3 projects. Criminals running spear phishing attacks, by contrast, have to be more creative in choosing the right entity to impersonate, or even create a fake identity to build rapport with their victims. For that reason, spear phishing emails are much more difficult to detect than the emails used in a regular phishing attack.

Spear phishing vs whaling

Now that you understand the difference between phishing and spear phishing, let's explore how spear phishing and whaling differ from each other.

Whaling or whale phishing can be seen as a subcategory of phishing, while some experts may also consider it a form of spear phishing. Indeed, whaling, like spear phishing, is a personalized form of attack, but the level of personalization in this case is particularly high.

However, the level of personalization may not always be a safe criterion to compare spear phishing to whaling. What is more important is the target. In the whaling scenario, the target is a high-profile individual within an organization, such as a CEO.

With whaling, criminals often attempt to gain access to sensitive company information.

Read: Crypto Whale Loses Over $24 Million in a Phishing Scam

What makes spear phishing different from other email phishing schemes?

There are various types of phishing beyond spear phishing and whaling, each with its own distinct characteristics.

Spear phishing vs vishing

Vishing, or voice phishing, uses voice communication to deceive potential victims into revealing sensitive information. Whereas spear phishing and whaling are defined by the level of personalization and the number of targets, vishing is defined by its channel: it is a delivery method that can serve both spear phishing and whaling campaigns. Criminals may also combine vishing with email spoofing in their attacks.

For instance, a vishing group might call a large group of potential victims, posing as bank representatives to obtain the credentials needed for financial theft. Equally, a vishing attacker can target a single individual.

In the crypto space, vishing might not be the primary method for general phishing attacks, especially in airdrop scams or fake financial opportunities. However, malicious actors might make fake regulatory calls, pretending to be representatives from government bodies overseeing cryptocurrency activities. They may claim the victim’s account is under investigation and demand payments to resolve alleged issues or impersonate technical support employees of reputable Web3 platforms.

Smishing

Smishing involves using SMS to deceive recipients. These messages may contain malicious links or urge recipients to share personal information.

Pharming

Pharming attacks manipulate the domain name system (DNS), redirecting users of legitimate websites to fraudulent ones where they may unknowingly provide sensitive information.

Search engine phishing

Search engine phishing is a sophisticated approach where criminals optimize malicious websites for search engines to enhance their appearance of legitimacy. This tactic ensures that users searching for specific topics may easily encounter fraudulent websites.

Scam Sniffer January Phishing Report - attacks
Source: Scam Sniffer, X

Other types of threats commonly mistaken for regular phishing and spear phishing attacks

While phishing materials can be challenging to distinguish from legitimate content, other types of attacks and techniques are often confused with phishing.

For example, the term "spoofing" is frequently associated with phishing. Described by cybersecurity firm Kaspersky as "a broad term for behavior where a cybercriminal masquerades as a trusted entity or device to deceive you into doing something beneficial to the hacker — and detrimental to you," spoofing occurs "any time an online scammer disguises their identity as something else."

While many phishing attacks involve spoofing, not all spoofing attacks are phishing. An example could be a distributed denial-of-service (DDoS) attack initiated by IP spoofing, where the source IP address of malicious traffic is forged to appear as if it were coming from a legitimate source. Such attacks aim to overwhelm or disrupt a target’s network, without necessarily tricking users or obtaining their sensitive information.

Malware is also a common component of phishing, aiding attackers in stealing data. However, malware, short for malicious software, encompasses any kind of software with malicious intent beyond personal information theft. For instance, as explained by the cybersecurity firm Malwarebytes, malware can facilitate activities such as launching denial-of-service (DoS) attacks, unrelated to phishing.

Furthermore, malware, even if designed to steal credentials, may not always be distributed through direct interaction with potential victims, a typical characteristic of phishing. Exploiting vulnerabilities in web plugins and browsers is an additional means of malware distribution not typical for phishing attacks.

Finally, social engineering, defined by the online course platform Coursera as "a manipulation technique that deceives individuals or groups to exploit or gain unauthorized access to sensitive information or resources," is often associated with phishing but extends beyond it. For instance, the tech support scam involves convincing computer users of technical issues with their devices and then offering unnecessary services for payment.

Read also: Web3 Phishing Alert: New Trend of Trap Phishing

Phishing emails vs spam

The intrusiveness of unsolicited emails typical for phishing and spam makes these tactics quite similar. Furthermore, spam can also be incorporated into phishing; however, cybersecurity experts still differentiate these methods from each other.

As a rule, spam is used to aggressively promote services or products to a large audience. For this reason, such emails are often much less personalized than phishing emails. At the same time, spam does not always aim to steal sensitive data or spread malware, which is a defining component of phishing attacks.

Despite these distinctions, spam can be incorporated into less personalized, large-scale phishing campaigns.

Now that you have learned a lot about phishing and its types, it is useful to address common misconceptions related to these attacks, which will help you increase your resistance to phishing. Some of these beliefs may have been true for spear phishing campaigns and regular phishing attacks in the past, but they are no longer relevant to a modern phishing attack.

Phishing is dangerous only for inexperienced users

Underestimating the complexity of phishing attacks leaves many cryptocurrency users vulnerable, yet the belief is understandable: you will hardly meet a person who has never experienced a flood of low-quality spam, and it is easy to assume that all phishing looks like that.

Unfortunately, such phishing attempts are only a fraction of all types of attacks, which are constantly evolving.

For instance, SlashNext, a multi-channel security solution for communication apps, conducted a survey on phishing, which revealed that "95 percent of respondents underestimate how frequently phishing is used at the start of attacks to successfully breach enterprise networks," while as little as 5% of those surveyed were aware that over 90% of enterprise security breaches are initiated by phishing attacks.

While the survey by SlashNext was conducted in 2018, phishing attacks are still prevalent and evolving, posing persistent threats to individuals and organizations worldwide. For instance, a 345% increase in the number of unique phishing websites was reported between 2020 and 2021, while 36% of all US data breaches involve phishing.

It is critical to be aware of the scope of phishing attacks, which are often executed by very skilled malicious actors capable of fooling not only inexperienced cryptocurrency users but also tech-savvy users and even professional developers.

While personalized and effective communication used by spear phishing is particularly sophisticated and convincing, appealing to the emotions, needs, or interests of potential victims, spotting phishing websites can also be rather difficult as they can closely mimic legitimate ones, adopt HTTPS encryption to create an appearance of security, and use spoofed domain names, copied logos, and replicated layouts that closely resemble those of trusted websites.

January thefts conducted through phishing attacks across different chains
Source: Scam Sniffer, X

Phishing is a threat only to consumers

The example of the major phishing threat created by Lazarus Group, a cybercrime group linked to the North Korean government and currently regarded as one of the major threats in the crypto space, debunks the common myth about phishing being dangerous only for consumers.

The group is particularly known for its sophisticated phishing attacks, which also target professionals who work in financial systems and have undergone cybersecurity training. Thus, contrary to the myth, cryptocurrency projects and other businesses, organizations, and even government agencies can all fall prey to phishing attacks.

One notable attempt by the Lazarus Group was to steal $1 billion from the Bangladesh Bank by employing deceptive SWIFT messages directed at the Federal Reserve Bank of New York in 2016. Even though the transactions were eventually detected as malicious and intercepted while still in progress, the group managed to successfully transfer $81 million to accounts in the Philippines.

Emails remain a necessary component of phishing

While it may appear that most users, even those without a technical background or security training, have learned how to distinguish phishing emails from legitimate ones, emails remain one of the preferred channels of phishing attacks. However, the ratio of such emails to legitimate ones is not as large as it may appear.

"Phishing email statistics suggest that nearly 1.2% of all emails sent are malicious, which translates to 3.4 billion phishing emails daily," the team behind Astra, a pentest solution, reported in December, adding that statistically only one email in 4,200 emails was part of a phishing attack.

At the same time, criminals are actively exploring other channels such as phone calls, instant messages, and social media for conducting phishing attacks. The last of these is particularly popular for distributing malicious links.

Preventing phishing is easy

Underestimating phishing complexity has also led to the belief in its simple prevention. Unfortunately, the sophistication of phishing attacks requires a combination of preventative measures implemented on different levels of defense, ranging from the deployment of spam filters, firewalls, and antivirus software to education and raising user awareness.

What helps protect from spear phishing?

Urgency and threats, requests for personal information, unsolicited attachments, as well as unusual sender email addresses, generic greetings, poor grammar, and misspelled words are all common red flags of phishing. However, as you now know, spear phishing is much more sophisticated and a spear phishing email is unlikely to have the features of emails used in regular phishing scams. This means spear phishing prevention is not as obvious.

Even if you do not consider yourself an appealing target for a spear phishing email because you are neither an active user of Web3 platforms with significant cryptocurrency holdings nor a high-profile company representative, knowing how to prevent spear phishing is critical. Attackers can use a spear phishing attack on a relatively low-profile person in an organization to gain access to critical information, and you can easily become the entry point for a business email compromise.

As an employee or a cryptocurrency user, you should develop a habit of assessing emails for anything suspicious, avoiding opening attachments and clicking on links coming from unknown sources, and verifying any unusual requests before fulfilling them. This is a basic step required to prevent spear phishing attacks as it makes it less likely for you to download malware or malicious attachments which can help attackers to steal money or confidential information.

As an employer, you should organize security awareness training for your employees to educate them about following all the procedures mentioned above. It is also recommended to repeat security awareness training regularly to refresh the knowledge of your employees, as some habits not aligned with security measures may persist and resurface soon after training, while spear phishing scammers are continuously developing more sophisticated techniques that may be unknown to the employees.

In addition to employee training focused on regular phishing and spear phishing protection, there are numerous other methods for preventing spear phishing available to employers. Here are some of them:

1. MFA (Multi-Factor Authentication)

MFA helps to prevent spear phishing as it makes it more challenging for malicious actors to gain unauthorized access to systems even if login credentials have been leaked.

2. Data encryption

Encrypting sensitive data, as well as communication in a company, is a good practice that protects information even if it is accessed by criminals and decreases the chances of a business email compromise.

3. Regular software updates

Keeping company software up to date whenever developers release a new version ensures that known vulnerabilities, which attackers may exploit in targeted attacks, are patched promptly.

4. SPF and DMARC

SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help prevent email spoofing, thus preventing your organization from being impersonated by criminals in the first place.
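As an added illustration (not from the article or from any vendor), the following script evaluates the SPF and DMARC TXT records a domain publishes and reports the settings that leave it spoofable. The two zones are constructed: the "weak" one publishes SPF with ~all and DMARC with p=none, which only monitors and still lets forged mail through; the "hardened" one uses -all and p=reject with strict alignment. The domain names and the mail-provider include are placeholders, and the DNS lookup limit of ten is the one set by RFC 7208.

```python
"""Assess SPF and DMARC TXT records for anti-spoofing strength (added example, not from the article)."""
from typing import Dict, List, Optional

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms

# Constructed zones: what TXT lookups would return for a domain and its _dmarc label.
WEAK_ZONE = {
    "example-wallet.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example-wallet.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-wallet.test"],
}
HARDENED_ZONE = {
    "example-wallet.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example-wallet.test": [
        "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-wallet.test; pct=100"
    ],
}


def spf_findings(txt_records: List[str]) -> List[str]:
    """Return findings for the SPF record among a domain's TXT records (empty list = fine)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell authorized senders from forgers"]
    if len(spf) > 1:
        return ["multiple SPF records: invalid per RFC 7208, evaluates as permerror"]
    findings: List[str] = []
    lookups = 0
    all_qualifier: Optional[str] = None
    for term in spf[0].split()[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            lookups += 1  # redirect= also costs a DNS query
            continue
        qualifier = "+"  # absent qualifier means pass
        if lowered[0] in "+-~?":
            qualifier, lowered = lowered[0], lowered[1:]
        mechanism = lowered.split(":", 1)[0].split("/", 1)[0]
        if mechanism in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of {MAX_SPF_LOOKUPS}: evaluates as permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' lets any host pass SPF")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: forged mail is only marked, not rejected, unless DMARC enforces")
    return findings


def parse_dmarc(txt_records: List[str]) -> Optional[Dict[str, str]]:
    """Split a DMARC record into its tag=value pairs, or None if absent."""
    for record in txt_records:
        if record.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def dmarc_findings(txt_records: List[str]) -> List[str]:
    """Return findings for the DMARC record (empty list = enforced with reporting)."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return ["no DMARC record: SPF/DKIM results are never enforced against the From: domain"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: forged mail is diverted to spam rather than rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag p={policy!r}")
    try:
        pct = int(tags.get("pct", "100"))  # default per the DMARC spec is 100
    except ValueError:
        pct, _ = 100, findings.append("pct is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: you receive no aggregate reports about who sends as you")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        findings.append("relaxed alignment: any subdomain of the organization satisfies alignment (informational)")
    return findings


def assess_zone(zone: Dict[str, List[str]], domain: str) -> Dict:
    """Combine both checks; 'enforced' means receivers are told to act on failures."""
    dmarc_records = zone.get("_dmarc." + domain, [])
    tags = parse_dmarc(dmarc_records)
    enforced = tags is not None and tags.get("p", "").lower() in ("quarantine", "reject")
    return {"spf": spf_findings(zone.get(domain, [])),
            "dmarc": dmarc_findings(dmarc_records),
            "enforced": enforced}


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, assess_zone(zone, "example-wallet.test"))
```

Both records are only as good as the receiving side's enforcement, so the usual rollout is p=none with rua reporting first, then p=quarantine, then p=reject once the aggregate reports show all legitimate mail streams aligning.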

5. Incident response plan

An incident response plan outlines the steps that should be taken if the organization becomes a victim of spear phishing or if it is impersonated by criminals to carry out spear phishing against others. Having it ready saves valuable time and provides structured, well-thought-out actions at a moment when the organization would otherwise be overwhelmed.

Why are spam filters less likely to stop a spear phishing attack?

As mentioned earlier, less personalized phishing campaigns can rely on spam, which may confuse many users into falsely believing that spam filters can help prevent spear phishing attacks as well as regular phishing.

Generalized phishing emails sent to a large number of users can indeed be identified by spam filters, which can prove effective in stopping such attacks. However, this approach does not work in the case of spear phishing emails. As explained above, such a spear phishing attack is tailored to a specific potential victim, and the spear phishing emails this recipient receives include personal details and take into consideration their preferences and interests. Such a level of personalization can confuse spam filters, making emails appear more credible and relevant.

The mechanisms behind spam filters, which rely on sender reputation, keywords, and frequency of emailing, often fail to distinguish between a malicious message and a legitimate one. This task is made even more challenging if an attacker uses dynamic URLs or email spoofing. For that reason, it is not recommended to rely solely on spam filters for effective prevention of a spear phishing attack.
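The following added example (my own illustration, not code from the article) shows the gap described above. Two constructed messages are run through a keyword-and-reputation score of the kind a basic spam filter uses, and through a set of header checks: a Reply-To domain that differs from the From domain, and SPF, DKIM or DMARC failures that the receiving server recorded in Authentication-Results. The generic mail is caught by the keyword score alone; the personalized one scores zero there and is caught only by the header checks. The phrase list, the reputation list, the threshold and both messages are assumptions.

```python
"""Why content filters miss spear phishing while header checks still catch it (added example, not from the article)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List

# Constructed phrase list of the kind a keyword-based spam filter scores on.
TRIGGER_PHRASES = ("urgent", "suspended", "verify your account", "click here", "confirm your password")
# Constructed sender-reputation list (domains previously seen sending bulk mail).
LOW_REPUTATION_DOMAINS = {"bulk-mailer.test"}
SPAM_THRESHOLD = 3  # assumed score at which the filter diverts a message
# Authentication-Results outcomes that indicate the sender failed verification.
FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}

# Constructed generic phishing mail: mass-mailed, keyword-heavy, low-reputation sender.
GENERIC_PHISH = """\
From: "Wallet Support" <support@bulk-mailer.test>
To: user@wallet-startup.test
Subject: URGENT: Your account will be suspended
Authentication-Results: mx.wallet-startup.test; spf=pass smtp.mailfrom=bulk-mailer.test; dkim=none; dmarc=none header.from=bulk-mailer.test

Dear user,

Your wallet has been flagged. Verify your account now or your funds will be locked. Click here to confirm your password.
"""

# Constructed spear phishing mail: personalized, no trigger words, but the headers do not add up.
SPEAR_PHISH = """\
From: "Maria Lopez" <maria.lopez@partner-fund.test>
Reply-To: maria.lopez@partner-fund-secure.test
To: jonas@wallet-startup.test
Subject: Re: term sheet for the Series A (follow-up from Thursday's call)
Authentication-Results: mx.wallet-startup.test; spf=softfail smtp.mailfrom=partner-fund.test; dkim=none; dmarc=fail header.from=partner-fund.test

Hi Jonas,

Thanks again for walking me through the custody architecture on Thursday. I've attached the revised term sheet we discussed; could you take a look before our sync on Monday?

Best,
Maria
"""


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg: EmailMessage, header: str = "From") -> str:
    """Domain part of the address in the given header, or '' if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def keyword_score(msg: EmailMessage) -> int:
    """Content-based score: trigger phrases in subject and body plus sender reputation."""
    text = (msg.get("Subject", "") + "\n" + msg.get_content()).lower()
    score = sum(text.count(phrase) for phrase in TRIGGER_PHRASES)
    if sender_domain(msg) in LOW_REPUTATION_DOMAINS:
        score += 3
    return score


def header_findings(msg: EmailMessage) -> List[str]:
    """Header-based checks that do not depend on the wording of the message."""
    findings: List[str] = []
    from_domain = sender_domain(msg)
    reply_domain = sender_domain(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    auth_results = msg.get("Authentication-Results", "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_results, flags=re.I):
        if result.lower() in FAILING_RESULTS:
            findings.append(f"{method.lower()}={result.lower()} recorded by the receiving server")
    return findings


def triage(raw: str) -> Dict:
    """Run both layers and say whether either one would hold the message for review."""
    msg = parse_message(raw)
    score = keyword_score(msg)
    findings = header_findings(msg)
    blocked_by_content = score >= SPAM_THRESHOLD
    return {"keyword_score": score,
            "content_filter_blocks": blocked_by_content,
            "header_findings": findings,
            "needs_review": blocked_by_content or bool(findings)}


if __name__ == "__main__":
    for name, raw in (("generic", GENERIC_PHISH), ("spear", SPEAR_PHISH)):
        print(name, triage(raw))
```

The header checks depend on the receiving server actually verifying SPF, DKIM and DMARC and stamping the result, which is why the SPF/DMARC records discussed earlier matter on the receiving side as well as the sending side.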

The recent state of phishing in the Web3 space

Implementation of standard phishing and spear phishing prevention techniques may seem daunting, but it is worth the effort. In January alone, phishing scammers managed to steal over $55 million from 40,700 victims across EVM chains, according to a recent report from Scam Sniffer, the Web3 anti-scam solution. The top seven victims lost $17 million.

"Scammers created more than 11,000 phishing sites, impersonating projects such as Manta Network, Frame, SatoshiVM, AltLayer, Dymension, zkSync, Pyth, Opensea, Optimism, Blast, and others," stated Scam Sniffer on X, adding that phishing attacks surged during events related to popular Web3 projects and airdrops. Most of the thefts occurred after victims signed ERC20 Permit messages or increaseAllowance transactions, handing token allowances to the attackers.
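Because these thefts hinge on what the victim signs, a wallet or browser extension can review a Permit message or an allowance transaction before the user confirms it. The following example is added here as an illustration and is not Scam Sniffer's code or any wallet's. It checks an EIP-712 Permit (the EIP-2612 fields owner, spender, value, nonce and deadline) for an unlimited value, an unfamiliar spender, a distant deadline and an owner that does not match the connected wallet, and it decodes approve/increaseAllowance calldata using the standard 4-byte selectors for those signatures. The allowlist of known spenders, the thresholds and all addresses are constructed.

```python
"""Pre-signature review of ERC-20 Permit messages and allowance calldata (added example, not from the article)."""
import time
from typing import Dict, List, Optional

UINT256_MAX = 2**256 - 1
# 4-byte selectors: first four bytes of keccak256 of the canonical function signature.
SELECTORS = {"095ea7b3": "approve(address,uint256)",
             "39509351": "increaseAllowance(address,uint256)"}
# Constructed allowlist: contracts the user has knowingly approved before (a router, a vault, ...).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}
MAX_DEADLINE_SECONDS = 30 * 24 * 3600  # assumed: permits valid longer than a month are unusual
LARGE_VALUE = 10**24  # assumed threshold: 1,000,000 tokens at 18 decimals

WALLET = "0x" + "a" * 40  # constructed address of the connected wallet

# Constructed EIP-712 payload of the kind a phishing site asks the wallet to sign.
SAMPLE_PERMIT = {
    "types": {
        "EIP712Domain": [{"name": "name", "type": "string"}, {"name": "version", "type": "string"},
                         {"name": "chainId", "type": "uint256"}, {"name": "verifyingContract", "type": "address"}],
        "Permit": [{"name": "owner", "type": "address"}, {"name": "spender", "type": "address"},
                   {"name": "value", "type": "uint256"}, {"name": "nonce", "type": "uint256"},
                   {"name": "deadline", "type": "uint256"}],
    },
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1, "verifyingContract": "0x" + "2" * 40},
    "message": {"owner": WALLET, "spender": "0x" + "b" * 40, "value": str(UINT256_MAX),
                "nonce": "0", "deadline": str(2**48)},
}

# Constructed calldata: increaseAllowance(0xbbb..., 2**256-1).
SAMPLE_INCREASE_ALLOWANCE = "0x39509351" + "0" * 24 + "b" * 40 + "f" * 64


def review_permit(typed_data: Dict, wallet: str, now: Optional[int] = None) -> List[str]:
    """Return warnings a wallet should show before signing this typed-data message."""
    if typed_data.get("primaryType") != "Permit":
        return [f"not a Permit message (primaryType={typed_data.get('primaryType')!r})"]
    msg = typed_data.get("message", {})
    domain = typed_data.get("domain", {})
    now = int(time.time()) if now is None else now
    spender = msg.get("spender", "").lower()
    value = int(msg.get("value", 0))
    deadline = int(msg.get("deadline", 0))
    warnings: List[str] = []
    if msg.get("owner", "").lower() != wallet.lower():
        warnings.append("owner field does not match the connected wallet")
    if spender not in KNOWN_SPENDERS:
        warnings.append(f"spender {spender} is not a contract you have approved before")
    if value == UINT256_MAX:
        warnings.append("value is unlimited: the spender could move the entire balance, now or later")
    elif value >= LARGE_VALUE:
        warnings.append(f"value {value} exceeds the large-approval threshold")
    if deadline - now > MAX_DEADLINE_SECONDS:
        warnings.append("deadline is more than 30 days away")
    if not domain.get("verifyingContract"):
        warnings.append("no verifyingContract in domain: cannot tell which token this permit applies to")
    return warnings


def decode_allowance_call(data: str) -> Dict:
    """Decode approve/increaseAllowance calldata: selector, then two 32-byte ABI words."""
    hexdata = data[2:] if data.startswith("0x") else data
    selector, args = hexdata[:8].lower(), hexdata[8:]
    if selector not in SELECTORS or len(args) != 128:
        return {"function": None}
    return {"function": SELECTORS[selector],
            "spender": "0x" + args[24:64],      # address is the low 20 bytes of the first word
            "amount": int(args[64:128], 16)}     # uint256 is the second word


def review_allowance_call(data: str) -> List[str]:
    """Warnings for a transaction that changes a token allowance; empty if it is not one."""
    decoded = decode_allowance_call(data)
    if decoded["function"] is None:
        return []
    warnings: List[str] = []
    if decoded["spender"].lower() not in KNOWN_SPENDERS:
        warnings.append(f"{decoded['function']} grants allowance to unfamiliar spender {decoded['spender']}")
    if decoded["amount"] == UINT256_MAX:
        warnings.append("allowance is unlimited")
    elif decoded["amount"] >= LARGE_VALUE:
        warnings.append(f"allowance {decoded['amount']} exceeds the large-approval threshold")
    return warnings


if __name__ == "__main__":
    print(review_permit(SAMPLE_PERMIT, WALLET))
    print(review_allowance_call(SAMPLE_INCREASE_ALLOWANCE))
```

Allowances granted this way persist until revoked, so the same review logic is worth running periodically over a wallet's existing approvals, not only at signing time.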

"Most victims were lured into phishing websites through comments on impersonated Twitter accounts," Scam Sniffer explained. The Ethereum mainnet, Arbitrum, BNB, Optimism, and Polygon witnessed the majority of thefts.

Phishing vs spear phishing: bottom line

Spear phishing, one of the subcategories of phishing attacks, poses a significant threat due to its personalized nature and ability to bypass traditional spam filters. Unlike standard phishing attacks, which rely on generic content and mass distribution, spear phishing attacks are tailored to specific individuals or organizations, making them more difficult to detect and defend against.

Furthermore, identifying phishing becomes even more challenging for potential victims because of common misconceptions about this type of cyber attack, such as underestimating its complexity and relying too heavily on spam filters.

To effectively combat phishing and spear phishing, it is essential to understand the differences between these two types of cyber threats and other techniques widely adopted by crypto crooks.