Types of Phishing Attacks 2
These more traditional types go back to the beginnings of phishing, which started in 1996, when the
aim was to obtain login credentials or free AOL discs. At that time, hacked accounts were used to pose
as internet service providers so that users with paid accounts would hand over their login credentials
(Shears, 2010). Over time, this early form of phishing grew into a much more powerful and damaging
practice than it started out to be. Two subtypes stand out and are discussed below:
a) Email Spoofing
Early phishing attempts frequently employed email spoofing, where attackers would forge email
headers to impersonate reputable entities. As Shears (2010: 200) notes, "the primary goal was to lull
the recipient into a false sense of security, enticing them to share sensitive information." Thus, these
spoofed emails were often disguised as communications from banks or other financial institutions,
urging recipients to update their personal data. The simplicity of these attacks allowed for
widespread deployment, casting a wide net to trap unsuspecting individuals.
Despite its crude nature, email spoofing proved significantly effective during the early days of
Internet use, primarily "due to a lack of public awareness and basic email verification mechanisms"
(Shears, 2010: 200).
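The "basic email verification mechanisms" that were missing in the early days are today the SPF, DKIM and DMARC verdicts a receiving mail server records in the Authentication-Results header, together with the simple check that the envelope sender (Return-Path) and the visible From domain agree. The following Python script is an added example, not code from the original text or its cited sources; the two messages, the bank domain examplebank.com and the receiving server mx.example.org are constructed for illustration.

```python
"""Flag a spoofed From header by checking sender alignment and the
Authentication-Results header that a receiving mail server stamps on a message.
Added example for this section; the messages below are constructed samples,
not real phishing emails."""
import email
import re
from email.utils import parseaddr

# Constructed sample: display name and From domain claim a bank, but the
# envelope sender (Return-Path) and the authentication verdicts disagree.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=examplebank.com
From: Example Bank Security <alerts@examplebank.com>
To: customer@example.org
Subject: Update your account details

Please confirm your login details at the link below.
"""

# Constructed sample of a message whose headers and verdicts line up.
LEGIT_MESSAGE = """\
Return-Path: <alerts@examplebank.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass header.from=examplebank.com
From: Example Bank <alerts@examplebank.com>
To: customer@example.org
Subject: Your monthly statement

Your statement is available in online banking.
"""

# Matches the method=verdict pairs in an Authentication-Results header.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def domain_of(address_header):
    """Return the lower-cased domain of an address header such as From."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {method: verdict.lower() for method, verdict in AUTH_RESULT.findall(header)}


def spoofing_indicators(raw):
    """Return the list of reasons a message looks spoofed (empty if none)."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    results = auth_results(msg)
    reasons = []
    if return_path_domain and return_path_domain != from_domain:
        reasons.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            reasons.append(f"{method} verdict is {verdict}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        reasons = spoofing_indicators(raw)
        print(label, "->", "OK" if not reasons else "; ".join(reasons))
```

The script trusts the Authentication-Results header only because it is assumed to have been added by the organisation's own inbound server; in a real deployment the server strips any copy of that header that arrives from outside before stamping its own, otherwise an attacker could forge a passing verdict along with the From line.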
b) Generic Requests
With the spread of phishing attempts, generic requests for personal or financial information
became an all-too-common tactic. These emails were often riddled with spelling and grammatical
errors, as well as a noticeable lack of personalization, making them easier for the wary user to
identify.
Still, by disseminating a large volume of deceptive emails, phishers counted on a small proportion
of recipients (a small proportion, though not necessarily a small number) falling for the scam and
providing the requested information (Aleroud & Zhou, 2017). However, "as security systems
advanced and public awareness increased, the success rate of these basic phishing attempts
decreased quite a bit more" (Aleroud & Zhou, 2017: 181).
The new era of phishing is characterized by the introduction of more innovative methods such as
smishing (based on SMS text messages) and vishing (based on phone calls). In addition, spear
phishing has also emerged, which is based on the vast amount of information available in different
public areas of the web, especially social networks.
a) Spear Phishing
In cybersecurity, SMiShing and Vishing are social engineering techniques that seek to trick
people into revealing sensitive information such as passwords, credit card numbers or personal data.
Despite being long-known scams, they remain a persistent threat in the cybercrime landscape
(Mishra & Soni, 2023).
The low cost of implementing these attacks is a key factor contributing to their prevalence.
The low barrier to entry allows even novice criminals to launch attacks with relative ease, extending
the reach of these malicious practices. In addition, the automation of attack processes has greatly
simplified the execution of phishing campaigns, requiring little technical knowledge on the part of
the attackers.
It is also important to note that despite evolving security measures and public awareness, SMiShing
and Vishing remain effective, especially when targeting mobile devices and people less familiar with
cyber threats. Fraudsters employ a variety of strategies to trick users, either through fraudulent
phone calls or deceptive text messages, with the ultimate goal of fraudulently obtaining confidential
information.
Phishing is not limited to email; on the contrary, SMiShing and Vishing have gained a
significant presence with the widespread adoption of mobile devices. For clarity, each modality is
described separately below.
b.1) SMiShing
SMiShing is a variant of phishing that employs short messaging services or text messages on mobile
devices and smartphones (Jain & Gupta, 2019). The term SMiShing is derived from Short Message
Service (SMS) technology. To implement it successfully, SMiShing scammers mainly resort to two
methods:
• The victim receives a text message appearing to be from a trusted source, such as a
bank or system administrator.
• The victim receives a critical text message regarding identity theft or account
freezing, prompting them to visit a website or call a provided number for
verification.
In both scenarios, the goal is to deceive the victim into divulging sensitive information, which can
lead to unauthorized access to accounts or the installation of malware on the victim's device. This
malware can then grant scammers access to various aspects of the victim's phone, including
contacts, messages, and applications, potentially allowing them to take control of the device.
IRS scams often peak in popularity from January to April each year. An example occurred during the
COVID pandemic relief checks distribution, offering $1200. Other IRS scams involve threats of audits,
unclaimed refunds, back taxes, or issues with refunds. The mention of 'IRS' typically grabs attention,
and the promise of $1200 may tempt individuals to click links. If you receive any communication
regarding the IRS, it's advisable to visit the official IRS website for information. Avoid clicking on any
links in the messages, even if they seem to lead to a legitimate IRS website.
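The advice above (only trust the official IRS site, distrust any link in the message) can be turned into a triage rule: extract the links from a text message, reduce each to its registrable domain, and compare it with the domain the organisation named in the message actually uses. The Python script below is an added example, not part of the original text; irs.gov is the real IRS domain, while "Example Bank", examplebank.com and the two sample messages are constructed for illustration.

```python
"""Triage SMS text for SMiShing indicators: links whose domain is not the
official domain of the organisation the message claims to be from, combined
with the urgency cues described above. Added example; the sample messages
and the bank entry are constructed."""
import re
from urllib.parse import urlparse

# Organisation names as they appear in message text, mapped to the domains the
# organisation actually uses. irs.gov is real; the bank entry is a placeholder.
OFFICIAL_DOMAINS = {
    "irs": {"irs.gov"},
    "example bank": {"examplebank.com"},
}

# Phrases that pressure the recipient into acting before thinking.
URGENCY_CUES = ("suspended", "frozen", "verify", "immediately", "locked", "act now")

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")

# Constructed samples.
SMISH = "IRS: Your $1200 relief payment is ready. Claim it immediately at http://irs-gov-refund.example.com/claim"
OFFICIAL = "IRS: Check the status of your return at https://www.irs.gov/refunds"
NO_LINK = "Example Bank: your statement is ready in the app."


def registrable_domain(url):
    """Return the host's last two labels. This is a simplification: correct
    handling of suffixes such as co.uk requires the Public Suffix List."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def claimed_organisation(text):
    """Return the first known organisation named in the text, matched on word
    boundaries so that 'irs' does not match inside words like 'first'."""
    lowered = text.lower()
    for org in OFFICIAL_DOMAINS:
        if re.search(r"\b" + re.escape(org) + r"\b", lowered):
            return org
    return None


def triage_sms(text):
    """Return the organisation invoked, the link domains found, and a list of
    SMiShing indicators (empty when nothing looks wrong)."""
    lowered = text.lower()
    claimed = claimed_organisation(text)
    links = [registrable_domain(u.rstrip(".,)")) for u in URL_RE.findall(text)]
    indicators = []
    if claimed:
        for dom in links:
            if dom not in OFFICIAL_DOMAINS[claimed]:
                indicators.append(f"link to {dom} while claiming to be {claimed}")
    cues = [c for c in URGENCY_CUES if c in lowered]
    if cues and links:
        indicators.append("urgency cue(s) " + ", ".join(cues) + " combined with a link")
    return {"claimed": claimed, "links": links, "indicators": indicators}


if __name__ == "__main__":
    for sample in (SMISH, OFFICIAL, NO_LINK):
        print(triage_sms(sample))
```

The lookalike in the constructed sample (irs-gov-refund.example.com) is caught because only the registrable domain counts, so the reassuring "irs-gov" label in front of it carries no weight.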
b.2) Vishing
The term Vishing refers to the practice of taking advantage of IP-based voice messaging
technologies (mainly Voice over Internet Protocol, or VoIP) to socially manipulate the intended
victim into handing over personal, financial or other sensitive information for the attacker's financial
gain. This form of scam combines elements of voice and phishing, "taking advantage of the trust
that people usually have in the telephone service" (Román & Plaza, 2023: 2). The victim is generally
unaware of the fraudsters' ability to use techniques such as caller ID spoofing and advanced
automated systems to commit this increasingly common type of scam.
c) Clone Phishing
The fundamental principle of a clone phishing attack is the attacker's ability to replicate a
message to which the target has already been exposed. Put another way, a clone phisher could
replicate a mass mailing sent by a brand (Chaudhuri, 2013). Alternatively, a fake follow-up email
could be used to attack someone who is known to be expecting a product. The attacker copies
exactly one email or another message after thoughtfully and strategically choosing which one to
copy. This involves copying the exact words and graphics and spoofing the sender's address to make
it appear to be the real sender.
The figures below will display some examples of cloning a legitimate email and how it works.
1.1.3. Modern and Advanced Phishing Attacks
This type of phishing has been boosted by the COVID-19 pandemic (Al-Qahtani and Cresci, 2022),
causing a substantial increase in phishing attacks in Spain (as well as in other countries). How are
these two phenomena related? Modern phishing attackers exploit human weaknesses, such as that
caused by pandemic uncertainty, to circumvent advanced security measures such as multi-factor
authentication (MFA). These attacks include messages and emails powered by artificial intelligence
to make them appear even more realistic. Add to this factor the undesirable habits of some users
and you have an ideal scenario for a phishing attack. In the following lines we will discuss the
different types of sophisticated phishing.
a) Business Email Compromise (BEC)
Business Email Compromise (BEC) is a sophisticated fraud that has been responsible for substantial
financial losses worldwide. In this type of fraud, cybercriminals pose as executives or suppliers and
try to trick employees into transferring funds or confidential information (Al-Qahtani and Cresci,
2022). These frauds require a deep understanding of organizational hierarchies and
operations, often forcing practitioners of these techniques to conduct extensive reconnaissance and
even infiltrate the organization's email system to understand the dynamics of its internal
communication. The devastating financial consequences of BEC schemes underscore the critical
importance of robust verification procedures for financial transactions and the exchange of
confidential information within organizations.
b) Whaling
Whaling extends the principles of Spear Phishing by targeting high-profile individuals within an
organization, such as executives or board members. These attacks often involve extensive research
to craft highly credible messages. Sadly, a single successful attack of this kind can result in
significant financial or data loss, making it a priority concern for cybersecurity teams (Kalaharsha &
Mehtre, 2021).
//////
Whaling is a scam similar to spear phishing in the sense that it is a "targeted attack (...), but in
this case, the target is senior executives who have privileged access to information or resources
within an organization" (Gusev, 2022: 393). This type of attack is carried out through malware that
provides attackers with access to the organization or deploys keyloggers. Since this is a targeted
attack, the attacker will spend more time elaborating their attack vectors, whether by email or eFax,
to increase the chances of success of the victim clicking on a link or downloading an attachment
containing malware.
This practice is used as a preparatory step for a later malicious attack called business email
compromise (BEC). The compromised email account of a senior executive, such as the CEO, is used to
instruct the CEO's subordinates to make unauthorized bank transfers.
Business email compromise (BEC) scams often begin with a message that creates a personal
connection between the sender and the recipient, such as "I need a personal favor..." This type of
communication establishes a relationship between the sender and the recipient, causing the
recipient to think "Wow, the CEO is directly asking me to help him!" and quickly take action.
On the other hand, certain emails may include an overdue invoice that must be paid
immediately, requiring the recipient to settle an outstanding invoice as soon as possible, usually by
bank transfer. Emails with embedded links often ask the recipient to log in with their credentials to
open or view the document, allowing attackers to steal sensitive information. These deceptive
tactics are increasingly used in BEC scams to manipulate victims and steal money or data.
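The three lures described above (the personal favour from the boss, the overdue invoice, and the link that asks for a login to view a document) and the sender patterns behind them (an executive's display name on an outside address, a Reply-To that diverts the conversation) can be scored by a mail gateway or a SOC triage script. The Python script below is an added example, not code from the original text; the company domain example-corp.com, the executive directory and the three messages are constructed for illustration.

```python
"""Score an inbound email for the Business Email Compromise patterns described
above: an executive's display name on an external address, a Reply-To that
diverts replies elsewhere, and requests for favours, urgent payment or a
credential login. Added example; the directory and messages are constructed."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed directory

# Lure phrases taken from the patterns described in the text.
PHRASES = {
    "personal favour": r"\b(personal favou?r|are you available|quick task)\b",
    "urgent payment": r"\b(wire|bank transfer|overdue invoice|pay(ment)? (today|immediately|asap))\b",
    "login lure": r"\b(log ?in|sign ?in) (with your credentials )?to (open|view)\b",
}

# Constructed samples.
CEO_FAVOUR = """\
From: Jane Doe <ceo.janedoe@webmail-example.net>
To: staff@example-corp.com
Subject: Quick task

Are you available? I need a personal favor handled today. Please arrange a
bank transfer for an overdue invoice before 5pm. I am in meetings, reply here.
"""

INVOICE_LURE = """\
From: Accounts <billing@supplier-example.com>
Reply-To: <billing@supplier-example.org>
To: payables@example-corp.com
Subject: Overdue invoice

Please log in with your credentials to view the document and settle the
overdue invoice immediately.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Board deck

Attached is the draft deck for Thursday; comments welcome.
"""


def split_address(header):
    """Return (display name, address, domain), all lower-cased."""
    name, addr = parseaddr(header or "")
    addr = addr.lower()
    return name.strip().lower(), addr, addr.rpartition("@")[2]


def bec_indicators(raw):
    """Return the list of BEC indicators found in a raw message (empty if none)."""
    msg = email.message_from_string(raw)
    name, addr, domain = split_address(msg.get("From"))
    _, reply_addr, reply_domain = split_address(msg.get("Reply-To"))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    reasons = []
    # 1. Executive's name used from an address that is not the directory entry.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' on {addr}, directory says {EXECUTIVES[name]}")
    # 2. Replies are silently routed to a different domain than the sender's.
    if reply_addr and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain {domain}")
    # 3. Lure language from the patterns in the text.
    for label, pattern in PHRASES.items():
        if re.search(pattern, text):
            reasons.append(f"{label} wording present")
    return reasons


if __name__ == "__main__":
    for label, raw in (("CEO favour", CEO_FAVOUR), ("invoice", INVOICE_LURE), ("legit", LEGIT)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

The first rule is the one that stops most "CEO fraud" attempts cold: a display name is free to forge, but the directory address is not, so any mismatch is worth a verification call over a channel the email did not supply, which is the "robust verification procedure" the text calls for.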
c) Pharming
Pharming is a malicious technique that imperceptibly redirects users from legitimate websites to
fraudulent sites, often through the poisoning of domain name system (DNS) servers. This tactic
manipulates domain name resolution to divert users, eliminating the need to send deceptive emails
(Parmer, 2012). Malicious redirection can result in significant data breaches as users, believing they are on a
legitimate site, enter their credentials or financial information, which is subsequently collected by
malicious actors for fraudulent use.
The technical sophistication required for Pharming attacks, coupled with imperceptible
redirection, makes them a formidable threat. This underscores the importance of strong DNS
security and the need for individuals to carefully verify website URLs before entering sensitive
information. It is crucial to be alert to possible discrepancies in URLs and not to rely on links provided
in suspicious emails or messages. Keeping security software up to date and using secure connections
(HTTPS) also helps to mitigate the risks of this type of attack.
//////////////////////////////////////
Pharming is a type of attack in which criminals direct victims looking for a specific
website to a fake one. These spoof locations aim to "infect the victim's computer with pharming
software or obtain personally identifiable information (PII) from such, such as passwords, account
numbers, government-run retirement numbers" (Villon et al., 2019: 672). Pharmers often target
financial websites such as banks, online payment gateways, and online merchant destinations to
obtain PII, as these sites contain sensitive and valuable data that can be used to commit fraud or
identity theft. Pharming is achieved by manipulating domain name system (DNS) settings or
infecting the victim's computer with malware, which silently redirects the user to a fake website
without their knowledge. Once on the fake site, criminals can steal sensitive information such as
login details, credit card numbers or other valuable personal information.
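One of the two redirection mechanisms named above, malware on the victim's own computer, often works by editing the local hosts file so that a bank's hostname resolves to the attacker's server without DNS ever being asked. Auditing that file for pinned financial domains is a cheap endpoint check. The Python script below is an added example, not code from the original text or its sources; the watched domains (examplebank.com, pay.example.net) and the hosts file content are constructed, and the 203.0.113.0/24 address is a documentation range standing in for an attacker's server.

```python
"""Audit a hosts file for the local-pharming pattern described above: an
entry that silently pins a banking or payment hostname to a chosen address,
so the browser never consults DNS for it. Added example; the hosts content
and the watched domains are constructed."""
import ipaddress

# Domains whose presence in the hosts file is never expected (constructed).
WATCHED_DOMAINS = {"examplebank.com", "pay.example.net"}

# Constructed hosts file: two harmless entries, three pharming pins and one
# entry the user sinkholed to loopback on purpose.
SAMPLE_HOSTS = """\
# Constructed hosts file
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    login.pay.example.net
127.0.0.1       tracking.examplebank.com   # sinkholed by the user
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines; a line
    may list several hostnames for one address."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if the hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return one finding per watched hostname pinned in the hosts file.
    A pin to a loopback address is reported as 'info' (the usual blocking
    technique); any other address is 'high', since it sends the user to a
    server the domain owner does not control."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # unparseable address is still a pin, report it
        findings.append({"ip": ip, "host": name, "severity": "info" if loopback else "high"})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(f"[{finding['severity']}] {finding['host']} -> {finding['ip']}")
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts and on Unix-like systems /etc/hosts; the same function can be fed the file's contents with `audit_hosts(open(path).read())`. This catches the local variant only; poisoning of the resolver or of an upstream DNS cache leaves the hosts file untouched and is detected on the network side, for example by comparing answers from an independent resolver or by relying on DNSSEC-validating resolvers.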
Phishing through social networks has emerged as a significant concern in the cybersecurity
landscape (Hernández Domínguez & Baluja García, 2021). Although email has traditionally been the
primary medium for phishing attacks, social networking platforms have opened up new
opportunities for cybercriminals. These "public" environments have become highly effective venues
for fraudsters to develop sophisticated phishing campaigns, especially targeting prominent figures
such as politicians and the military.
Some studies (such as the one by Bossetta, 2018, which is discussed below) have shown that
approximately 25% of all phishing attacks target state actors. This phenomenon highlights the
vulnerability of key figures in the public sphere to this type of attack.
An illustrative example of the disastrous consequences of phishing through social networks was the
2016 US presidential election. In this case, John Podesta, Hillary Clinton's campaign manager, and
Colin Powell, former Secretary of State, fell for fake phishing ads, allowing a Russian hacker group,
Fancy Bear, to steal their credentials. The leak of all emails between them and Hillary Clinton on the
WikiLeaks website clearly illustrates the devastating impact that a successful phishing attack
through social networks can have (Ruiz & Borrero, 2023).
It is crucial to highlight that these types of threats not only affect state actors,
but also pose a risk to the general public who, in many cases, may lack the necessary protection to
deal with these sophisticated social engineering tactics. Therefore, awareness, education and the
implementation of robust security measures are critical to mitigate the risks associated with
phishing through social networks and protect both individuals and organizations from potentially
devastating consequences.