What Are Phishing Lures?

Phishing continues to be one of the most common cyber threats facing organizations and individuals alike. According to their most recent Phishing Activity Trends Report, the Anti-Phishing Working Group (APWG) observed 1,097,811 total phishing attacks in Q2 2022, found that business email compromise is getting more expensive, and confirmed that social media threats are continuing to rise. Similarly, Phishlabs’ and Agari’s joint Quarterly Threat Trends & Intelligence Report found that the total volume of phishing sites rose by 6% in Q2 2022 compared to the previous quarter. The report also found that social media attacks increased by 20.3% in that same span.

What’s even more troubling than the sheer growth of phishing in and of itself is that the ways in which victims are getting “hooked” is growing in variety and sophistication. In a way, phishing lures, the way in which cybercriminals draw in their targets and convince them to share sensitive information, can be thought of as the bait attackers use to fool their victims.

Phishing lures shouldn't be confused with different forms of phishing like email phishing, spear phishing, and vishing (voice phishing). Going by the fishing analogy, these can be thought of as different fishing rods. Phishing lures, on the other hand, are what goes at the end of the fishing line. If the bait isn’t tempting or convincing enough to draw in the target, the phishing campaign won’t be effective no matter what kind of “rod,” or method, is used.

Ideally, organizations should prioritize implementing periodic phishing awareness education as a means of preventing their employees from taking the bait. With that in mind, here's some brief insight into how potential victims can spot some of the most common phishing lures.

Deadlines & Urgent Requests

Phishing campaigns very frequently utilize some form of social engineering to hook their targets and forcing those targets to make a quick decision has been one of the most tried and true methods. For example, victims may receive a call from their "financial service provider" saying that there’s been unusual activity coming from their account. Before allowing the victim to confirm or deny that the supposed suspicious activity came from them though, the threat actor may ask for sensitive information to confirm the victim's identity first. In reality, the threat actor on the phone is using the “suspicious account activity” to create urgency in their target and force them to decide quickly whether or not to divulge sensitive information connected to their real account.

Creating urgency like this can just as easily be accomplished over email by threatening account closure, for example. In a work setting, a victim may receive an email that looks like it's coming from their employer, saying they're required to complete training by a certain time. In reality, the link to the "training" actually leads to a fake page where the target inputs their credentials. Regardless of the situation, if you sense that you’re being asked to provide sensitive information in an urgent manner, take a moment to determine whether or not the request is unusual.

Impersonating a Trusted Person

Some phishing attacks are highly targeted, particularly in the workplace, and many of those targeted attacks utilize impersonation. In a spear phishing attack where a lower-level employee is targeted, for example, the threat actor may pose as a c-suite executive in an email asking for login credentials. Or in the case of whaling, a c-suite executive may be fooled by someone posing as a business partner or someone else that works closely with them.

While some phishing attacks aim to establish urgency in their victims to “hook” them, impersonation scams often leverage trust instead. If you receive an email from someone you know and trust in the workplace that seems suspicious, make sure their email address matches the one you have in your contact list and make sure any links they include in the email lead to trusted sites.

Impersonating a Trusted Entity

While it’s always good practice to make sure your friend or coworker is whom they say they are when they’re asking for sensitive information, threat actors won’t always impersonate an individual in a phishing campaign. Impersonation also extends to trusted entities as well.

For example, you may receive an email out of the blue from your organization’s human resources department saying that the deadline to complete your “training” is due soon. Or perhaps you receive an email outside of work from your doctor’s office asking to follow a link to log in to view your medical results even though you haven’t been to the doctor in a while. You may even receive a message on social media from a page you think is from your favorite clothing brand saying you’ve won a prize or gift card when, in reality, it’s from a fake page. Whatever the case may be, if you’re asked to follow a link, hover before you click. If you’re on the phone with someone you think could be posing as a trusted entity, consider hanging up and calling back using the phone number listed on the entity's website.

Camouflaging

Camouflaging isn’t quite the same as impersonation, as phishing campaigns that use camouflage aim to blend in with legitimate content rather than imitating someone or something. Phishing campaigns that use camouflage are often much more passive than active or targeted. Types of phishing that utilize this kind of lure include content spoofing and search engine phishing.

Similar to impersonation, however, camouflage generally relies on trustworthiness to some extent. Search engine phishing, for example, relies on people’s trust in sites that appear on search engine results pages. Content spoofing—when parts of a legitimate website are altered to redirect to malicious sites—relies on people’s trust in a website they may already be familiar with along with the links it contains. The best rule of thumb to avoid these traps is to check URLs for inconsistencies before clicking.

Leveraging Social Media Growth and Following

Social media in and of itself is far closer to being the “rod” in the context of phishing rather than a lure. And in fact, impersonation scams are commonly used lures in social media phishing campaigns that often lead to stolen credentials. But even so, social media is unique in that some of its components can double as lures as well. Specifically, threat actors can leverage a promise of social media growth to draw in victims.

It isn’t exactly uncommon these days to see influencers with the blue check mark and tens to hundreds of thousands of followers, and while many choose to build that following organically, some opt instead to pay their way toward verification and/or a larger following. Unfortunately, many who claim to provide others with verification or followers, regardless of cost, are often only after credentials or financial information. Our recommendation is simply to simply not engage with people online making these false promises.