Phishing email shown with external and spam marking shown.

How phishing emails work


Hackers primarily target your organization in one of two ways: they jiggle millions of “doorknobs” per second or engage in a targeted attack. One targeted attack method is a phishing or BEC (business email compromise) attack. CISOs are well-acquainted with these attacks but often don’t understand how phishing emails actually work and why they bypass their filtering software. Can BEC attacks be stopped?

According to Jim Stickley, the face of LifeLock, the answer is yes. Stickley is a White Hat hacker and has been featured on The Today Show, CNN, FoxNews, NBC, and CNBC. He explained to me that the most direct way to stop phishing and BEC attacks is to remove the hacker’s primary tool for breaching your defenses: the lookalike domain.

How do phishing emails work? Hackers buy lookalike domains, age the domain, and launch their attacks when their email filtering tools, the same ones you have, tell them the domain is clear.

Why lookalike domains aren’t caught by spam filters

Nefarious actors buy numerous lookalike domains that resemble your own with a subtle mispelling an ususpecting employee won’t notice (like the two errors you may have just missed in this sentence.) The objective is to trick a rushed employee into giving up key information. But this isn’t so easy. ISPs and web hosts are suspicious of new domains, so hackers use a workaround. Patience. 

Threat actors get around this by allowing their lookalike domains to age. They simply place harmless content on the lookalike site, and then wait—sometimes a year or more. As nefarious lookalike domains get legitimate clicks on their website, web hosts and ISPs start to reclassify these domains as safe. 

When the website gains legitimacy, that’s when things take a turn.

Threat actors know when their email will pass through your defenses because they have the same email filtering tools you own racked and stacked in their labs. 

Once the hackers notice their domain is considered “safe”, they launch their BEC or phishing attack. Web hosts don’t flag it as nefarious because US registrars like GoDaddy, NameCheap, and Network Solutions don’t know the intent of a lookalike domain. Your tools don’t block it either, because the sites aren’t technically nefarious until they act. These tools depend on proof, because many domains that appear to be lookalikes are completely innocent.

The window between a domain being classified as “innocent” and being recognized as a bad actor’s is small, but it only takes minutes for a bad actor to achieve their goal. If one of your employees clicks or replies to an email sent from a lookalike domain, your entire network can be compromised. Successful lookalike domain attacks fool employees into wiring money, giving up passwords, and revealing account numbers. They can also open the door to a ransomware attack.

Last month someone in the security space told us they fell for this very attack. After receiving an email from what they thought was a legitimate contractor, they forwarded the email to their AR person. The AR person received an official-looking email and made an adjustment to the bank account info. They caught it moments later, but not before they lost an entire paycheck for an employee.

Analyzing how phishing emails work is helpful, but solutions are better. Here’s how the industry is working to stop BEC attacks.

Manually stopping phishing attacks

To stop a phishing attack, some cyber teams take a hands-on approach. These teams work diligently to proactively take down lookalike domains in-house. Their teams investigate and chase down lookalike sites, building cases to present to registrars. We’ve noticed this is only achievable for larger organizations with large pools of resources for obvious reasons: it’s labor-intensive, time-consuming, and quite costly.

To put this in perspective, in September of 2021, Palo Alto’s Unit 42 discovered over 26,000 new strategically aged domains being created EVERY DAY! That’s a staggering number to chase down manually. 

We know how phishing emails work, but the problem is this: who has the time and resources to fight back, and can phishing attacks be stopped? Yes.

How to prevent phishing: the AI/ML use case

To prevent phishing and BEC attacks, new domain protection tools are using AI and ML to monitor the host domain. These tools automatically block domains exhibiting lookalike behavior. This technology also simultaneously builds a case for reporting to registrars. This is available today.
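The signals described in the two sections above (a sender domain that is visually close to your own, and a registration date that is either very recent or deliberately aged) can be expressed as a simple scoring rule. The Python below is an added example written for this page; it is not code from the original post or from any vendor’s product. The organization domain, the inbound senders, the confusable-character table and the registration dates are all constructed, and the `REGISTRATION_DATES` table stands in for the WHOIS/RDAP lookup you would perform in practice. It goes slightly beyond the misspelling case the text describes by also flagging a TLD swap and your own domain embedded as a subdomain of someone else’s.

```python
"""Flag inbound sender domains that look like the organization's own domain.

Added example, not code from the original post. Everything below is
constructed: the protected domain, the thresholds, the confusable table and
the registration dates (a stand-in for a WHOIS/RDAP creation-date lookup).
"""
from datetime import date

ORG_DOMAIN = "example-corp.com"   # constructed: the domain being protected
LOOKALIKE_MAX_EDITS = 2           # constructed threshold
NEW_DOMAIN_DAYS = 180             # constructed threshold
TODAY = date(2024, 1, 15)         # constructed "now" so the example is deterministic

# Constructed stand-in for a registry creation-date lookup.
REGISTRATION_DATES = {
    "example-corp.com": date(2009, 3, 14),
    "examp1e-corp.com": date(2021, 1, 5),             # aged well over a year
    "example-corp.co": date(2023, 11, 2),             # registered recently
    "exarnple-corp.com": date(2020, 6, 30),
    "example-corp.com.mail-relay.net": date(2019, 8, 8),
    "partner-supplies.com": date(2012, 5, 20),        # an innocent supplier
}

# Character sequences that look alike in common fonts (small constructed subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize(label: str) -> str:
    """Lower-case and fold confusable sequences so visually identical strings compare equal."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row kept at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (second-level label, tld). Assumes a two-label registrable domain;
    multi-part public suffixes such as co.uk would need a public-suffix list."""
    labels = domain.lower().split(".")
    return labels[-2], labels[-1]


def assess(sender: str, today: date = TODAY) -> dict:
    """Classify a sender address as allow / review / block with the reasons found."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain == ORG_DOMAIN:
        return {"domain": domain, "verdict": "allow", "reasons": ["organization's own domain"]}

    lookalike, age = [], []
    org_sld, org_tld = split_domain(ORG_DOMAIN)
    sld, tld = split_domain(domain)

    if domain.startswith(ORG_DOMAIN + "."):
        lookalike.append("org domain embedded as a subdomain of another domain")
    elif normalize(sld) == normalize(org_sld) and tld != org_tld:
        lookalike.append("same name, different TLD")
    elif normalize(domain) == normalize(ORG_DOMAIN):
        lookalike.append("homoglyph lookalike of org domain")
    else:
        d = edit_distance(normalize(domain), normalize(ORG_DOMAIN))
        if d <= LOOKALIKE_MAX_EDITS:
            lookalike.append(f"within {d} edit(s) of org domain")

    # Age is a supporting signal only: the post explains attackers age domains
    # on purpose, so an old lookalike is still blocked, never waved through.
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        age.append("no registration record")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        age.append(f"registered {(today - registered).days} days ago")

    verdict = "block" if lookalike else ("review" if age else "allow")
    return {"domain": domain, "verdict": verdict, "reasons": lookalike + age}


if __name__ == "__main__":
    for sender in ["ap@example-corp.com", "billing@examp1e-corp.com",
                   "billing@example-corp.co", "ceo@exarnple-corp.com",
                   "ops@example-corp.com.mail-relay.net", "sales@partner-supplies.com"]:
        print(assess(sender))
```

The point of the two-list design is the one the post makes: domain age alone is a weak signal because attackers wait it out, so any lookalike match blocks regardless of age, while age on its own only routes a message to review. In a real deployment the normalization table would be far larger (Unicode confusables, keyboard-adjacent substitutions) and the registration date would come from a live lookup.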

Hackers quickly learn that their significant time investment targeting you is dangerous for business. It takes them quite a bit of time to mature a domain, only for your company to easily block and report them. Hackers quickly wipe your name off their list and move on to an easier customer when they realize any attempt just digs them into a deeper hole.
