Few cyber threats are as prevalent and costly as phishing attacks. In 2019, SonicWall documented a 27% increase in encrypted threats through email, which masquerade as legitimate products or services but actually carry malicious payloads that steal credentials and compromise IT integrity.
Unsurprisingly, phishing attacks continue to trend upward and are wreaking havoc on businesses. Even as companies implement automated defences intended to keep phishing attacks out of employee inboxes, many inevitably make their way through.
A recent survey found that nearly half of respondents reported malicious emails reaching employee inboxes every week, and 20% indicated that they experienced a data breach as a consequence of a phishing vulnerability. In fact, SonicWall's 2020 Cyber Threat Report commented that most cyberattacks begin with a phishing scam.
To maintain an edge, hackers are continuously evolving their strategies and improving their attack methods, making their efforts increasingly difficult to detect. In other words, employees may not be fooled by phony emails from a foreign leader or celebrity, but they could be compromised by a call or IM from their manager or CEO. It is becoming more evident that businesses need to have a Managed Cyber Security solution in place.
The CMI team outlines four of the latest phishing attack trends that you’ll want to know in order to protect your business.
1. Increased Personalisation
The past several years have seen billions of records compromised, and the consequences far exceed the immediate media scrutiny and consumer backlash that follow in the wake of a breach. Cybercriminals are repurposing exposed information to craft sophisticated phishing campaigns that are camouflaged with authentic-looking information purportedly from known and trusted sources.
For example, there have been many reports of construction employees transferring funds to a fraudulent bank account in response to a spear phishing campaign that contained a legitimate invoice amount from one of the city’s construction contractors. Similarly, Italian precision engineering companies are facing a slew of phishing attacks that seem to originate from potential clients.
Such emails include company and sector-specific details and carry an attached Microsoft Excel document that hosts malicious, credential-stealing code.
2. Multi-platform Approaches
Phishing scams are commonly associated with email messages, but today’s cybercriminals are taking advantage of diverse communication platforms to deliver messages in our various inboxes.
Often hackers leverage SMS and social media accounts to reach their victims. SMS phishing attacks, colloquially known as “smishing,” are targeting users’ reflexive instinct to trust and respond to text messages on their phone. Targeting users on their social media is no different and can have a similar result. In 2019, Facebook was the most impersonated social media platform, with a 176% year-over-year increase in phishing URLs.
To be effective, hackers rely on the perception of authenticity, and reaching users on these familiar platforms can trick unsuspecting victims into handing over the keys to their accounts.
3. HTTPS Encryption
In addition to reaching users in familiar territory, hackers are deploying the internet’s signposts of security to elicit the trust of their victims. Specifically, cybercriminals are manipulating HTTPS, the internet protocol that denotes encryption and security, to lull users into a false sense of security.
It’s estimated that 58% of all phishing campaigns use HTTPS, which makes it less likely both that users will identify the fraudulent website and that internet browsers will flag the connection as unsecured. This tactic has become so prevalent that the government is urging people to take special care to evaluate their digital communications for intent rather than relying on traditional representations of internet security.
4. Dynamic Business Email Compromise Campaigns
Between the treasure trove of data available on the Dark Web and the information readily published on company websites, hackers can impersonate higher-ups or IT administrators with staggering effectiveness. Business Email Compromise scams rely on personalisation, and today’s hackers converse directly with their victims to gain trust.
Once that trust is achieved, hackers send a simple request, like editing a document or filling out a form, that ultimately directs victims to a phishing website. To increase their efficacy, many cybercriminals include these links in attachments, which makes them both harder to detect by software and less likely to be identified by readers.
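The point about links in attachments, seen from the defender's side, as an added example that is not CMI's code: a scanner that only searches the raw message finds nothing, because the attachment is base64-encoded and an Excel file is a compressed ZIP container, so the check has to decode each MIME part and open the container. The message, the file name `invoice.xlsx` and the host `login.example.test` are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[^\s\"'<>)\]]+", re.I)
# XML namespace hosts present in every Office Open XML file; not clickable links.
NAMESPACE_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com",
                   "www.w3.org", "purl.org"}

def extract_urls(data):
    """URLs in raw bytes; ZIP containers (.xlsx/.docx) are searched member by member."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = b"\n".join(zf.read(n) for n in zf.namelist())
    found = {m.decode("ascii", "replace") for m in URL_RE.findall(data)}
    return sorted(u for u in found if urlsplit(u).hostname not in NAMESPACE_HOSTS)

def find_urls(raw_message):
    """Return (location, url) pairs; location is 'body' or 'attachment:<name>'."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        where = (f"attachment:{part.get_filename() or 'unnamed'}"
                 if part.is_attachment() else "body")
        hits += [(where, u) for u in extract_urls(data)]
    return hits

def build_sample():
    """Constructed message: link-free body, URL only inside an .xlsx attachment."""
    rels = (b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            b'<Relationship Id="rId1" TargetMode="External" '
            b'Target="https://login.example.test/form"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
    msg = EmailMessage()
    msg.set_content("Please review the attached invoice and complete the form.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.xlsx")
    return msg.as_bytes()

if __name__ == "__main__":
    for where, url in find_urls(build_sample()):
        print(where, url)
```

The extracted URL uses HTTPS, so its scheme says nothing about whether the destination is legitimate; the host still has to be checked against reputation data or an allowlist.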
Staying one step ahead
It’s evident that phishing scams will continue. However, there is a silver lining.
Unlike other cyber attacks, phishing scams are only effective if they are acted upon, and companies can mitigate such threats with regular, comprehensive awareness training for their employees.
With the right solutions provider, you can equip your employees to stay abreast of emerging threats, report potential misuses of data, and transform themselves into the first and best line of security against cybercriminals. Whether you’re a small business or large enterprise, you have the power to stop phishing attacks from stealing employee credentials or proprietary information.
CMI’s phishing training program simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defence against cybercrime. Find out more in our Cyber Security section.