Few cyber threats are as prevalent and costly as phishing attacks. In 2018, Microsoft documented a 250% increase in phishing campaigns, which masquerade as legitimate products or services but actually carry malicious payloads that steal credentials and compromise IT integrity.
To no surprise, the rise of phishing attacks continues to trend upward and is wreaking havoc for SMBs and enterprises alike. Even as companies implement automated defenses intended to keep phishing attacks out of employee inboxes, many inevitably make their way through. A recent survey found that nearly half of respondents reported malicious emails reaching employee inboxes every week, and 20% indicated that they experienced a data breach as a consequence of a phishing vulnerability. In fact, Verizon’s 2019 Data Breach Investigations Report concluded that ⅓ of all cyberattacks begin with a phishing scam.
To maintain an edge, hackers are continuously evolving their strategies and improving their attack methods, making their efforts increasingly difficult to detect. In other words, employees may not be fooled by phony emails from a foreign leader or celebrity, but they could be compromised by a call or IM from their manager or CEO. Follow along as the ID Agent team outlines four of the latest phishing attack trends that you’ll want to know in order to protect your business.
#1 Increased Personalization
The past several years have seen billions of records compromised, and the consequences far exceed the immediate media scrutiny and consumer backlash that follows in the wake of breach. Cybercriminals are repurposing exposed information to craft sophisticated phishing campaigns that are camouflaged with authentic-looking information purportedly from known and trusted sources.
For example, we recently reported on an Ocala City employee who transferred $640,000 to a fraudulent bank account in response to a spear phishing campaign that contained a legitimate invoice amount from one of the city’s construction contractors. Similarly, Italian precision engineering companies are facing a slew of phishing attacks that seem to originate from potential clients. Such emails will include company and sector-specific details and be embedded with a Microsoft Excel document that hosts malicious, credential stealing code.
#2 Multi-platform Approaches
Phishing scams are commonly associated with email messages, but today’s cybercriminals are taking advantage of diverse communication platforms to posit messages in our various inboxes.
Often hackers leverage SMS and social media accounts to reach their victims. SMS phishing attacks, colloquially known as “smishing,” are targeting users’ reflexive instinct to trust and respond to text messages on their phone. Targeting users on their social media is no different and can have a similar result. In 2019, Facebook is the most impersonated social media platform, with a 176% year-over-year increase in phishing URLs.
To be effective, hackers rely on the perception of authenticity, and reaching users on these familiar platforms can trick unsuspecting victims into handing over the keys to their accounts.
#3 HTTPS Encryption
In addition to reaching users in familiar territory, hackers are deploying the internet’s sign posts of security to elicit the trust of their victims. Specifically, cybercriminals are manipulating HTTPS, the internet protocol that denotes encryption and security, to trick users into a false sense of security.
It’s estimated that 58% of all phishing campaigns use HTTPS, which both makes it less likely that users will identify the fraudulent website and that internet browsers will flag the unsecured connection. This tactic has become so prevalent that the FBI issued a public warning this summer urging people to take special care to evaluate their digital communications for intent rather than relying on traditional representations of internet security.
#4 Dynamic BEC Campaigns
Between the treasure trove of data available on the Dark Web to the information readily published on company websites, hackers can effectively impersonate higher-ups or IT administrators with staggering effectiveness. Business Email Compromise (BEC) scams rely on personalization, and today’s hackers dialogue directly with their victims to gain trust.
Once achieved, hackers send a simple request, like editing a document or filling out a form that ultimately directs victims to a phishing website. To increase their efficacy, many cybercriminals include these links in attachments, which makes them both harder to detect by software and less likely to be identified by readers.
Staying one step ahead
It’s evident that phishing scams will continue to keep IT admins up at night for years to come.
However, there is a silver lining. Unlike other cyber attacks, phishing scams are only effective if they are acted upon, and companies can mitigate such threats with regular, comprehensive awareness training to their employees.
With the right solutions provider, you can equip your employees to stay abreast of emerging threats, report potential misuses of data, and transform themselves into the first and best line of security against cybercriminals. Whether you’re a small business or large enterprise, you have the power to stop phishing attacks from stealing employee credentials or proprietary information.
Our BullPhish ID™ program simulates phishing attacks and conducts security awareness training campaigns to educate your employees, making them the best defense against cybercrime. Click the link to get started: https://www.idagent.com/bullphish-id.