Phishing attacks are on the rise and becoming more sophisticated
Phishing is on the rise, and anyone using email, text messaging, or other forms of communication is a potential victim.
These attacks, in which a cybercriminal sends a deceptive message aimed at tricking a user into revealing sensitive information such as credit card numbers or launching malware on the user’s system, can be extremely effective if executed well.
These types of attacks are becoming more sophisticated – making them more dangerous – and more common. An October 2022 study by messaging security provider SlashNext analyzed billions of link-based URLs, attachments, and natural language messages across email, mobile, and browser channels over a six-month period and found more than 255 million attacks. That’s a 61% increase in phishing attack rate compared to 2021.
The study found that cybercriminals are shifting their attacks to mobile and personal communication channels to reach users. It showed a 50% increase in attacks targeting mobile devices, with fraud and credential theft topping the list of payloads.
“What we are seeing is an increase in the use of voicemail and text as part of two-pronged phishing and BEC [business email compromise] campaigns,” said Jess Burn, senior analyst at Forrester Research. “The attackers leave a voicemail or send a text over the email they send, which either lends credibility to the sender or increases the urgency of the request.”
The company receives many inquiries from customers about BEC attacks in general, Burn said. “With geopolitical unrest disrupting the activities of ransomware gangs and cryptocurrencies – the preferred method of ransom payment – imploding recently, bad actors are reverting to old-fashioned scams to make money,” he said. “So BEC is on the rise.”
Criminals use phishing attacks based on tax season, shopping offers
One of the iterations of phishing that people should be aware of is spear phishing, a more targeted form of phishing that often uses topical baits.
“While not a new tactic, the themes could evolve with global or even seasonal events,” said Luke McNamara, senior analyst at cybersecurity consultancy Mandiant Consulting. “For example, as we are in the holiday season, we can expect to see more phishing lures related to shopping deals. Similarly, during regional tax season, threat actors may attempt to exploit users filing their taxes with phishing emails containing tax topics in the subject line.”
Phishing topics can also be generic, such as an email that appears to be from a technology vendor asking for an account reset, McNamara said. “More productive criminal campaigns might use less specific topics, and conversely, more targeted campaigns by threat actors involved in activities like cyber espionage might use more specific phishing lures,” he said.
What people should do to fend off phishing attempts
Individuals can take steps to better defend themselves against phishing attacks.
Be vigilant when giving out personal information, whether to an individual or on a website.
“Phishing is a form of social engineering,” Burn said. “This means that phishers use psychology to convince their victims to do something they normally wouldn’t do. Most people want to be helpful and do what an authority figure tells them to do. Phishers know this, so they tap into those instincts and ask the victim to help with a problem or take immediate action.”
If an email from a particular sender is unexpected, if it’s asking someone to do something urgently, or if it’s asking for information or financial details that aren’t usually provided, step back and take a good look at the sender, said Burn.
“If the sender looks legitimate but something’s still wrong, don’t open attachments and don’t hover your mouse or cursor over hyperlinks in the body of the email and look at the URL that the link points to,” said Burn. “If it doesn’t seem like a legitimate target, don’t click on it.”
If a suspicious-looking message comes in from a known source, contact the person or company through a separate channel and ask if they sent the message, Burn said. “They save themselves a lot of trouble and alert the person or company to the phishing scam if the email didn’t come from them,” he said.
It’s a good idea to keep up to date with the latest phishing techniques. “Cybercriminals are constantly evolving their methods, so individuals need to be vigilant,” said Emily Mossburg, global cyber leader at Deloitte. “Phishers take advantage of human error.”
Another best practice is to use anti-phishing software and other cyber security tools to protect against potential attacks and protect personal and business information. This includes automated behavioral analysis tools to identify and mitigate potential indicators of risk. “Employee use of these tools has increased significantly,” Mossburg said.
Another technology, multi-factor authentication, “can provide one of the best layers of security to protect your email,” McNamara said. “It provides another layer of defense should a threat actor successfully compromise your credentials.”