Phishing is on the rise and anyone using email, SMS and other forms of communication is a potential victim.
These attacks, in which a cybercriminal sends a deceptive message designed to trick a user into providing sensitive information such as credit card numbers or into launching malware on the user’s system, can be very effective if executed well.
These types of attacks are becoming more sophisticated, more dangerous, and more common. An October 2022 study by messaging security provider SlashNext analyzed billions of link-based URLs, attachments, and natural language messages across email, mobile, and browser channels over a six-month period and found more than 255 million attacks. That is a 61% increase in the number of phishing attacks compared to 2021.
The research found that cybercriminals are shifting their attacks to mobile and personal communication channels to reach users. It showed a 50% increase in attacks against mobile devices, with scams and credential theft topping the list of payloads.
“What we’ve seen is an increase in the use of voicemail and SMS as part of two-pronged phishing and BEC [business email compromise] campaigns,” said Jess Burn, senior analyst at Forrester Research. “The attackers leave a voicemail or send a text message about the email they sent, lending credibility to the sender or increasing the urgency of the request.”
The company gets a lot of questions from customers about BEC attacks in general, Burn said. “With geopolitical strife disrupting ransomware gang activity and cryptocurrency – the preferred method of paying ransom – imploding lately, bad actors are resorting to good old-fashioned fraud to make money,” he said. “So BEC is on the rise.”
Criminals using phishing attacks based on tax season, shopping deals
One of the iterations of phishing that people should be aware of is spear phishing, a more targeted form of phishing that often uses topical lures.
“While not a new tactic, the topics and themes can evolve with world or even seasonal events,” said Luke McNamara, principal analyst at cybersecurity consulting firm Mandiant Consulting. “For example, since we are in the holiday season, we can expect more phishing lures related to shopping deals. During regional tax seasons, attackers may similarly try to exploit users while filing their taxes with phishing emails that contain tax themes in the subject line.”
Phishing themes can also be generic, such as an email purporting to be from a technology vendor about an account reset, McNamara said. “More prolific criminal campaigns can use less specific themes, and conversely, more targeted campaigns from threat actors involved in activities such as cyber espionage can use more specific phishing lures,” he said.
What people should do to fend off phishing attempts
Individuals can take steps to better defend themselves against phishing attacks.
One is to be vigilant when giving out personal information, whether to an individual or on a website.
“Phishing is a form of social engineering,” said Burn. “That means phishers use psychology to convince their victims to do something they normally wouldn’t do. Most people want to be helpful and do what an authority tells them to do. Phishers know this, so they chase those instincts and ask the victim to help with a problem or to do something right away.”
If an email from a specific sender is unexpected, if it asks someone to do something urgent, or if it asks for information or financial details that are not normally provided, take a step back and look closely at the sender, Burn said.
“If the sender looks legitimate but something still doesn’t make sense, don’t open any attachments and don’t mouse or hover over hyperlinks in the body of the email and look at the URL the link points to,” Burn said. “If it doesn’t seem like a legitimate destination, don’t click on it.”
If a suspicious-looking message comes in from a known source, contact the person or company through a separate channel and inquire if they sent the message, Burn said. “You save yourself a lot of trouble and alert the person or company to the phishing scam if the email isn’t from them,” he said.
It’s a good idea to keep up to date with the latest phishing techniques. “Cybercriminals are constantly evolving their methods, so individuals need to be on the alert,” said Emily Mossburg, global cyber leader at Deloitte. “Phishers prey on human error.”
Another good practice is to use anti-phishing software and other cybersecurity tools to protect against potential attacks and to keep personal and business information safe. This includes automated behavioral analysis tools to detect and mitigate potential risk indicators. “Use of these tools among employees has increased significantly,” Mossburg said.
Another technology, multi-factor authentication, “can provide one of the best layers of security to secure your emails,” McNamara said. “It provides an extra layer of defense in case a threat actor manages to compromise your credentials.”