Evolving Phishing Attack Trends: A Nightmare for Security Solutions

Phishing has been one of the most widespread cyber threats and a significant challenge for security solutions for almost three decades. According to this phishing report, in 2021, 35% of all data breaches included scams trying to rob users of their sensitive information and login credentials. Over the past year, phishing attacks have increased by 29% globally. The menace of phishing poses a threat to organizations worldwide.

Though there are advanced anti-phishing tools available today that can counter these threats to some extent, threat actors have continued to up their game and make their modus operandi more sophisticated to lure end-users into divulging critical information. Furthermore, like ransomware-as-a-service, phishing-as-a-service models are coming up, allowing even those with limited technical knowledge to leverage phishing kits to target users. The following sections discuss these trends in detail.

Phishing Targets in 2020/21

Phishing attacks have disrupted technological industries and economies worldwide; however, some countries saw a significant rise in phishing attacks.

The US has been the most targeted country for years, followed by Singapore and Germany. While the US has seen a 7% increase in phishing attacks in 2021, the growth of phishing attacks in Singapore and Russia has been astute, with 829% and 799%, respectively.
Among industries, retail and wholesale organizations witnessed a whopping 436% jump in phishing attacks in 2021, ahead of manufacturing industries. Threat actors exploited the increase of consumer goods due to the pandemic, thus compromising such industries.
Government and finance organizations saw over a 100% increase in phishing attacks in 2021.
Phishing is also carried out through impersonation or imitation of popular brands by taking advantage of public trends to fraud consumers.
Among the impersonated brands, Microsoft was the most imitated brand in 2021, comprising over 31% of phishing attacks.
Illegal streaming websites accounted for 13.6% of attacks, while COVID-themed attacks gauged around 7.2% of phishing frauds. Such websites have a lower threshold to entry as users are not familiar with such sites, and thus, threat agents can spoof such domains without raising any concern markers.

Types of Phishing Attacks

Phishing attacks can be classified in various ways and involve multiple attack techniques. While email remains one of the most recognizable formats, various other methods are growing as the threat actors adapt their attack approaches. Typically phishing scams are carried out by urging users to render information or download malware filled applications through:

Links: Users open malicious links to a phishing site or install malware-laden applications.
Prompts: Users get prompted to submit sensitive details that might result in theft.
Attachments: Users click on attachments that make way for malware pieces of software.

There are 21 basic types of phishing attacks highlighted in the report, namely:

Angler phishing attack
Baiting phishing attack
Browser-in-the-browser (BitB) attack
Business email compromise(BEC) attack
Chat or IM phishing attack
Clone or spoofing
Doc clouding
Email phishing
Evil twin phishing attacks
HTTPS scams
Malicious advertising
Man-in-the-middle(MITM) attack
DNS cache attack
Search engine phishing attack
Smishing or SMS phishing attack
Spear phishing
Tailgating phishing attack
USB phishing attack
Voice phishing attack or Vishing
Watering hole phishing attack
Whaling

Apart from these basic types, there are 11 most common phishing scams:

Cloud scams
Consumer scams
Commercial scams
Corporate scams
Dating scams
Financial services scams
Government scams
Job offer scams
Browser scams or push notifications
Social media scams
Technical scams

Evolving Trends in Phishing Attacks

With organizations’ adaptation of security solutions, the attackers are also adopting innovative measures to evolve their phishing attack tactics. Some of these evolving trends in phishing attacks are:

Facilitating safe domains and trustworthy platforms:
Threat actors use external websites that redirect victims to phishing sites. Attackers use trusted domains to misdirect and manipulate the users by using tactics such as buying advertisements on search engines or corporate posts in the marketplace. This includes business and marketing automation tools that allow threat actors to generate phishing campaigns.
Phishing as a Service (PhaaS):
Threat agents are importing specialized services, including phishing campaigns, malware, and ransomware, to strengthen their attack portfolio. Some groups are selling pre-built phishing offerings that make attacks much easier. Phishing campaigns are created and deployed using the skills of social engineering experts. The two most famous phishing-as-a-service operations are phishing kits and open-source frameworks. These are pre-built operations ready to be deployed and can wage a full scale and a very potent attack.

Apart from these major evolving trends, a few more trends are gaining momentum in waging phishing attacks, such as smishing or SMS phishing attacks, man-in-the-middle attacks, COVID-19 scams, and crypto-related phishing.

Key Measures to Prevent Phishing Attacks

Organizations and individuals need to equip themselves adequately to protect against the attacks mentioned above. While it’s increasingly difficult to eliminate all the risks associated with phishing attacks, users can practice some security measures to manage the risk and limit it to a minimum. Some of the key measures are:

To understand the risks to inform policy and decisions better
To leverage automated tools and intel to reduce attacks
To build security awareness and promote user reporting
To simulate phishing attacks to identify vulnerabilities

Additionally, some security controls can provide further protection, such as,

Email scanning
Reporting
Multi-factor authentication
Encrypted traffic inspection
Antivirus software
Advanced threat protection
URL filtering
Regular patching
Zero trust architecture
Threat intel feeds

Final Words

Phishing attacks are carried out through various methods such as email spoofing, poisoned links that can transfer credentials from the victims, or malicious software. Organizations have constantly been suffering from such menace, and it is getting increasingly difficult to counter phishing threats as threat actors have become more creative and tactile in their approach.

While it is evident that it is challenging to eliminate such attacks, users should equip themselves with preventive measures to mitigate the risks of such attacks. As the attackers grow innovative in their operations, organizations and individuals must strengthen their defenses through awareness and practical solutions, eliminating vulnerabilities and entry points that malicious actors can exploit.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.