Phishing has been one of the most widespread cyber threats and a significant challenge for security solutions for almost three decades. According to this phishing report, in 2021, 35% of all data breaches included scams trying to rob users of their sensitive information and login credentials. Over the past year, phishing attacks have increased by 29% globally. The menace of phishing poses a threat to organizations worldwide.
Though advanced anti-phishing tools available today can counter these threats to some extent, threat actors continue to up their game and make their modus operandi more sophisticated to lure end-users into divulging critical information. Furthermore, like ransomware-as-a-service, phishing-as-a-service models are emerging, allowing even those with limited technical knowledge to leverage phishing kits to target users. The following sections discuss these trends in detail.
Phishing Targets in 2020/21
Phishing attacks have disrupted technological industries and economies worldwide; however, some countries saw a significant rise in phishing attacks.
- The US has been the most targeted country for years, followed by Singapore and Germany. While the US saw a 7% increase in phishing attacks in 2021, the growth in Singapore and Russia was far steeper, at 829% and 799%, respectively.
- Among industries, retail and wholesale organizations witnessed a whopping 436% jump in phishing attacks in 2021, ahead of manufacturing. Threat actors exploited the pandemic-driven increase in demand for consumer goods to compromise such industries.
- Government and finance organizations saw over a 100% increase in phishing attacks in 2021.
- Phishing is also carried out by impersonating or imitating popular brands, taking advantage of public trends to defraud consumers.
- Among the impersonated brands, Microsoft was the most imitated brand in 2021, comprising over 31% of phishing attacks.
- Illegal streaming websites accounted for 13.6% of attacks, while COVID-themed attacks accounted for around 7.2% of phishing frauds. Such websites have a lower barrier to entry because users are not familiar with them, so threat actors can spoof such domains without raising suspicion.
Types of Phishing Attacks
Phishing attacks can be classified in various ways and involve multiple attack techniques. While email remains one of the most recognizable formats, various other methods are growing as threat actors adapt their approaches. Typically, phishing scams urge users to hand over information or download malware-laden applications through:
- Links: Users open malicious links to a phishing site or install malware-laden applications.
- Prompts: Users get prompted to submit sensitive details that might result in theft.
- Attachments: Users open attachments that deliver malware.
There are 21 basic types of phishing attacks highlighted in the report, namely:
- Angler phishing attack
- Baiting phishing attack
- Browser-in-the-browser (BitB) attack
- Business email compromise (BEC) attack
- Chat or IM phishing attack
- Clone or spoofing
- Doc clouding
- Email phishing
- Evil twin phishing attacks
- HTTPS scams
- Malicious advertising
- Man-in-the-middle (MITM) attack
- DNS cache attack
- Search engine phishing attack
- Smishing or SMS phishing attack
- Spear phishing
- Tailgating phishing attack
- USB phishing attack
- Voice phishing attack or Vishing
- Watering hole phishing attack
Apart from these basic types, there are 11 most common phishing scams:
- Cloud scams
- Consumer scams
- Commercial scams
- Corporate scams
- Dating scams
- Financial services scams
- Government scams
- Job offer scams
- Browser scams or push notifications
- Social media scams
- Technical scams
Evolving Trends in Phishing Attacks
As organizations adopt security solutions, attackers are also adopting innovative measures to evolve their phishing tactics. Some of these evolving trends in phishing attacks are:
- Abusing safe domains and trustworthy platforms:
Threat actors use external websites that redirect victims to phishing sites. Attackers use trusted domains to misdirect and manipulate users through tactics such as buying advertisements on search engines or posting as businesses in online marketplaces. This includes business and marketing automation tools that allow threat actors to generate phishing campaigns.
- Phishing as a Service (PhaaS):
Threat actors are procuring specialized services, including phishing campaigns, malware, and ransomware, to strengthen their attack portfolio. Some groups sell pre-built phishing offerings that make attacks much easier. Phishing campaigns are created and deployed using the skills of social engineering experts. The two most famous phishing-as-a-service operations are phishing kits and open-source frameworks. These are pre-built operations ready to be deployed and can mount a full-scale, highly potent attack.
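The "trusted domain that redirects elsewhere" trend above is something a defender can check for in proxy or email-gateway logs. The following is an added example, not code from the report or the original post: it classifies a captured redirect chain (the URL the user clicked followed by each Location hop) and flags chains that start on an allow-listed domain but land on an untrusted one, carry a full URL in a query parameter, or land on a host that merely contains a brand name. The allow-list, brand list and sample chain are constructed for illustration.

```python
"""Flag redirect chains that begin on a trusted domain and land somewhere else."""
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list and brand table; a real deployment would load these
# from configuration. "microsoft" is here because the report names it as the
# most imitated brand; microsoft.com is its legitimate registrable domain.
TRUSTED = {"example-marketplace.com", "ads.example-search.com"}
BRANDS = {"microsoft": "microsoft.com"}


def host_of(url):
    """Return the lowercase hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def has_url_parameter(url):
    """True when any query parameter carries an absolute URL (open-redirect shape)."""
    values = (v for vals in parse_qs(urlparse(url).query).values() for v in vals)
    return any(v.lower().startswith(("http://", "https://")) for v in values)


def classify_chain(chain):
    """Return a list of reasons a chain looks suspicious; empty means nothing found.

    chain: list of URLs, first = what the user clicked, last = final landing page.
    """
    reasons = []
    if not chain:
        return reasons
    first, last = host_of(chain[0]), host_of(chain[-1])
    if any(in_domain(first, d) for d in TRUSTED) and not any(in_domain(last, d) for d in TRUSTED):
        reasons.append("trusted_entry_untrusted_landing")
    if has_url_parameter(chain[0]):
        reasons.append("url_in_query_parameter")
    for brand, legit in BRANDS.items():
        # Brand name present in the landing host but not under the brand's own domain.
        if brand in last and not in_domain(last, legit):
            reasons.append(f"lookalike_of_{brand}")
    if urlparse(chain[-1]).scheme == "http":
        reasons.append("final_hop_not_https")
    return reasons


# Constructed sample: a marketplace "out" link whose url= parameter lands on a lookalike.
SAMPLE_CHAIN = [
    "https://example-marketplace.com/out?url=https://login-microsoft-verify.example/",
    "https://login-microsoft-verify.example/",
]
```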
Apart from these major evolving trends, a few more trends are gaining momentum in waging phishing attacks, such as smishing or SMS phishing attacks, man-in-the-middle attacks, COVID-19 scams, and crypto-related phishing.
Key Measures to Prevent Phishing Attacks
Organizations and individuals need to equip themselves adequately to protect against the attacks mentioned above. While it is increasingly difficult to eliminate all the risks associated with phishing attacks, users can practice some security measures to manage the risk and keep it to a minimum. Some of the key measures are:
- To understand the risks to inform policy and decisions better
- To leverage automated tools and intel to reduce attacks
- To build security awareness and promote user reporting
- To simulate phishing attacks to identify vulnerabilities
Additionally, some security controls can provide further protection, such as:
- Email scanning
- Multi-factor authentication
- Encrypted traffic inspection
- Antivirus software
- Advanced threat protection
- URL filtering
- Regular patching
- Zero trust architecture
- Threat intel feeds
Phishing attacks are carried out through various methods such as email spoofing, poisoned links that harvest victims' credentials, or malicious software. Organizations have constantly been suffering from this menace, and it is getting increasingly difficult to counter phishing threats as threat actors have become more creative and tactical in their approach.
While it is evident that such attacks are hard to eliminate, users should equip themselves with preventive measures to mitigate the risks. As attackers grow more innovative in their operations, organizations and individuals must strengthen their defenses through awareness and practical solutions, eliminating the vulnerabilities and entry points that malicious actors can exploit.