Phishing is a constant in the digital security landscape. “It’s almost as old as the internet itself and is still a very effective way to attack individuals and businesses,” says Ondrej Kubovic, ESET Security Awareness Specialist. Even though this threat has been around for so long, phishing can still surprise employees, managers, IT admins, and professionals. Here’s what you should know about recent developments in phishing.
Phishing filters can’t prevent all attacks
Even though many companies are using phishing filters, campaigns still make it through. While awareness might have improved in some areas, many people still fall for phishing. “People get lured to click malicious links, fill out seemingly trustworthy forms, or input their credentials on fake login pages. Part of the problem is that they can’t tell a fake URL from a legitimate one,” summarizes Ondrej Kubovic. At the same time, attackers have improved their methods of attack, relying on techniques such as impersonation and reply-chain attacks. Due to enhanced translations, poor grammar and style are increasingly a thing of the past, making it more difficult for employees to spot phishing messages.
As summed up by Ondrej Kubovic: “You cannot train every employee to identify every phishing attack. Attackers only need a few employees to make a mistake and divulge the information they need to launch a serious cyberattack. Several of the recent high-profile breaches, such as in the case of Dropbox, have been tracked back to a single person’s mistake.”
The top detection in 2022 was a phishing form
According to ESET telemetry, in 2022, the leading global detection was HTML/Phishing.Agent with almost 19% of attacks. These numbers grew in the first three months of 2023, reaching 37.5%.
As hybrid work became the norm for many companies, cybercriminals adapted and started imitating tools used for remote work. Popular phishing themes range from DHL and WeTransfer to DocuSign, Microsoft Office, and Microsoft Outlook. An effective phishing ruse is fake messages from your IT department asking employees to change their passwords. “Some attackers even use parts of the company’s claim or misuse the official branding, to make the attack look trustworthy,” warns Kubovic.
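As an added illustration (not ESET's detection logic and not code from this article), the Python heuristic below shows the kind of signal an HTML phishing form gives a defender: a form that collects a password and posts it to a host outside the organization's own domain, exactly the pattern of a fake "change your password" lure. The sample HTML and the domain example-corp.com are constructed for the example.

```python
"""Flag credential-harvesting forms in an HTML attachment (illustrative heuristic)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormScanner(HTMLParser):
    """Collect every <form>, noting its action URL and whether it has a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def suspicious_forms(html, expected_domain):
    """Return the action URLs of forms that collect a password and post it off-domain."""
    scanner = FormScanner()
    scanner.feed(html)
    hits = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        # A form is expected only on the organization's domain or one of its subdomains.
        if host and host != expected_domain and not host.endswith("." + expected_domain):
            hits.append(form["action"])
    return hits


# Constructed sample: a fake IT "password expiry" page with a lookalike collection host,
# plus a legitimate-looking SSO form and a harmless search form that must not be flagged.
SAMPLE = """<html><body>
<h1>IT Department: your password expires today</h1>
<form action="https://login.example-corp-sso.net/collect.php" method="post">
 <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="https://sso.example-corp.com/login" method="post">
 <input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    print(suspicious_forms(SAMPLE, "example-corp.com"))
```

A real mail gateway would combine this with sender checks and reputation data; the point here is only to make the "phishing form" detection category concrete.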
Phishing is old, but not to be underestimated
Even though phishing might seem outdated and discussed a tad too frequently, it should not be underestimated. The takeaway for IT specialists? “Inform your employees if there’s an ongoing phishing campaign against the company, and make sure they know how to report any suspicious content and behavior. If there has been an incident, analyze whether there was a human error at the beginning of the attack, and, if so, use it as training material,” recommends Kubovic. The earlier you detect a phishing attack, the better the company’s chance of avoiding data loss and financial damage.
A company with limited resources can consider outsourcing its IT security. “Companies that lack internal security capacities can hire a Managed Service Provider (MSP) that will take care of their digital security, or at least, some parts of it,” says Kubovic. MSPs can offer a higher standard – but only if responsibilities and specific aspects of the service are set up correctly in the contract.
As MSPs become increasingly popular targets – such as the enterprise tech firm Kaseya in 2021 – your company could become an indirect victim of a supply-chain attack. Thus, it is crucial to verify what the MSP is doing to prevent such a scenario and what plans it has in case it happens. “Before choosing your MSP, identify your business-critical data and systems, and ensure the contract covers their protection and potential recovery,” suggests Ondrej Kubovic, from ESET. “In the end, MSPs are responsible for their and your security. As a crucial partner, they should be just as reliable as your internal experts.”