You might think that phishing is an old issue that everyone knows about. Unfortunately, the threat continues to evolve, and people continue to fall for it. Being informed is key: What does phishing look like in 2022 and how do you protect your business from it? Do your employees know? And do you?
Phishing has been with us ever since the 1990s. Much has been said about this common threat – how to recognize phishing, how to train your employees to protect their own as well as their employer’s devices, and much more. Nowadays, both companies and individuals have largely become aware of the issue, but the number of phishing attacks continues to rise, making it apparent that even today, cybercriminals view it as a productive way of getting what they desire. How is that possible?
1. Phishing adapts to the global situation
To achieve their goals, cybercriminals need to ensure that their victims will cooperate with their demands – and if they decide to hide their malicious intentions behind the context of the moment, it is more probable that they will succeed. Throughout a calendar year, cybercriminals make use of various events: for instance, at the beginning of a school year, they send phishing e-mails to parents, pretending they are official messages from educational institutions.
More recently, the dramatic events of the last 2-3 years have been abused by cybercriminals to hide their aims and to appeal to the human sense of fear or panic, or to the desire to help those in need. ESET’s T1 2022 Threat Report explains that “the war [in Ukraine] has been noticeably exploited by spam and phishing threats. Immediately after the invasion on February 24, scammers started to take advantage of people trying to support Ukraine, using fictitious charities and fundraisers as lures.”
Apart from the war, “other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council.” Using these issues as themes in their phishing attempts, cybercriminals try to lure those who are distressed by the situation, who want to help, or who simply believe that criminals wouldn’t go as far as using other people’s trauma for their own benefit.
2. Phishing changes its mask
Cybercriminals continue to change the type of websites they use as cover for their phishing attempts. According to ESET’s T1 2022 Threat Report, “websites masquerading as email services and gaming platforms were on the rise this period, the former increasing by 54% and the latter by a remarkable 291% in numbers of URLs seen. […] Although not placing in the top 10 categories, there was a notable 126% increase in travel-themed phishing URLs. These were almost exclusively represented by Airbnb copycats […].”
Additionally, phishing attempts on .com domains often use famous and trustworthy names in order to confuse and lure victims. Amongst the 10 most common .com domains used for phishing, Cofense names Google, Adobe and (Microsoft) SharePoint. When users see these trusted companies or products, they may be quick to assume the message is legitimate.
3. More sophisticated forms of phishing are on the rise
Many people still don’t realize that phishing does not equal e-mails with poor grammar. Phishing can have many forms and be quite sophisticated. Additionally, new forms of phishing continue to surface. Here are a few phishing types to be aware of in 2022:
Voice phishing (vishing) attacks start with a phone call that urges the person on the other end of the line to share their personal details with the attacker. Because the attack happens over the phone, vishing is harder to stop with the usual security measures. The best way to protect your business from this threat is to continuously educate your employees, showing them the different types of phishing they may encounter and making sure they understand that e-mail is no longer the only place where these attacks take place.
In spear phishing, the attacker may act in the name of a trusted company or vendor and address the victim in a way that makes the communication seem legitimate. Spear phishing includes Business Email Compromise (BEC) attacks – in these cases, cybercriminals hide behind the e-mail address of the victim’s employer or a business partner and trick the recipient into giving their money away.
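Part of the BEC pattern described above can be caught at the mail gateway from headers alone, before anyone reads the message. The Python below is an added example, not code from the article or from ESET; it assumes a hypothetical organisation domain (`example-corp.test`), one partner domain, a small directory of executive names with their real addresses, and four constructed messages. It flags a trusted display name on a foreign address, a Reply-To that quietly redirects answers to another domain, and a sender domain within two edits of a trusted one.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (hypothetical; not from the article).
ORG_DOMAIN = "example-corp.test"
PARTNER_DOMAINS = {"partner-supplies.test"}
# Display names attackers like to borrow, mapped to the real mailbox.
DIRECTORY = {"jane doe": "jane.doe@example-corp.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list:
    """Return the header-level BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. A known person's display name on an address that is not theirs.
    expected = DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to domain mismatch")

    # 3. Sender domain that is almost, but not exactly, a trusted domain.
    for trusted in {ORG_DOMAIN, *PARTNER_DOMAINS}:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            findings.append(f"look-alike of {trusted}")

    return findings


# Constructed messages for the demonstration (not real mail).
SAMPLES = {
    "ceo_from_webmail": (
        'From: "Jane Doe" <ceo.office@webmail-free.test>\n'
        "To: accounts@example-corp.test\n"
        "Subject: Urgent wire transfer\n\n"
        "Please process the attached invoice today and confirm."
    ),
    "partner_lookalike": (
        "From: billing@partner-supplles.test\n"
        "To: accounts@example-corp.test\n"
        "Subject: Updated bank details\n\n"
        "Our account number has changed; please use the new one."
    ),
    "reply_to_redirect": (
        'From: "Jane Doe" <jane.doe@example-corp.test>\n'
        "Reply-To: jane.doe@outside-mail.test\n"
        "To: accounts@example-corp.test\n"
        "Subject: Quick favour\n\n"
        "Can you buy some gift cards and send me the codes?"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example-corp.test>\n'
        "To: accounts@example-corp.test\n"
        "Subject: Q3 budget\n\n"
        "Figures attached for review."
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", bec_indicators(raw) or ["no indicators"])
```

These checks are deliberately cheap and header-only, so they belong in front of, not instead of, authentication controls such as SPF, DKIM and DMARC and the staff training the article recommends; an attacker who has taken over a real partner mailbox produces none of these indicators.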
Smishing targets victims through SMS and texting and often hides itself behind services that would usually communicate through text messages, such as food and package delivery companies. Similarly to vishing, this type of attack may circumvent traditional anti-phishing solutions and its success depends largely on the recipient’s education and awareness.
Whaling attacks mainly target high-profile employees (the “big fish,” hence the name) in order to steal sensitive information from a company. Since these attacks focus on designated individuals and adapt the content of the messages to fit their target, they may be rather difficult to detect and prevent.
The pandemic led to increased use of QR codes, for instance by restaurants that wished to avoid possible virus transmission via paper menus. Cybercriminals swiftly exploited this trend and started creating their own QR codes, hoping to trick people into unknowingly handing over their banking or personal information.
Security systems are taught to recognize certain types of phishing e-mails, but when cybercriminals change one small thing, the e-mail may slip through. That is exactly what happens in polymorphic phishing attacks – cybercriminals keep sending the same message while adjusting different parts of it ever so slightly. Once they have their first victims, they use those victims’ credentials to target others, which makes their attempts appear more trustworthy and confuses automated security systems even more.
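The reason those small adjustments work, and what a more robust check looks like, can be shown in a few lines. The Python below is an added example, not code from the article or from ESET, and uses constructed sample messages: a lure the filter already knows, two lightly modified copies of it, and one benign message. An exact SHA-256 signature of the body misses both copies, while comparing messages after normalizing links, numbers, case and spacing still matches them and leaves the benign message alone.

```python
import hashlib
import re

# Constructed sample messages (not from the article).
KNOWN_PHISH = (
    "Dear customer, your mailbox storage is full. "
    "Click http://mail-quota-check.example/verify?id=4411 within 24 hours "
    "to avoid suspension."
)
VARIANTS = [
    # One word inserted and a fresh tracking id.
    "Dear customer, your mailbox storage is almost full. "
    "Click http://mail-quota-check.example/verify?id=9023 within 24 hours "
    "to avoid suspension.",
    # Extra whitespace, a different host and a different deadline.
    "Dear  customer, your mailbox storage is full. "
    "Click http://quota-mail-check.example/verify?id=17 within 48 hours "
    "to avoid suspension.",
]
BENIGN = "Hi team, the Q3 planning meeting moves to Thursday 10:00; agenda attached."

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")


def exact_signature(text: str) -> str:
    """Hash of the raw body: the exact signature a naive filter would block on."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize(text: str) -> list:
    """Replace the parts an attacker can vary for free (links, numbers, case,
    whitespace, punctuation) with placeholders, keeping the lure's wording."""
    text = URL_RE.sub(" <url> ", text.lower())
    text = NUM_RE.sub(" <num> ", text)
    return re.findall(r"[a-z<>]+", text)


def shingles(tokens, k=3):
    """Overlapping k-word windows: word order survives, a single edit
    only disturbs the k windows that contain it."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of the normalized shingle sets, from 0.0 to 1.0."""
    sa, sb = shingles(normalize(a)), shingles(normalize(b))
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def exact_match_blocks(known: str, candidate: str) -> bool:
    return exact_signature(known) == exact_signature(candidate)


def fuzzy_match_blocks(known: str, candidate: str, threshold: float = 0.5) -> bool:
    # The 0.5 threshold is an assumption for this demo; tune it on real mail.
    return similarity(known, candidate) >= threshold


if __name__ == "__main__":
    for name, text in [("variant 1", VARIANTS[0]),
                       ("variant 2", VARIANTS[1]),
                       ("benign", BENIGN)]:
        print(f"{name}: exact={exact_match_blocks(KNOWN_PHISH, text)} "
              f"fuzzy={fuzzy_match_blocks(KNOWN_PHISH, text)} "
              f"score={similarity(KNOWN_PHISH, text):.2f}")
```

Normalizing the cheap-to-change parts is what turns one signature into a family signature; an attacker who rewrites the wording of the lure will still fall below the threshold, which is why the article pairs technology with employee education rather than relying on either alone.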
Social media phishing (SMP) may take many different forms. For instance, cybercriminals may share unsafe links from stolen profiles, infecting those who click on them with malware. Or they may steal a profile, contact someone on its friends list and ask for their mobile number or other data, which they then use to take over that person’s profile as well. SMP also includes angler phishing attacks, which target unhappy customers of various businesses: cybercriminals pose as a customer service account, contact the unhappy customers and either ask for information or share a link containing malware.
Cybercriminals are now often using the help of outside specialists known as Initial Access Brokers. These are hackers who focus solely on gaining the initial breach into a network or company account. The increasing use of these experts makes phishing attacks even more dangerous and harder for users to detect.
4. Old threats continue to work
As the previous point suggests, the evolution of phishing makes it necessary for potential victims to keep up with new trends and continuously improve their education on the variety of threats they may encounter. Still, even the traditional forms of phishing, however obvious their deceit may seem, continue to lure new victims.
At the beginning of 2022, Tripwire shared: “In 2022, it is somewhat unbelievable that ‘Nigerian Prince’ response-based attacks have increased by 3.3%. The fact that this decades-old scam still exists is almost breathtaking. Prior to the internet, these scams were transmitted via fax machines. Unfortunately, the [Agari and PhishLabs] report does not indicate the success rate of these scams, but their continued existence would suggest that they are still effective.” This seemingly humorous reminder shows that until security technology and effective education work together, even the most rudimentary threats will remain a risk to digital safety.