Phishing attacks are increasing and getting more sophisticated


Phishing is on the rise, and anyone who uses email, text messaging, and other forms of communication is a potential victim.

These attacks, in which cybercriminals send deceptive messages designed to trick users into giving out sensitive information such as credit card numbers or into launching malware on their systems, can be very effective if done well.

These types of attacks are becoming more sophisticated – more dangerous – and more common. An October 2022 study by messaging security provider SlashNext analyzed billions of link-based URLs, attachments, and natural language messages across email, mobile and browser channels over six months, and found more than 255 million attacks. That is a 61% increase in the level of phishing attacks compared with 2021.

The research shows that cybercriminals are shifting their attacks to mobile and personal communication channels to reach users. It shows a 50% increase in attacks on mobile devices, with fraud and credential theft at the top of the payload list.

“What we’re seeing is an increase in the use of voicemail and text as part of two-pronged phishing and BEC [business email compromise] campaigns,” said Jess Burn, senior analyst at Forrester Research. “The attackers leave voicemails or text messages about the email they send, giving credibility to the sender or increasing the urgency of the request.”

The company receives many inquiries from clients about BEC attacks in general, Burn said. “With geopolitical disputes disrupting the activities of ransomware gangs and cryptocurrency – their preferred method of ransom payment – to the end, bad actors will turn to ancient scams to make money,” he said. “So the BEC goes up.”

Criminals use phishing attacks based on tax season, shopping offers

One iteration of phishing that people should be aware of is spearphishing, a more targeted form of phishing that often uses topical baits.

“While it’s not a new tactic, topics and themes can evolve with world events or even seasonally,” said Luke McNamara, principal analyst at cyber security consulting firm Mandiant Consulting. “For example, when we are in the holiday season, we can expect to see more phishing lures related to shopping transactions. In the regional tax season, threat actors also try to exploit users in the tax filing process with phishing emails that contain tax themes in the subject line.”

Phishing themes can also be generic, such as emails that appear to be from technology vendors about resetting accounts, McNamara said. “More prolific criminal campaigns may use less specific themes, and more targeted campaigns by threat actors engaged in activities like cyber espionage may use more specific phishing baits,” he said.

What should people do to prevent phishing attempts?

Individuals can take steps to better defend themselves against phishing attacks.

One is to be careful when giving out personal information, whether to people or on websites.

“Phishing is a form of social engineering,” Burn said. “This means that the phisher uses psychology to convince the victim to do something that they would not normally do. Most people want to help and do what they are told by someone in authority. The victim to help with a problem or do something directly.”

If an email from a particular sender is unexpected, if it asks someone to do something urgently, or if it asks for information or financial details not usually provided, take a step back and look closely at the sender, Burn said.

“If the sender looks legitimate but something seems off, don’t open the attachment, and mouse over or hover on any hyperlink in the body of the email and look at the URL it goes to,” Burn said. “If it doesn’t look like a legitimate destination, don’t click.”

If a message that looks suspicious comes from a known source, contact the person or company through a separate channel and ask if they sent the message, Burn said. “You’ll save yourself a lot of trouble and you’ll alert people or companies to phishing scams if the email doesn’t come from them,” he said.

It’s good to stay up to date on the latest phishing techniques. “Cybercriminals continue to evolve their methods, so individuals need to be vigilant,” said Emily Mossburg, global cyber leader at Deloitte. “Phishers prey on human error.”

Another good practice is to use anti-phishing software and other cyber security tools as protection against potential attacks and to keep personal and work data safe. This includes automated behavioral analytics tools to detect and mitigate potential risk indicators. “The use of these tools among employees is growing,” Mossburg said.

Another technology, multi-factor authentication, “can provide one of the best layers of security for securing your email,” McNamara said. “This provides another layer of defense if a threat actor successfully compromises your credentials.”
