Opinions expressed by Entrepreneur contributors are their own.
In our recent Consumer Cybersecurity Trends report, RAV researchers delved into the threats facing consumers over the last year. It was relatively unsurprising when once again, phishing took the top spot for cybercriminal activity.
There are various types and various ways for threat actors to pull off a phishing attack. Let’s dive into the most prevalent, and also the sneakiest, of ways that phishing is currently threatening the cybersecurity landscape for consumers today.
It may sound like old news by now, but phishing attacks by email don’t seem to stop coming — and it’s surprising how many people still fall victim to them.
This February, Reddit employees were victims of an email phishing campaign that affected hundreds of company contacts and employees. According to a Reddit statement at the time, “the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens.”
Whether this attack could have been avoided is up for debate. At the very least, the fact that an employee was aware enough to understand what was underway and raise the alarm to their security team is vital. The sooner an attack can be mitigated, the better.
As well as email phishing via malicious links and attachments, the weaponization of office documents sent via email has also increased. Office documents that hide macro code are still very common, and 2022 saw many files sent as phishing documents to lure users to run the malicious code.
Unlike the traditional “spray and pray” approach, whereby mass phishing emails are sent to as many recipients as possible in the hopes they’ll get at least a few hits, “spear phishing” is a targeted phishing attack aimed at a specific individual or organization.
Cybercriminals will research their target in order to personalize the attack and increase their credibility, with the intent of persuading the target to disclose sensitive information or trick them into making payments.
While finance teams and executives would seem to be the most likely targets of spear-phishing campaigns, sales departments might also see an increase — mainly because a sales team member is more likely to receive emails from outside an organization. These employees could be a viable entry point for hackers trying to infiltrate an organization.
Social media is also a factor here, as many employees that use social media, either for personal or professional use, underestimate just how vast their digital footprint may be. In Q1 of 2022, LinkedIn users accounted for 52% of all spear-phishing targets globally, and users were cautioned to be on their guard for a rise in spear-phishing campaigns.
The biggest takeaway here should be that criminals are looking for the weakest link in a company, no matter who they are trying to target. One wrong click from an unsuspecting employee is all it takes, so they will keep trying again and again to ensnare their next victim.
And taking spear phishing attacks to the next level, “whale phishing” targets the most senior-level company members, like the CEO or CFO. Whaling phishing techniques may involve impersonating these figureheads, in order to trick an employee into authorizing high-value money transfers to the attacker or disclosing vital company information.
In general, users are misguidedly more trusting of text messages than they are of email. In actual fact, as most smartphones can receive text messages from any number in the world, smartphone users aren’t really afforded any SMS privacy at all.
Phishing conducted via SMS, also known as “smishing,” will entice a victim into revealing personal information via a link through compelling SMS text messages. Unfortunately, not enough users are aware of the dangers of clicking links in text messages.
These links may lead to credential-phishing sites or inject malware designed to compromise the phone itself. The malware can then be used to spy on the victim’s smartphone data or silently send sensitive data to an attacker-controlled server.
But what is it that we are afraid of? What can a phishing attack lead to? Once a threat actor has access to data, they can set to work to use it for their own nefarious purposes — be it holding the data ransom, using it for financial theft or creating further disruption for a company (e.g., doxing or cyber espionage).
For example, Atlassian recently suffered a cybersecurity breach in the form of a phishing attack that compromised customers and business insider information, including company floor plans. The attack is thought to have been achieved through using an employee’s credentials. We see from this that phishing can lead to unwanted and unwarranted prying eyes into a company’s inner sanctums, and it puts both consumers and businesses at risk for further interference. The plethora of phishing techniques is presumably why it ranks as the preferred method of attack for so many cybercriminals.
To protect against phishing attacks, whether as a consumer, employee or business owner, following some basic guidelines will be invaluable:
Be wary of unsolicited mail and unexpected emails, especially those that call for urgency.
Double-check transactions or data disclosure through a secondary means of communication (e.g., phone calls or face-to-face).
Watch out for telltale signs of phishing attempts, such as the misspelling of words, the incorrect use of URLs and completely irrelevant messaging.
Additionally, pay attention to emerging technologies on the market — it remains to be seen whether newly available clever AI chatbots could be used to construct phishing emails.
Above all, ensure all staff has cybersecurity training. All employees should be aware of basic tactics used in spear phishing emails, such as tax-related scams, CEO fraud and other social engineering tactics via email. Education and awareness are key defense skills as the majority of these phishing techniques will only actually succeed due to human error.