Phishing attacks are an ever-growing threat, and the methods used by cybercriminals are becoming increasingly sophisticated, making them harder to detect and evade.
In this article, Securus looks into the latest evolving trends and offers guidance on detection and prevention.
Key statistics from 2022
- Advanced phishing attacks grew by 356%
- AI tools have significantly contributed to the growth of phishing, with chatbot AI tools like ChatGPT enabling attackers to quickly develop more targeted phishing campaigns. Reducing the technical barriers to entry for criminals leaves organisations more vulnerable to attack.
- Education was the most targeted industry [PG1] with attacks increasing by 576%, followed by finance and insurance with an increase of 273%. The previous top target, retail and wholesale, dropped by 67%.
- The US, the UK, the Netherlands, Russia and Canada were the top five most targeted countries.
- Microsoft brands, including OneDrive and SharePoint, along with crypto exchange, Binance, were targeted the most in 2022.
- COVID-themed brand attacks accounted for 7.2% of phishing scams in 2021, but dropped to 3.7% in 2022.
Evolving phishing trends
Vishing attacks, short for ‘voice phishing’, happens when scammers attempt to lure victims into divulging sensitive information over the phone, such as personal ID, financial details or account credentials.
The attacker pretends to be a legitimate representative, such as a bank representative or tech support personnel, in order to gain the victim’s trust and manipulate them into providing confidential information.
2. Recruitment scams
In Q3 of 2022, JobsAware, a service that provides free help to UK victims, reported a 35% year on year increase in recruitment scams. Scammers are exploiting the high number of people now searching for job opportunities or switching jobs to boost their income.
Sophisticated techniques can be used to create a synthetic recruiting experience, for example, fake adverts, application processes and interviews, which are becoming more targeted and convincing.
In addition, with the increasing sophistication of conversational AI, it’s even easier for cyber criminals to create recruitment material that is relevant, convincing and tonally accurate.
Trusted platforms like LinkedIn are seeing a surge in fabricated job ads, websites or portals, with nearly 22 million fake accounts blocked by LinkedIn between January to June 2022 alone. Senior employees are the preferred targets for this type of scam. An attacker might post a fake LinkedIn advertisement with a phishing URL. Visiting the fake URL would let potential victims apply for the job. Once they’ve done so, the criminal can communicate with them, often impersonating an HR representative.
3. Man-in-the-Middle phishing attacks
Sophisticated Man-In-The-Middle (MiTM) attacks, also known as Adversary-in-Middle (AiTM) attacks, are helping attackers bypass multi-factor authentication (MFA) security measures.
An MitM attack occurs when the attacker intercepts communications between two parties. The hacker does this by secretly eavesdropping or modifying traffic between the two parties involved. MitM attacks can hijack login credentials, corrupt data, sabotage communications or spy on the target to gain sensitive information.
The best defence against MiTM attacks is to deploy strong end-to-end application encryption, making it more difficult for hackers to reroute traffic to sniffers or phishing sites. If the user has enabled MFA, it prevents the attacker from logging in to the account with only the stolen credentials.
4. Browser-in-the-Browser (BiTB) phishing attacks
BiTB phishing attacks simulate a login page window within a main phishing page that leads the intended target to believe they need to enter their single sign-on credentials (in a pop-up window) to continue using the website.
The malicious website or script runs within an inline frame (or iframe) or embedded browser window inside a legitimate website. It tricks users into thinking they are interacting with a genuine website when they’re actually providing sensitive information for a malicious end. It can be almost impossible for a user to distinguish a genuine pop-up from a well-designed phishing fake.
5. HTML smuggling and SVG files
Attackers often move HTML smuggling code into Scalable Vector Graphics (SVG), a vector graphics format based on XML used to create two-dimensional graphics that can be scaled without losing resolution.
6. “Hash in URL” phishing attacks
The “hash” in a URL refers to the portion of the URL that comes after the “#” symbol. Also known as the fragment identifier, it identifies a specific section within a web page, such as a section heading or a paragraph, and allows a user to navigate to that section directly by clicking on a link or bookmark.
This technique takes advantage of the fact that changes to the fragment identifier don’t trigger a full page reload, making it possible to display fake content, while retaining the appearance of a legitimate website.
Telltale signs of phishing scams
Phishing attacks can include multiple techniques. Personalised phishing attacks are becoming more challenging to detect as attackers develop advanced techniques to gather information about potential victims and dupe increasingly savvy user. The information is used to create tailored phishing emails that appear more legitimate and convincing, increasing their likelihood of success.
A telltale characteristic of online phishing scams is that they typically request users to submit information or download malware via one of the following methods:
- A link – the user clicks on a malicious link to a phishing site, hosted file or malware
- A prompt – the user is prompted to submit sensitive information, resulting in data theft
- An attachment – the user opens an attachment that delivers malicious software
Best practices to protect against phishing scams
IT security teams must have adequate protection in place to detect and mitigate damage. Some areas of protection to consider include:
- Email scanning: email is by far the most common phishing vector, so a cloud-based email scanning service that inspects emails before they reach the perimeter is key, with real-time protection against malicious links and domain name spoofing.
- Reporting: enable end users to report phishing attempts to block malicious senders and links as quickly as possible, ideally with a phishing reporting button built into users’ email clients.
- Multi-factor authentication: this is one of the most critical defences against phishing attacks. Authentication apps such as Okta Verify or Google Authenticator are particularly effective.
- Encrypted traffic inspection: more than 95% of attacks use encrypted channels, which often are not inspected, making it easy for even moderately sophisticated attackers to bypass security controls. Organisations must inspect all traffic, whether or not it’s encrypted, to prevent attackers from compromising their systems.
- Antivirus software: endpoints should be protected with regularly updated antivirus to identify malicious files and prevent them from being downloaded.
- Advanced threat protection: deploy an inline sandbox that can quarantine and analyse suspicious files and potentially malicious web content, without disrupting end user workflows.
- URL filtering: manage access to the riskiest categories of web content, such as newly registered domains.
- Regular patching: keep applications, operating systems and security tools up-to-date with the latest patches to reduce vulnerabilities.
- Zero trust architecture: deploy granular segmentation, enforce least-privileged access and continuously monitor traffic to find threats that may have compromised your infrastructure.
Securus Communications can help your organisation protect against phishing attacks, as well as assisting with training and educating your staff on cyber security.