The cybersecurity landscape is constantly evolving, and new threats emerge regularly. While phishing is not a new type of cyber attack, its proliferation and evolution have cemented its status as the most significant and fastest-growing cybersecurity threat. Though attack surfaces have expanded and specific tactics have become much more complex and advanced, phishing remains cybercriminals’ preferred method and top tool for criminal activity.
According to the latest Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3), there were over 300,000 cases of phishing officially reported in 2022, more than five times what was reported for any other cybercrime type.
The Anti-Phishing Working Group (APWG) called 2022 a record year for phishing. In its latest Phishing Activity Trends Report, the group observed a record 1,350,037 phishing attacks in the fourth quarter of 2022 alone. The APWG, which analyzes attacks reported by its member companies and global research partners, logged more than 4.7 million phishing attacks in total in 2022. Since the beginning of 2019, the number of phishing attacks has grown by more than 150% per year. The financial sector remains the most-targeted industry, accounting for more than one-quarter of attacks.
Trickier Tactics & Emerging Cyber Threats
Cybercriminals continually find new ways to trick their victims into revealing login credentials or sensitive information through targeted and personalized phishing campaigns. These increasingly sophisticated methods are becoming more difficult to detect and defend against.
Phishing schemes and social engineering attacks have long relied on email to target victims, often with messages appearing to come from personal contacts such as a work supervisor or from a financial institution, professional organization, or website the victim recognizes.
Mobile and other non-email-based forms of phishing are dramatically on the rise. Stealthy, sophisticated mobile phishing methods, including vishing (voice phishing), smishing (SMS text phishing), and quishing (QR code phishing), reached their highest rates to date in 2022, according to Lookout’s Global State of Mobile Phishing Report. Part of what makes phishing attacks delivered via SMS so dangerous is that most mobile devices and operating systems don’t have any form of SMS phishing protection available to block cybercriminals’ efforts. Users also tend to trust messages they receive on their mobile devices and are more likely to respond to them or open the links they contain without a second thought.
Misspelled words or names and simple grammatical errors were once dead giveaways of a malicious phishing email. Now, however, artificial intelligence and machine learning tools can be used by cybercriminals to craft convincing emails. Targeted phishing attacks range from being topical, such as teasing shopping deals during the holiday season, to being disguised as part of the tax filing process during tax season.
Cybercriminals have also increased their use of major brand names, disguising phishing attacks as official messaging, including invitations, password resets, and credential verification prompts. Lookout’s report notes that Microsoft is the most abused brand name in phishing, with over 30 million messages using the company’s branding and mentioning products like Office, OneDrive, or Teams. Recently, Microsoft issued a warning alerting users to a new style of phishing campaign using Teams messages as lures for infiltrating corporate networks—a notable shift from traditional email-based initial access efforts.
Among the other most impersonated global brands, according to SlashNext’s latest State of Phishing report, are Google, DocuSign, Adobe, Dropbox, Apple, Amazon, Netflix, Bank of America, and Wells Fargo.
Fighting Back Against Phishing
Phishing preys on the weakest links in any organization’s security chain: individual users. The rise of remote and hybrid work has made many organizations more vulnerable, and malicious actors have more access than ever to easy-to-use phishing kits from the cybercrime-as-a-service market across the dark web.
Training employees to recognize and flag potential phishing scams is the first step in prevention. Working with cybersecurity partners that offer anti-phishing software, as well as systems for siloing compromised users’ accounts and segmenting backup data, is another step that can pay dividends in the event of a phishing incident.
Learn How RAMPxchange Allows You to Find Trusted Partners
Find the partners you can trust to keep your organization safe and secure at RAMPxchange. Our coalition of cybersecurity defenders can help protect your organization against today’s biggest risks and the growing threats of the future. Contact the RAMPxchange team to learn more and join today.