2022 was a record year…but not all records were good ones. Need an example? The SlashNext State of Phishing report looked at 6 months of 2022 and determined that phishing attacks increased by 61% this year.
As we evolve our business environments to be more and more digital, bad actors are evolving right along with them. And with the surge in popularity of bring your own device (BYOD) policies, the attack surface is expanding. The SlashNext report found a 50% increase in attacks targeting mobile devices, and an 80% increase in attacks from “trusted” services – like Amazon Web Services and Google. Tried and true security methods like email gateways and firewalls aren’t keeping this new generation of attackers at bay.
Phishing attacks today are becoming more realistic – and harder to spot. In this article, you’ll learn what phishing looks like today, and how to keep your organization safe.
How Phishing has Evolved
First, a quick definition for anyone who hasn’t encountered the term yet: phishing is a type of social engineering attack where cybercriminals pose as reputable companies or people and attempt to trick victims into giving up sensitive information. These bad actors typically pose as someone the victim knows (say, the CEO of your company) and demand a time-sensitive task be done that involves the victim entering private information, like a username, password, or credit card information.
Phishing began way back in the 90s, targeting AOL email and messenger accounts. These messages were initially pretty easy to spot, with clunky subject lines, misspelled content, and links to suspicious-looking sites. But over time, cybercriminals have honed their technique with engaging subject lines and legitimate-sounding sender names. Today’s attackers are often so sophisticated that there are no obvious red flags to signal a fake. Even the clickthrough links they embed can take you to seemingly legitimate websites.
What’s more, phishing attacks are no longer focused on one victim. Once a cybercriminal gains access to one user’s credentials, they can use that legitimate email address or phone number to send messages to other users in the organization. As many of us are less wary of messages sent from known senders, this can trigger a chain reaction of breached data.
Phishing Trends in 2022
Unfortunately, this evolution didn’t slow down in 2022. In fact, the attacks have become even more targeted – and trickier to spot.
Using “Trusted” Services
Cybercriminals are now attacking from platforms their victims already inherently trust. According to SlashNext’s report, 32% of all phishing attempts are now hosted on trusted services like Google, Microsoft, or Amazon. Office 365 customers recently experienced one such campaign, which tried to get users to grant consent to an OAuth app titled “Upgrade”. Nothing is downloaded in this kind of attack: once a user clicks Accept on the consent prompt, the app holds a token that lets the attacker create inbox rules, read and send email, and access calendars and contacts. The attacker never learns the user’s password, and because the user signed in to Microsoft legitimately, MFA does not stop it.
This phishing attack used legitimate Microsoft login and consent interfaces, making it very difficult to spot that it was a scam.
OAuth itself is a legitimate authorization standard supported by Google, Twitter, Facebook, and Microsoft: it lets a user grant a third-party application scoped access to their account at the identity provider without sharing their password. Because approving an app is a routine, expected action on these platforms, most victims would grant the Upgrade app its permissions without a second thought. The practical defences are to restrict which permissions users may consent to on their own (for example, requiring admin consent for mail and mailbox-settings scopes) and to review the consent grants that already exist in your tenant.
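The consent-grant review suggested above, as an added example that is not code from the article or from any vendor. The grant records are constructed, and their shape is an assumption modelled loosely on a Microsoft Graph oauth2PermissionGrant joined with its service principal (one record per app, delegated scopes as a space-separated string); the scope names themselves are real Microsoft Graph delegated permissions matching what the Upgrade app is described as doing.

```python
"""Triage OAuth consent grants for the consent-phishing pattern described above.

Added example. Grant records are constructed and their field layout is an
assumption; adapt the loader to whatever export your identity provider gives you.
"""
from dataclasses import dataclass

# Delegated scopes that let an app do what the "Upgrade" app is described as
# doing: read and send mail, change mailbox rules, read calendars and contacts.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create or change inbox rules",
    "Contacts.Read": "read contacts",
    "Calendars.Read": "read calendars",
}


@dataclass
class Grant:
    app_name: str
    publisher_verified: bool   # whether the IdP shows a verified publisher
    scope: str                 # space-separated delegated scopes
    consent_type: str          # "Principal" (a user consented) or "AllPrincipals" (admin)
    user_count: int            # distinct users who granted it


# Constructed sample: one ordinary line-of-business app and one that mirrors
# the Upgrade pattern (unverified publisher, user-level consent, mail scopes).
SAMPLE_GRANTS = [
    Grant("Upgrade", False,
          "Mail.ReadWrite Mail.Send MailboxSettings.ReadWrite "
          "Contacts.Read Calendars.Read offline_access",
          "Principal", 4),
    Grant("Contoso Expense", True, "User.Read Files.Read", "AllPrincipals", 120),
]


def risky_scopes(grant: Grant) -> list[str]:
    """Return the subset of the grant's scopes that are in HIGH_RISK_SCOPES."""
    return [s for s in grant.scope.split() if s in HIGH_RISK_SCOPES]


def triage(grants: list[Grant]) -> list[dict]:
    """Return grants with at least one high-risk scope, most suspicious first.

    Scoring (a heuristic chosen for this example, not a vendor formula):
      +1 per high-risk scope
      +2 if the publisher is not verified
      +1 if consent was given by an individual user (bypasses admin review)
      +1 if offline_access is present (refresh token keeps access alive)
    """
    results = []
    for g in grants:
        risky = risky_scopes(g)
        if not risky:
            continue
        reasons = [f"{s}: {HIGH_RISK_SCOPES[s]}" for s in risky]
        score = len(risky)
        if not g.publisher_verified:
            score += 2
            reasons.append("publisher not verified")
        if g.consent_type == "Principal":
            score += 1
            reasons.append("user-level consent, no admin review")
        if "offline_access" in g.scope.split():
            score += 1
            reasons.append("offline_access: refresh token persists after sign-out")
        results.append({"app": g.app_name, "score": score,
                        "users": g.user_count, "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_GRANTS):
        print(f"{hit['app']} (score {hit['score']}, {hit['users']} users)")
        for r in hit["reasons"]:
            print("   -", r)
```

Anything this flags deserves a human look: confirm the app with its supposed owner, revoke the grant if it is not legitimate, and then check the affected mailboxes for inbox rules the app may have created, since those survive the revocation.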
Playing off Current Events
Many cybercriminals look for ways to utilize current events in their attacks to add a sense of urgency and legitimacy. For example, a Twitter phishing attempt took advantage of the company’s recent news that it will begin charging users for verification and other premium features – and removing verification from those accounts who don’t comply.
The phishing message, sent via email, warns users that they will lose their current verification status unless they pay $19.00 a month – or fill out a quick and easy form to confirm their information. The email is rife with typos and confusing wording that should be a red flag for most readers. But playing off the very real concern that Twitter will start requiring payment for verification may have led some users to simply “verify” their account without reading the email fully.
Moving to Mobile
2022 has seen an increase in phishing scams targeting mobile phones and applications. TripWire’s Q1 2022 Phishing Threat Trends and Intelligence Report found a 107% increase in social media phishing from Q4 2021 to Q1 2022. The most common vector of attack is impersonation, where someone reaches out to an employee via LinkedIn, Twitter, or Instagram pretending to be a co-worker or a manager, for example. A bad actor will take a volume approach, such as InMailing many people in an organization the same malicious link. As soon as one person follows the link and enters their credentials on the fake login page, the criminal takes over that account and uses it to message other employees. Many users are suspicious of strangers messaging them strange-looking links, but can be easily fooled if the link seems to come from someone they trust.
Social media may not seem directly connected to your business. But what if a user uses the same password for both work and personal accounts, and that account is compromised on a social media app? Cybercriminals can easily then use the stolen credentials to access work applications, too.
How to Combat Today’s Phishing Attempts
Now that you know how cybercriminals are attacking, here’s a few tips to help you – and your organization – spot a potentially malicious attack before it can do damage.
Look for Typos, Odd Syntax or Unusual Addresses
Even in today’s more modernized criminal environment, many phishing attacks are still crudely done and full of obvious mistakes. For example, in the Twitter attack described above, a screenshot of one of the emails shows that the sender is using a gmail account – not a Twitter account. The header also has “verified” capitalized for no apparent reason, and there’s an extra comma as well. The body copy was roughly done, and is similarly full of typos and strange syntax that suggest it wasn’t created in a professional environment.
A screenshot of the phishing email designed to steal Twitter users’ credentials.
Encourage a workplace that questions before acting on any such communications. Sure, we all make typos from time to time. But if the email is supposedly coming from a business, these should be few and far between. Any one of these factors is a strong signal of foul play, and a combination of them should be treated as a phish until proven otherwise.
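The “unusual address” checks above are easy to automate on the headers of a suspicious message. The following is an added example, not code from the article: it parses a constructed sample message (modelled on the pattern described, a “Twitter” message sent from a consumer webmail account, not the actual email in the screenshot) and reports the sender-header red flags. The brand-to-domain table is an assumption standing in for whatever allow-list your organization maintains.

```python
"""Sender-header red flags for the "unusual address" advice above.

Added example. The sample messages are constructed, and BRAND_DOMAINS is an
illustrative assumption; replace it with your own list of brands and the
domains they legitimately send from.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed mapping: brand name a display name might claim -> domains the brand
# actually sends from. Illustrative only.
BRAND_DOMAINS = {
    "twitter": {"twitter.com", "e.twitter.com"},
    "microsoft": {"microsoft.com", "email.microsoft.com"},
}

# Constructed sample modelled on the pattern described in the article: a
# "Twitter Verified" message whose sender is a gmail account, with a Reply-To
# pointing at yet another domain (example.net is a reserved test domain).
SAMPLE_PHISH = """\
Return-Path: <twitterverifiedteam@gmail.com>
From: "Twitter Verified Team" <twitterverifiedteam@gmail.com>
Reply-To: <collect@example.net>
To: victim@example.com
Subject: Your Verified account, is at risk
Content-Type: text/plain

Confirm your informations today or lose your verified badge.
"""

# Constructed benign sample: internal mail whose headers all agree.
SAMPLE_LEGIT = """\
Return-Path: <bounce@example.com>
From: "IT Helpdesk" <helpdesk@example.com>
To: victim@example.com
Subject: Scheduled maintenance
Content-Type: text/plain

The VPN will be unavailable Saturday 02:00-03:00.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_findings(raw_message: str) -> list[str]:
    """Return the sender-header red flags found in a raw RFC 5322 message.

    Checks, all derived from the article's advice to look at the address:
      1. Display name claims a brand but the From domain is not that brand's.
      2. Reply-To domain differs from the From domain (replies go elsewhere).
      3. Return-Path (envelope sender) domain differs from the From domain.
    An empty list means no sender-header red flags were found; it does not
    mean the message is safe, since well-made phish pass these checks.
    """
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Brand impersonation in the display name.
    name_lower = from_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_lower and from_domain not in domains:
            findings.append(
                f"display name claims '{brand}' but address domain is '{from_domain}'")

    # 2. Reply-To steering replies to a different domain.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Envelope sender that does not match the visible From.
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(
            f"Return-Path domain '{rp_domain}' differs from From domain '{from_domain}'")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, sender_findings(sample) or "no sender-header red flags")
```

These checks catch the crude cases the article describes; they do nothing against a message sent from a compromised legitimate mailbox, which is exactly the chain-reaction scenario covered earlier, so they complement rather than replace verifying the request itself.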
Consider the Behavior of the “Sender”
One of the most common phishing attempts involves a cybercriminal impersonating a high-ranking leader in an organization, and then emailing or texting employees requesting bank account information, login credentials, or gift cards. These bad actors will often claim to be your CEO, call you by name, and say they need this information ASAP and are counting on you to deliver it.
On the surface, this may seem like a crude attempt that none of your employees would ever fall for. But the statistics say just the opposite. A 2022 report by KnowBe4 found that 31.4% of employees are likely to fall for such a scheme – that’s roughly 1 in 3. Ensure your company has clear protocols for text and email requests from executives, and an out-of-band verification step (for example, calling the executive back on a number you already have, never one supplied in the message) before anyone acts on such a request.
Invest in Team Training
Watching for typos, errors, and out of character requests may help employees avoid the majority of phishing attempts, but the threat landscape is changing – and evolving – every day. There’s really no prevention stronger than investing in regular team training to make sure your employees are aware of the latest phishing trends.
Here at JumpCloud, for example, we require quarterly security training. This keeps our employees up to date with the very latest trends and threats as soon as they come to light. These training sessions let your staff see what current phishing attacks look like, how to differentiate them from legitimate requests, and how to double-check any suspicious-sounding message in the context of your business structure. Training should also include a clear, documented process for verifying and reporting such messages, so employees feel empowered to exercise caution and warn other users of the threat.
Upgrade your Security
Just as cybercriminals up their game, you have to up your security to continue to combat them. And the best way to do that is to enforce single sign-on (SSO), multi-factor authentication (MFA) and policies at your organization.
Single sign-on gives your users just one location to enter credentials into to access their company resources. Fewer logins means fewer opportunities for a bad actor to gain a foothold, and fewer places for users to be trained to type a password, which makes a fake login page stand out. The flip side is that the SSO login becomes the one credential worth stealing, so it needs the strongest protection you have. SSO can be further improved with stringent password policies, such as a meaningful minimum length and screening new passwords against known-breached password lists; note that current NIST guidance (SP 800-63B) advises against forcing periodic password changes unless there is evidence of compromise, since routine rotation tends to produce weaker, predictable passwords.
Single sign-on is perfectly complemented by multi-factor authentication. For that one credential-entering process users must undergo, require a second form of verification, like a push notification to a private device. This gives bad actors just one surface to try to infiltrate per user, and with MFA in place, a stolen username and password alone is no longer enough. Two caveats a practitioner should keep in mind: push-based MFA can still be defeated by “push fatigue” (bombarding the user with prompts until one is approved) and by real-time phishing proxies that relay the victim’s session, and OAuth consent phishing like the Upgrade app never triggers MFA at all. Where you can, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which only work on the genuine site.
Phishing continues to become smarter, and harder to catch. But with a well-trained staff and top-of-the-line security solutions, you can ensure your organization doesn’t become just another victim statistic.
Choose JumpCloud for the Best Phishing Protection
While you can certainly purchase applications to handle your SSO and MFA, they often focus solely on application access without offering protection for devices or networks. The gold-standard of security is therefore an open cloud directory platform like JumpCloud. These all-in-one security solutions offer SSO and MFA, but they also include password requirements, policy creation, device and user management, and more, all easily managed in a single application. But don’t take our word for it. Create a free JumpCloud account to access the entirety of the platform for free today, for up to 10 users and 10 devices.