Phishing Attacks are Becoming More Frequent and Harder to Spot than Ever

We talk a lot about phishing attacks, and for good reason. These attacks are meant to trick users into providing sensitive and personal information, or into launching malware on their own systems. If you read our blog with any regularity, you already know that by now. However, we keep talking about it because people are still being fooled - and it’s not their fault. Attackers are getting really good at impersonating others and mimicking legitimate websites.

Another reason we need to keep talking about how dangerous phishing attacks are is that the number of attacks is increasing - making you more likely than ever to fall victim to one.

Messaging security provider SlashNext conducted a study in October 2022 and found that more than 255 million attacks had been conducted in a six-month period. They analyzed URLs, attachments, and natural language messages that were present in email, mobile and browser channels. That number is more than double that of the year before.

An interesting part of the study indicated that cybercriminals are starting to rely more heavily on mobile/personal communication attacks. This type of attack doubled in 2022, with scams and credential theft being the top attack types.

“What we’ve been seeing is an increase in the use of voicemail and text as part of two-pronged phishing and BEC [Business Email Compromise] campaigns,” according to Jess Burn, Senior Analyst at Forrester Research. “The attackers leave a voicemail or send a text about the email they sent, either lending credibility to the sender or increasing the urgency of the request.”

SlashNext says they have been receiving a lot of inquiries from clients about BEC attacks. “With geopolitical strife disrupting ransomware gang activity and cryptocurrency – the preferred method of ransom payment – imploding as of late, bad actors are going back to old-fashioned fraud to make money,” Burn said. “So BEC is on the rise.”

With tax season approaching, spearphishing – a more targeted form of phishing attack – will become more common as attackers use topical lures to hook their victims.

“While it is not a new tactic, the topics and themes might evolve with world or even seasonal events,” said Luke McNamara, Principal Analyst at cyber security consulting firm Mandiant Consulting. “During regional tax seasons, threat actors might similarly try to exploit users in the process of filing their taxes with phishing emails that contain tax themes in the subject line.”

Phishing attacks aren’t always super-focused, though. Many times, victims are tricked by simple emails from popular technology companies simply suggesting something like an account reset. “More prolific criminal campaigns might leverage less specific themes, and conversely more targeted campaigns by threat actors involved in activity like cyber espionage might utilize more specific phishing lures,” McNamara said.

So how can you fight against falling victim to a phishing attempt? One way is to be vigilant when giving out personal information.

“Phishing is a form of social engineering,” Burn said. “That means that phishers use psychology to convince their victims to take an action they may not normally take. Most people want to be helpful and do what someone in authority tells them to do. Phishers know this, so they prey upon those instincts and ask the victim to help with a problem or do something immediately.” 

Show concern and pause if an email from an unexpected source is either asking you to do something urgently or asking for information or financial details that are not normally provided.

“If the sender looks legitimate but something still seems off, don’t open any attachments and mouse or hover over any hyperlinks in the body of the email and look at the URL the link points to,” Burn said. “If it doesn’t seem like a legitimate destination, do not click on it.” 

You may receive an email from a known source that seems suspicious. In these cases, reach out to the person or company using a different method of communication and simply ask them if they sent the message. “You’ll save yourself a lot of trouble and you’ll alert the person or company to the phishing scam if the email did not originate from them,” Burn instructs.

It’s also smart to keep yourself knowledgeable about the latest phishing techniques. “Cyber criminals constantly evolve their methods, so individuals need to be on alert,” said Emily Mossburg, global cyber leader at Deloitte. “Phishers prey on human error.” 

Using anti-phishing software and other cyber security tools as protection is another great way to keep personal and work data safe.

Another useful and effective tool is multi-factor authentication, which “can provide one of the best layers of security to secure your emails,” McNamara says. “It provides another layer of defense should a threat actor successfully compromise your credentials.”

Story via CNBC
