Phishing attacks make use of social engineering and are spread via messages and emails. The goal of these malicious schemes is to fool the victims into handing over sensitive and personal information such as payment-card details and passwords. They may even get people to perform acts like transferring money to someone by wire transfer or downloading malware. To make things worse, phishing schemes continue to grow in sophistication and are increasingly threatening businesses with targeted attacks (spear phishing).
Although spam filters can prevent most phishing emails from reaching your inbox, the sophisticated ones can get past the defenses. Studies have shown that most people know about the nature and dangers of phishing attacks. This has been made possible by the many simulations and exercises conducted by businesses to train their staff on ways to spot the ill-meaning messages and emails.
However, cybercriminals are still having quite a bit of success with phishing attacks, and their use is still widespread. Also, hackers keep changing their tactics for getting past the anti-phishing defenses put in place. Here are the top phishing stats you need to know in 2020.
2019 saw the highest number of attacks in the last 3 years
As per the APWG’s Phishing Activity Trends Report, phishing attacks recorded in the 3rd quarter of 2019 were the highest recorded since 2016.
Most of the attacks involved credential phishing
As per Cofense’s 2019 Phishing Threat and Malware Review, around 74% of the phishing attacks carried out between Oct 2019 and Mar 2019 engaged in some form of credential phishing, such as harvesting usernames and passwords.
It is hard to prevent such attacks as there are no “easy to catch” signs on emails to classify them as malicious. A lot of them originate from company email accounts that have been hijacked – a technique called BEC (business email compromise).
Spear phishing is the most prevalent form of attack
As per Symantec’s 2019 Internet Security Threat Report, spear-phishing emails were employed by around two-thirds of all known cybercriminal groups engaged in targeted attacks. The report also reveals that 96% of all such malicious acts are undertaken with the goal of gathering intelligence.
Human intelligence is our best bet to thwart these attacks
Cofense reiterates in its report that awareness training is critical to prevent phishing attacks. It provides a specific example of a big healthcare business where a phishing attack was blocked in merely 19 minutes because the users reported the suspicious emails quickly, which allowed the security operations team to act swiftly.
Phishing attacks are growing in sophistication
For instance, Cofense stumbled on .iso files whose extensions had been changed to .img to get the malware through defenses that filter on the file extension. There were more instances of unusual file types being used in phishing campaigns to pass through the gateways easily.
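The renamed-.iso trick works against a gateway that decides on the file extension alone. The following is an added example (not code from the article or from Cofense) of the difference between an extension-only attachment policy and one that also sniffs the content: ISO 9660 images carry the identifier "CD001" at byte offset 0x8001 regardless of what the file is called. The blocklists, the sample attachment and the file names are constructed for the example.

```python
"""Extension-only vs. content-aware attachment screening (added example)."""

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type, bytes 1..5 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Leading-byte signatures for a few other formats a gateway can recognise.
HEAD_SIGNATURES = {
    b"MZ": "pe",                                        # Windows executable
    b"PK\x03\x04": "zip",                               # ZIP container (also docx/xlsx)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",         # legacy Office compound file
    b"%PDF": "pdf",
}

# Constructed policy: what an extension-only filter blocks, and what a
# content-aware filter blocks in addition.
BLOCKED_EXTENSIONS = {"iso", "exe", "scr", "js", "vbs"}
BLOCKED_CONTENT_TYPES = {"iso9660", "pe"}


def sniff_type(data: bytes) -> str:
    """Classify an attachment by its bytes, ignoring the file name."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    if len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC:
        return "iso9660"
    for magic, name in HEAD_SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def extension_only_verdict(filename: str) -> str:
    """The weak policy: looks at the name the sender chose."""
    return "block" if extension_of(filename) in BLOCKED_EXTENSIONS else "allow"


def content_aware_verdict(filename: str, data: bytes) -> str:
    """The stronger policy: the sniffed type is checked first, then the extension."""
    if sniff_type(data) in BLOCKED_CONTENT_TYPES:
        return "block"
    return extension_only_verdict(filename)


def analyze(filename: str, data: bytes) -> dict:
    """Both verdicts side by side, plus whether name and content disagree."""
    ext, kind = extension_of(filename), sniff_type(data)
    return {
        "filename": filename,
        "extension": ext,
        "sniffed": kind,
        "mismatch": kind == "iso9660" and ext != "iso",
        "extension_only": extension_only_verdict(filename),
        "content_aware": content_aware_verdict(filename, data),
    }


def make_fake_iso() -> bytes:
    """Constructed stand-in for an ISO image: 16 empty system sectors plus a
    minimal primary volume descriptor. Enough for the signature check only."""
    buf = bytearray(0x8000 + 2048)
    buf[0x8000] = 1                       # descriptor type: primary volume descriptor
    buf[0x8001:0x8006] = ISO_MAGIC
    buf[0x8006] = 1                       # descriptor version
    return bytes(buf)


if __name__ == "__main__":
    for name, blob in [("invoice.iso", make_fake_iso()),
                       ("invoice.img", make_fake_iso()),
                       ("report.pdf", b"%PDF-1.4 constructed sample")]:
        print(analyze(name, blob))
```

Running the block shows the point of the Cofense finding: the same bytes named invoice.iso are blocked by both policies, but named invoice.img they pass the extension-only filter and are caught only by the content-aware one. A real gateway would extend the signature table and, for containers such as ZIP, recurse into the members.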
Cofense also pointed out other sophisticated types of phishing attacks being launched. Since users are likely to trust the likes of OneDrive and SharePoint sites, hackers used many cloud-based file-sharing services as a major component of their schemes. There were reports of 5200+ SharePoint phishing emails within a 12-month span; around 2000 OneDrive attacks were also observed.
Shortened URLs and Zombie Phish tricks are being used
In a Zombie Phish attack, the perpetrator gains access to an email account and inserts a phishing link while responding to an old email chain. It is easy for the recipient to get trapped as they recognize both the sender and the subject.
Another tactic that was observed was shortened URLs. URL filters do not typically block such links because the actual destination cannot be determined from the link itself. Shortened links are also likely to slip past the vigilant eyes of anyone who is looking for suspicious domain names.
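Because the filter cannot judge a shortened link from its text, a defender has to resolve it. The following is an added example (not code from the article) of triage logic for links in an email body: it flags links whose host is a known shortener and follows the redirect chain, hop by hop and with a hop limit, until a final destination appears or the chain loops. The redirect lookup is injected as a function so the example runs offline; here it is a constructed in-memory map, and the shortener list, email text and domains (all under .invalid) are likewise constructed.

```python
"""Shortened-link triage with bounded redirect resolution (added example)."""
import re
from typing import Callable, Optional
from urllib.parse import urlparse

# Constructed list of shortener hosts; a deployment would maintain its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
MAX_HOPS = 5

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list:
    """Pull http(s) links out of a message body, dropping trailing punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_shortened(url: str) -> bool:
    return host_of(url) in SHORTENER_HOSTS


def expand(url: str, lookup: Callable[[str], Optional[str]], max_hops: int = MAX_HOPS):
    """Follow redirects one hop at a time. `lookup(url)` returns the next
    Location or None when the URL serves content directly. Returns the chain
    visited and whether a final destination was reached within the limit."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, True
        chain.append(nxt)
        if nxt in seen:                     # redirect loop: stop early
            return chain, False
        seen.add(nxt)
    return chain, False                     # hop limit hit; treat as unresolved


def triage(body: str, lookup: Callable[[str], Optional[str]]) -> list:
    """One record per link: whether it was shortened, where it ends up, and
    how many hops it took. Unresolved chains are reported for manual review."""
    records = []
    for url in extract_urls(body):
        chain, resolved = expand(url, lookup)
        records.append({
            "url": url,
            "shortened": is_shortened(url),
            "final": chain[-1] if resolved else None,
            "final_host": host_of(chain[-1]) if resolved else None,
            "hops": len(chain) - 1,
            "resolved": resolved,
        })
    return records


# Constructed redirect map standing in for live HEAD requests.
REDIRECTS = {
    "https://bit.ly/3abcdef": "https://tinyurl.com/y2xyz",
    "https://tinyurl.com/y2xyz": "https://account-verify.invalid/login",
    "https://is.gd/loop1": "https://is.gd/loop2",
    "https://is.gd/loop2": "https://is.gd/loop1",
}

SAMPLE_BODY = """Hi, please review the shared document at https://bit.ly/3abcdef.
Our policy portal is https://intranet.example-corp.invalid/policies and the
survey is at https://is.gd/loop1"""


def lookup_from_map(url: str) -> Optional[str]:
    return REDIRECTS.get(url)


if __name__ == "__main__":
    for rec in triage(SAMPLE_BODY, lookup_from_map):
        print(rec)
```

In practice `lookup` would issue a HEAD request with redirects disabled and return the Location header, never fetching a body; the final host is what a gateway should score against its reputation data, and an unresolved chain (loop or hop limit) is itself a reason to hold the message.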
Users on SaaS and Webmail are still the most targeted
As per the APWG report, webmail and SaaS users are the targets of almost one-third of all phishing attacks. Hackers use webmail credentials to launch BEC attacks, while corporate accounts are accessed using stolen SaaS credentials. The other heavily targeted groups are financial institutions (19%) and payment services customers (21%).
Smaller companies get more malicious emails
As per Symantec, employees of smaller companies have a higher probability of receiving email threats such as spam, email malware, and phishing links. For instance, organizations that employ between 1 and 250 people had a rate of 1 malicious email in 323. On the other hand, companies that employ between 1001 and 1500 individuals saw a much lower rate of 1 in 823.
Mining companies are the most likely to be hit by phishing emails
Symantec has provided industry-wise malicious email rates. The mining sector tops the list with 1 in 258 harmful emails, with agriculture, forestry & fishing (1 in 302) and public administration (also 1 in 302) following closely. The next industries on the list of most targeted are manufacturing, wholesale, and construction.
Saudi Arabia is likely to see the highest number of malicious emails
Saudi Arabia received the highest number of malicious emails (1 in 118), and the US had one of the lowest rates (1 in 674). However, as per Proofpoint’s State of the Phish 2020 report, around two-thirds of US companies were successfully targeted by phishing attacks last year, which is way higher than the global 55% average.
Phishing attacks led to many data breaches
As per Verizon’s Data Breach Investigation Report for 2019, phishing was the top threat leading to data breaches – 32% to be precise.
Phishing is known by different names across generations
As per Proofpoint, phishing is known by different terms across generations. Of the 4 age brackets, baby boomers (people more than 55 years old) were most familiar with “ransomware” and “phishing”, while they were less likely to be aware of “vishing” and “smishing”.
Sextortion is common in phishing
As per Cofense, sextortion scams delivered through phishing schemes are becoming a growing problem. The seemingly generic emails exploit human emotion and pressure the victims into paying a ransom using the tactics of panic and fear. These payments are typically demanded in bitcoin or other cryptocurrencies to evade identification.
More than 7 million email addresses were found to be affected by sextortion during the first 6 months of 2019. Additionally, the Cofense report revealed that bitcoin payments of $1.5 million had been made to wallets owned by extortionists. A sextortion botnet was also reported to have sent 30,000 emails per hour at the end of 2019.
Ransomware continues to spread via spear phishing
As per the McAfee Labs Threat Report for 2019, spear phishing is still the preferred method of delivering ransomware, particularly Ryuk and GandCrab.
SEGs can also be attacked by phishing
Of all the phishing attack reports Cofense received, 90% were found in environments using SEGs (Secure Email Gateways). The reason for this is that advances in phishing tactics have made it extremely hard for even the most sophisticated detection mechanisms to keep up. Also, SEG developers have to maintain a balance between productivity and protection – and then there is the problem of SEG misconfiguration.
CVE-2017-11882 is still commonly exploited
CVE-2017-11882 is an MS Office remote code execution vulnerability. Though this vulnerability was discovered in 2017 and many updates were released to patch it, Cofense found that 45% of malicious attachments continue to exploit this hole. It is expected that this problem will go away as more companies patch their systems for the CVE-2017-11882 vulnerability.
Location-awareness observed in some payloads
As per Cofense, the geolocation determined from your IP address may control the behavior of a phishing payload after it has been delivered. For instance, a given piece of content may be harmless in one country but malicious in another.
Gift cards continue to be popular for collecting ransom
APWG reported that 56% of BEC phishing attack victims were asked to pay in gift cards in the 3rd quarter of 2019, which was down from 65% in the 2nd quarter. Other preferred kinds of payment are diverting payroll (25%) and direct transfers (19%).
Cost of a custom phishing page is between $3 and $12
From an attacker’s perspective, the underground industry supporting phishing pages charges anywhere between $3 and $12 for a custom page, as per the figures Symantec collected by monitoring the dark web.
In summary, these were the top phishing stats you need to know in 2020. The figures show that phishing attacks will keep getting more sophisticated, and the focus on social engineering is going to keep increasing. It is hard to say with certainty what the future will bring. For now, it can be safely assumed that, at least for the immediate future, phishing will continue to be a substantial threat to both businesses and individuals.