According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That’s a 33% increase from 2021.

One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a split-second mistake to cause major business and reputation loss. Cybersecurity workers must continually stay on top of new phishing trends. That way, they can use the right technology to help prevent the right types of attacks. Most importantly, they need to focus on training employees on how to spot and prevent attacks.

Here are five phishing trends that your organization is likely to see in 2022:

Voice phishing

You likely think of spam calls as just annoying. But that’s why vishing, or voice phishing, is on the rise. Cybersecurity training stresses not to click on links. However, many users do not realize that spam phone calls may actually be the start of a cybersecurity attack. In a vishing call, the person on the other end of a VoIP phone typically impersonates a legitimate organization, such as the IRS or a bank. From there, they ask the person who answered to visit a website. The attacker then uses the information entered into the website to launch a cyberattack. Common vishing scams include imposters (meaning the caller pretends to be someone else), debt relief scams and charity scams.

Vishing became such an issue in 2021 that the FBI even issued an alert. Proofpoint’s State of the Phish report found that 69% of the organizations were the recipient of a vishing attack. That’s an increase of 54% from 2020. Most concerning is that the X-Force index found that vishing attacks were three times more effective than a classic phishing scheme. Because the attack starts with the phone, using cybersecurity applications to stop the attack is challenging.

Train your employees about the rise of vishing and how to spot a vishing attack. Many vishing attacks are successful because employees don’t recognize this tactic as a potential cybersecurity attack. Stress to employees that they should never visit a website given to them over the phone. Keep employees updated on current vishing scams to help them more accurately spot threats.

Spear phishing

If you receive an email from a bank that you’ve never used before, then it’s very likely that you will recognize it’s a phishing email and hit delete. But if you get an email from your own bank, you are much more likely to fall for the scam. The difference is the first type of attack was a general phishing attack. The second is referred to as spear phishing, which is an attack targeted at specific people.

A 2021 FireEye report found that spear phishing recipients were 10 times more likely to click on the link than general phishing email recipients. Not surprisingly, spear phishing is on the rise. Proofpoint found that 79% of organizations were targets of spear phishing attacks. That’s an increase of 66% from 2020, which is a very concerning increase.

The IBM Threat Index found that the brands most imitated by threat actors were large and trusted companies. Attackers might pretend to be from Microsoft, Apple or Google. In addition, these types of attacks work as spear phishing since most consumers do business in some shape or form with these companies. Train employees to carefully look at logos and check email addresses. Often phishing attacks use an email that looks official at first glance. After close investigation, you’ll be able to see it is phony, such as [email protected]. You can also reduce the likelihood of a spear phishing attack gaining control of an employee’s access by installing multi-factor authentication on all employee accounts.

Smishing

Smishing is when threat actors target someone over SMS texting. One of the reasons that this type of attack is even more effective is many people do not have cybersecurity software on their phones. The same attack might get blocked on their laptop. Many people are not as aware of smishing. Therefore, they may be more vulnerable to falling prey over text than email. Proofpoint found that 74% of organizations faced smishing attacks in 2021, which is an increase of 13% from 2020.

Many people began using food delivery and meal kits during the pandemic. So, cyber criminals began creating smishing schemes mentioning these services. Other common schemes include upcoming package deliveries and giveaways.

Start by updating your cybersecurity training to include smishing. Surprisingly, Proofpoint found that only 26% of organizations included Smishing in cybersecurity training. You should also let employees know what type of legitimate SMS messages they may receive from your organization. That way, they know what to expect from their commonly used work systems. As new smishing schemes emerge, keep employees updated on new types of text messages to watch out for.

Social media phishing attacks

Attackers are increasingly turning to social media for their phishing attacks. Proofpoint found that 74% of organizations were targeted by social media phishing attacks. That’s an increase of 13% from 2020. Many people are suspicious of blatant phishing attacks on social media, such as a stranger messaging you through a private message on social media with a link to click. But other schemes are harder to spot. Attackers often take over accounts and then target their friends with phishing attacks. Other schemes include social media quizzes that get users to enter information that can then be used for social engineering accounts. Threat actors also create clone accounts of real companies to get people to click on malicious links thinking they are trustworthy.

How to protect your organization

With employees using personal devices for work with increased remote and hybrid work, social media phishing attacks are likely to continue to pose a big risk. You should include a section in your cybersecurity training on social media phishing and keep employees updated on new types of schemes. Require that any personal devices that employees use for work have the latest patches and company-approved cybersecurity technology installed.

Phishing is expected to remain a top threat as attackers get more creative in their social engineering and targeting techniques. By staying on top of the latest phishing schemes, you keep your employees up to date, too. If employees know that the latest trend is to impersonate a specific company or type of email, then they are going to be more aware and suspicious when that message lands in their social media account, email, text or even at the other end of a phone call.

More from Data Protection

Third-party access: The overlooked risk to your data protection plan

2 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors.The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In this…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today