Corporate awareness of phishing attacks is on the rise, but that hasn’t stopped attackers from doubling down on efforts to infect enterprise networks and compromise employee data.
According to Wombat Security’s “State of the Phish” report, 76 percent of companies were hit by phishing in 2017, and half of IT professionals surveyed said the rate of attacks ramped up compared to 2016. These numbers suggest that phishing efforts aren’t water under the bridge just yet.
Phishing Attacks Persist Despite Heightened Awareness
With companies getting better at ignoring the bait, why are cybercriminals still putting the hook in the water? A PhishMe report found that 91 percent of data breaches begin with a spear phishing email, suggesting that employees are still clicking through to malicious websites and downloading infected files despite better training and heightened security awareness.
But cybercriminals are also branching out. The Wombat report highlighted the rise of smishing — phishing that uses text messages to initiate attacks — and vishing, which involves attackers making actual phone calls and convincing users to email confidential information or grant access permissions. In fact, 45 percent of security professionals said they experienced smishing or vishing last year.
With new techniques comes diminishing employee awareness. Until training methods catch up with current efforts, fraudsters will see improved success rates because employees simply aren’t trained to be suspicious of text messages or phone calls, especially in a mobile-driven technology market. Add in sophisticated phishing attacks that include well-written messages and seemingly legitimate links, and those that appear to originate from within organizations themselves, and it’s no surprise that phishing remains a lucrative cybercriminal pastime.
Bigger Phish to Fry
Threat actors are also getting creative when it comes to traditional email phishing. For example, the Daily Dot detailed a sophisticated scam that leverages the branding and images of popular streaming movie service Netflix. A user receives an email from “Netflix,” which contains familiar text and image elements and claims that the user’s credit card was declined. It’s well-written, professionally designed and very convincing — except for the actual email address itself, which is a random string of characters.
According to SC Magazine, enterprising fraudsters have also figured out a way to leverage cloud-based Google documents for phishing attacks. First, attackers upload malware files to Google Drive, then share a convincing Google Doc linked back to the malware. While the foundation here is a basic phishing scheme, the potential attack surface is massive, and users may not recognize the risk posed by cloud-based documents.
Avoiding the Hook
Threat actors are still baiting the hook and hoping users will bite. While employee training programs are reducing total response rates, malware-makers are getting creative with smishing, vishing and cloud-based attacks.
Fortunately, good advice for avoiding email attacks works for all other variants: If it seems suspicious, it is. If attachments or links don’t seem quite right, they aren’t. When in doubt, always swim away.