Corporate awareness of phishing attacks is on the rise, but that hasn’t stopped attackers from doubling down on efforts to infect enterprise networks and compromise employee data.

According to Wombat Security’s “State of the Phish” report, 76 percent of companies were hit by phishing in 2017, and half of IT professionals surveyed said the rate of attacks ramped up compared to 2016. These numbers suggest that phishing efforts aren’t water under the bridge just yet.

Phishing Attacks Persist Despite Heightened Awareness

With companies getting better at ignoring the bait, why are cybercriminals still putting the hook in the water? A PhishMe report found that 91 percent of data breaches begin with a spear phishing email, suggesting that employees are still clicking through to malicious websites and downloading infected files despite better training and heightened security awareness.

But cybercriminals are also branching out. The Wombat report highlighted the rise of smishing — phishing that uses text messages to initiate attacks — and vishing, which involves attackers making actual phone calls and convincing users to email confidential information or grant access permissions. In fact, 45 percent of security professionals said they experienced smishing or vishing last year.

With new techniques comes diminishing employee awareness. Until training methods catch up with current efforts, fraudsters will see improved success rates because employees simply aren’t trained to be suspicious of text messages or phone calls, especially in a mobile-driven technology market. Add in sophisticated phishing attacks that include well-written messages and seemingly legitimate links, and those that appear to originate from within organizations themselves, and it’s no surprise that phishing remains a lucrative cybercriminal pastime.

Bigger Phish to Fry

Threat actors are also getting creative when it comes to traditional email phishing. For example, the Daily Dot detailed a sophisticated scam that leverages the branding and images of popular streaming movie service Netflix. A user receives an email from “Netflix,” which contains familiar text and image elements and claims that the user’s credit card was declined. It’s well-written, professionally designed and very convincing — except for the actual email address itself, which is a random string of characters.

According to SC Magazine, enterprising fraudsters have also figured out a way to leverage cloud-based Google documents for phishing attacks. First, attackers upload malware files to Google Drive, then share a convincing Google Doc linked back to the malware. While the foundation here is a basic phishing scheme, the potential attack surface is massive, and users may not recognize the risk posed by cloud-based documents.

Avoiding the Hook

Threat actors are still baiting the hook and hoping users will bite. While employee training programs are reducing total response rates, malware-makers are getting creative with smishing, vishing and cloud-based attacks.

Fortunately, good advice for avoiding email attacks works for all other variants: If it seems suspicious, it is. If attachments or links don’t seem quite right, they aren’t. When in doubt, always swim away.

More from

Who Carries the Weight of a Cyberattack?

Almost immediately after a company discovers a data breach, the finger-pointing begins. Who is to blame? Most often, it is the chief information security officer (CISO) or chief security officer (CSO) because protecting the network infrastructure is their job. Heck, it is even in their job title: they are the security officer. Security is their responsibility. But is that fair – or even right? After all, the most common sources of data breaches and other cyber incidents are situations caused…

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…