January 19, 2018 By Douglas Bonderud 2 min read

Corporate awareness of phishing attacks is on the rise, but that hasn’t stopped attackers from doubling down on efforts to infect enterprise networks and compromise employee data.

According to Wombat Security’s “State of the Phish” report, 76 percent of companies were hit by phishing in 2017, and half of IT professionals surveyed said the rate of attacks ramped up compared to 2016. These numbers suggest that phishing efforts aren’t water under the bridge just yet.

Phishing Attacks Persist Despite Heightened Awareness

With companies getting better at ignoring the bait, why are cybercriminals still putting the hook in the water? A PhishMe report found that 91 percent of data breaches begin with a spear phishing email, suggesting that employees are still clicking through to malicious websites and downloading infected files despite better training and heightened security awareness.

But cybercriminals are also branching out. The Wombat report highlighted the rise of smishing — phishing that uses text messages to initiate attacks — and vishing, which involves attackers making actual phone calls and convincing users to email confidential information or grant access permissions. In fact, 45 percent of security professionals said they experienced smishing or vishing last year.

With new techniques comes diminishing employee awareness. Until training methods catch up with current efforts, fraudsters will see improved success rates because employees simply aren’t trained to be suspicious of text messages or phone calls, especially in a mobile-driven technology market. Add in sophisticated phishing attacks that include well-written messages and seemingly legitimate links, and those that appear to originate from within organizations themselves, and it’s no surprise that phishing remains a lucrative cybercriminal pastime.

Bigger Phish to Fry

Threat actors are also getting creative when it comes to traditional email phishing. For example, the Daily Dot detailed a sophisticated scam that leverages the branding and images of popular streaming movie service Netflix. A user receives an email from “Netflix,” which contains familiar text and image elements and claims that the user’s credit card was declined. It’s well-written, professionally designed and very convincing — except for the actual email address itself, which is a random string of characters.

According to SC Magazine, enterprising fraudsters have also figured out a way to leverage cloud-based Google documents for phishing attacks. First, attackers upload malware files to Google Drive, then share a convincing Google Doc linked back to the malware. While the foundation here is a basic phishing scheme, the potential attack surface is massive, and users may not recognize the risk posed by cloud-based documents.

Avoiding the Hook

Threat actors are still baiting the hook and hoping users will bite. While employee training programs are reducing total response rates, malware-makers are getting creative with smishing, vishing and cloud-based attacks.

Fortunately, good advice for avoiding email attacks works for all other variants: If it seems suspicious, it is. If attachments or links don’t seem quite right, they aren’t. When in doubt, always swim away.

More from

Will AI threaten the role of human creativity in cyber threat detection?

4 min read - Cybersecurity requires creativity and thinking outside the box. It’s why more organizations are looking at people with soft skills and coming from outside the tech industry to address the cyber skills gap. As the threat landscape becomes more complex and nation-state actors launch innovative cyberattacks against critical infrastructure, there is a need for cybersecurity professionals who can anticipate these attacks and develop creative preventive solutions.Of course, a lot of cybersecurity work is mundane and repetitive — monitoring logs, sniffing out…

Hacking the mind: Why psychology matters to cybersecurity

4 min read - In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology of cyber crime, the resilience of security professionals and the behaviors of everyday users combine to form the human element of cybersecurity. Arguably, it's the…

Stress-testing multimodal AI applications is a new frontier for red teams

5 min read - Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different "modes" of information into a consolidated picture of reality.We’ve now reached the point where artificial intelligence (AI) can do the same, at least to a degree. Much like our brains, multimodal AI applications process different types — or modalities — of data. For example, OpenAI’s ChatGPT 4.0 can reason across text, vision and audio, granting…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today