January 19, 2018 By Douglas Bonderud 2 min read

Corporate awareness of phishing attacks is on the rise, but that hasn’t stopped attackers from doubling down on efforts to infect enterprise networks and compromise employee data.

According to Wombat Security’s “State of the Phish” report, 76 percent of companies were hit by phishing in 2017, and half of IT professionals surveyed said the rate of attacks ramped up compared to 2016. These numbers suggest that phishing efforts aren’t water under the bridge just yet.

Phishing Attacks Persist Despite Heightened Awareness

With companies getting better at ignoring the bait, why are cybercriminals still putting the hook in the water? A PhishMe report found that 91 percent of data breaches begin with a spear phishing email, suggesting that employees are still clicking through to malicious websites and downloading infected files despite better training and heightened security awareness.

But cybercriminals are also branching out. The Wombat report highlighted the rise of smishing — phishing that uses text messages to initiate attacks — and vishing, which involves attackers making actual phone calls and convincing users to email confidential information or grant access permissions. In fact, 45 percent of security professionals said they experienced smishing or vishing last year.

With new techniques comes diminishing employee awareness. Until training methods catch up with current efforts, fraudsters will see improved success rates because employees simply aren’t trained to be suspicious of text messages or phone calls, especially in a mobile-driven technology market. Add in sophisticated phishing attacks that include well-written messages and seemingly legitimate links, and those that appear to originate from within organizations themselves, and it’s no surprise that phishing remains a lucrative cybercriminal pastime.

Bigger Phish to Fry

Threat actors are also getting creative when it comes to traditional email phishing. For example, the Daily Dot detailed a sophisticated scam that leverages the branding and images of popular streaming movie service Netflix. A user receives an email from “Netflix,” which contains familiar text and image elements and claims that the user’s credit card was declined. It’s well-written, professionally designed and very convincing — except for the actual email address itself, which is a random string of characters.

According to SC Magazine, enterprising fraudsters have also figured out a way to leverage cloud-based Google documents for phishing attacks. First, attackers upload malware files to Google Drive, then share a convincing Google Doc linked back to the malware. While the foundation here is a basic phishing scheme, the potential attack surface is massive, and users may not recognize the risk posed by cloud-based documents.

Avoiding the Hook

Threat actors are still baiting the hook and hoping users will bite. While employee training programs are reducing total response rates, malware-makers are getting creative with smishing, vishing and cloud-based attacks.

Fortunately, good advice for avoiding email attacks works for all other variants: If it seems suspicious, it is. If attachments or links don’t seem quite right, they aren’t. When in doubt, always swim away.

More from

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Regulatory harmonization in OT-critical infrastructure faces hurdles

3 min read - In an effort to enhance cyber resilience across critical infrastructure, the Office of the National Cyber Director (ONCD) has recently released a summary of feedback from its 2023 Cybersecurity Regulatory Harmonization Request for Information (RFI). The responses reveal major concerns from critical infrastructure industries related to operational technology (OT), such as energy, transport and manufacturing. Their worries include the current fragmented regulatory landscape and difficulty adapting to new cyber regulations. The frustration appears to be unanimous. Meanwhile, the magnitude of…

Generative AI security requires a solid framework

4 min read - How many companies intentionally refuse to use AI to get their work done faster and more efficiently? Probably none: the advantages of AI are too great to deny.The benefits AI models offer to organizations are undeniable, especially for optimizing critical operations and outputs. However, generative AI also comes with risk. According to the IBM Institute for Business Value, 96% of executives say adopting generative AI makes a security breach likely in their organization within the next three years.CISA Director Jen…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today