The New Face of Phishing Attacks in 2023
Phishing attacks have always been a cybersecurity weak point for small and midsized businesses, causing enormous financial losses and reputational damage every year. According to a report from Deloitte, 91% of all attacks start with a phishing email, making it far and away the most common type of cyberattack.
Empowered by artificial intelligence (AI) and the dark web, hackers have continued to evolve the threat of phishing attacks beyond simply sending bulk emails, turning it into a targeted form of attack that is far harder to detect and more dangerous than before. It’s time for businesses to take note: the new era of phishing attacks is here.
Here’s why phishing is getting more dangerous for Ohio businesses and what they need to do to improve their cyber defenses.
What is a Phishing Attack?
A phishing attack is a type of cyberattack that attempts to deceive users into revealing sensitive information, such as login credentials or financial data. By posing as legitimate electronic communication from a trusted source, phishing attacks target most businesses’ weakest point: their staff’s level of cybersecurity readiness.
Phishing attacks are used as a foothold into a business’s network. Once hackers have gained their initial access through phishing, they’ll slowly expand their access to sensitive technology and data, potentially doing months or years of harm to a business.
Phishing is Evolving Beyond Bulk Emails
Because anti-phishing technology has evolved and employees are becoming more skillful at detecting phishing emails, the modern phishing attack has evolved.
Hackers are now delivering attacks through channels like instant messaging, phone calls, and even leveraging trusted platforms, which should prompt business teams to rethink how they defend against phishing attacks.
Fraudulent Google Ads
Anyone can run a Google Ad for a specific keyword, displaying it to millions of people on the world’s most popular search engine, and this includes cybercriminals.
Hackers have found a way to exploit Google Ads to direct users to malicious websites. By creating an ad that impersonates a well-known brand, they can put their phishing websites at the top of popular search results.
Unsuspecting users click on these ads thinking they are visiting a legitimate website, only to be lured into a phishing trap where personally identifiable information (PII) can be stolen.
There have been several variations in this type of attack so far.
Researchers spotted one version of this attack in February where fake ads were running for Amazon’s popular AWS cloud service. The ad appeared second in Google search results for “AWS,” ranked right behind Amazon’s own promoted search results, making it highly visible to thousands of users. When clicked, the destination page (which looked exactly like the AWS sign-in page) asked users to enter their email addresses and passwords.
More benign versions of this technique are being used to make fast money. One example is a campaign in 2022 that targeted users of the cryptocurrency wallet Trezor. In the attack, the criminals ran a misleading Google ad that looked exactly like a legitimate ad for the service, resulting in users losing over $1 million worth of the digital coin.
Domain Lookalike Attacks
Another new form of phishing attack that we’ve noticed an uptick in recently is what’s known as “domain lookalike attacks.”
Lookalike domains are websites with URLs that closely resemble those of legitimate sites. The attacks use slight variations in spelling or the arrangement of characters to deceive users. An unsuspecting person is susceptible to these tricks, as we tend to process information quickly and may overlook subtle differences.
For instance, attackers might create a domain like “sample-bank.com” to mimic the legitimate site “samplebank.com.” Users who inadvertently visit the malicious site could be tricked into entering their login information or downloading malware.
The most successful attack of this type was the recent QuickBooks payments scam. In this attack, hackers sent malicious invoices and payment requests from notable brands like Norton or Office 365 using the official QuickBooks email and domain. The only way for users to see that the email was fraudulent is for them to closely examine the domain name in the email message header of the payment request.
Here are some example lookalike domains. Can you spot the difference?
- netflix.com vs. netffix.com
- kaspersky.com vs. kapersky.com
- facebook.com vs. facebock.com
Are you confident that you could spot one fake domain in all the emails you get every day? Most users aren’t taking the time to do so right now, meaning the attack has a high chance of success.
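One way to automate that comparison, as an added example that is not part of the original article: the sketch below pulls the sender domain out of a From header and flags it when it sits within a small edit distance of a domain the business trusts. The TRUSTED list, the function names and the sample header are assumptions; the sample domains are the ones listed above.

```python
from email.utils import parseaddr

# Assumption: the domains your organization actually does business with.
TRUSTED = {"netflix.com", "kaspersky.com", "facebook.com", "samplebank.com"}

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent) needed to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "ab" -> "ba", counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header value."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def classify(domain: str, max_distance: int = 2):
    """Return (verdict, closest trusted domain or None).

    verdict is 'trusted', 'lookalike' or 'unknown'. The whole domain is
    compared as given, so subdomains of a trusted domain come back as
    'unknown' and very short domains may need max_distance=1.
    """
    domain = domain.lower()
    if domain in TRUSTED:
        return ("trusted", domain)
    # Hyphen tricks such as sample-bank.com vs. samplebank.com.
    squashed = domain.replace("-", "")
    if squashed in TRUSTED:
        return ("lookalike", squashed)
    closest = min(sorted(TRUSTED), key=lambda good: edit_distance(domain, good))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample header, not taken from a real message.
    header = '"Billing" <invoice@kapersky.com>'
    print(sender_domain(header), classify(sender_domain(header)))
```

An "unknown" verdict only means the domain is not close to anything on the trusted list; it is not a statement that the sender is safe.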
Phishing Attacks Are Targeting Your Decision Makers
While these are not exactly new forms of phishing, both spear phishing and business email compromise (BEC) have become more prevalent in recent years.
What is Spear Phishing?
Spear phishing is a highly targeted form of phishing that focuses on specific individuals or organizations. Attackers gather information about their targets, such as their job titles, interests, or recent activities, to craft convincing messages.
One prominent example is the 2016 attack on the Democratic National Committee (DNC), in which hackers used spear-phishing emails to gain access to sensitive information. The attackers posed as Google’s security team and sent emails to DNC staff members, urging them to change their passwords due to a security breach. This ultimately led to the theft of thousands of emails, which were then leaked online.
What is Business Email Compromise?
In BEC attacks, cybercriminals impersonate high-level executives or business partners to trick employees into transferring funds or sharing confidential information. It involves using stolen email credentials to trick your employees into taking specific action.
According to the FBI, businesses across the US lost over $2.4 billion to Business Email Compromise (BEC) in 2021 alone.
For instance, in 2019, a Lithuanian man named Evaldas Rimasauskas was convicted for defrauding Google and Facebook out of over $100 million through a sophisticated BEC scheme. Posing as a Taiwanese hardware manufacturer, Rimasauskas forged invoices, contracts, and emails to deceive tech giants into transferring funds to his bank accounts.
New Forms of Phishing Require New Levels of Security
Businesses must prioritize security awareness and training across their organizations to combat the ever-evolving phishing threat. An excellent security awareness program should include the following components:
Regular Employee Training
Ensure all employees receive up-to-date information on the latest phishing techniques and how to recognize them. This training should be conducted weekly or bi-weekly—not annually—with refresher courses and testing to keep everyone aware.
Simulated Phishing Attacks
Consider testing your employees’ ability to recognize phishing attempts by sending them simulated phishing emails. This will help identify areas where additional training may be necessary and reinforce the importance of vigilance.
Continuous Reinforcement of Cybersecurity Best Practices
Use various communication channels, such as internal newsletters, posters, and team meetings, to remind employees of the importance of security and the role they play in preventing phishing attacks.
Multi-Layered Security Approach
Implement a combination of robust email filtering, multi-factor authentication, and endpoint protection solutions to safeguard your organization from phishing attacks. Make sure those applications are properly integrated and maintained to ensure maximum protection.
Stop Phishing with a Trusted Cybersecurity Partner
Phishing attacks are becoming more sophisticated than ever before, and many small and midsized businesses in Columbus and Cincinnati are struggling to stay safe on their own. For 20 years, the Astute Technology Management team has been helping businesses manage all their cyber threats, from phishing and ransomware to insider threats and cybersecurity training.
We’re here to help. Contact us at any time at 614 389 4102 or [email protected].