Phishing scams are on the rise! Does that statement give you a feeling of déjà vu? Every time you look up anything to do with cybercrime and cybersecurity, you’ll probably see that exact statement or one just like it. And despite phishing being one of the oldest scams in the book, it is still a popular choice for malicious actors – because it still works!
According to Verizon’s 2021 Data Breach Investigations Report, data breaches occurring as a result of a successful phishing attack are up by a whopping 11% compared to the previous year. This means that phishing was a factor in 36% of data breaches in 2021. And yet research finds that 95% of organisations claim their employees have undergone phishing awareness training.
It is critical for businesses of all shapes and sizes to adopt a proactive and multilayered approach to prevent them from falling victim to phishing campaigns in and out of the workplace. So here are some of the most common phishing campaigns you and your employees might encounter over the next year.
Pandemic-related phishing emails
With remote work policies and social distancing in place, the pandemic saw a lot more people venturing online for everything from news to groceries and more. This meant malicious actors had a huge pool of unsavvy targets to victimise. Many scammers also played on people’s fears, misunderstandings, and loneliness to scam them out of money.
According to the Australian Competition and Consumer Commission (ACCC), health and medical scams accounted for over $3.9 million in losses, more than 20 times the losses recorded in 2019. Remote access scams increased by over 74%, accounting for $8.4 million in losses, while threat-based scams increased by 178% for a total of $11.8 million in losses.
Brand impersonation and deepfake campaigns
Despite people being told time and again to make sure that an email they receive comes from a legitimate source, brand impersonation phishing scams are still one of the most popular – and successful – phishing scams around. Fraud.net reports that the most commonly impersonated brands are PayPal, Apple, Google, Microsoft, and Facebook.
Other popular social media sites and online shopping venues are also common targets. Deepfake campaigns are a more sophisticated type of impersonation, often used in threat-based campaigns. Videos or photos are edited with the victim's face placed on compromising images, and they are so well done that they look real.
Malicious actors are also using AI voice technology in whale or spear-phishing attacks, recently managing to scam a company director out of US$35 million.
Delivery-related scams often take the form of smishing, or SMS phishing, where someone is sent an SMS regarding a package they’ve ordered or something that needs to be delivered. The user is prompted to click on a link so that they can confirm their delivery address or delivery slot, and is then taken to a phishing website that looks like the real thing.
With people ordering more online, and often working from home, it is common for their personal devices to be connected to a corporate network. So phishers may include a fake invoice that contains a malicious download, such as keylogger software or ransomware. Sometimes the attachment itself is not malicious but contains a link to the malicious download or website instead.
Tax-related scams are always common around tax season, with malicious actors prompting people to ‘claim their refund’ or informing them that there has been a problem regarding the paperwork they’ve submitted and threatening a fine if they don’t sort it out immediately. And they’re often successful because anything related to taxes is confusing and stressful.
Tax scams are particularly popular at the moment, thanks to the confusion surrounding COVID-19-related tax relief programs, the tax obligations on stimulus checks received from the government, and changes in income due to companies putting workers on short hours or shutting down completely.
Internal department phishing
As we said before, 95% of companies claim that their employees undergo regular phishing awareness training. And when they’re paying attention, most people are understandably suspicious of emails they receive from outside sources, even if those sources are usually completely trustworthy.
However, phishing is evolving as people get smarter, with many malicious actors combining their phishing campaigns with some degree of social engineering. And one tactic that has become increasingly popular in recent months is for phishers to impersonate someone from within the victim's own company.
They can often get all the information they need by searching sites like LinkedIn or the victim's company website. And people are more likely to trust an ‘internal’ mail, even if the request is a little odd. These emails may come from an external source such as Gmail (which most people tend to trust), yet business email compromise (BEC) attacks increased to 72% in the last year.
A BEC attack is where malicious actors have gained access to internal business email networks, either through a targeted phishing campaign or by seeking out disgruntled employees and paying them for their credentials. A popular version of this campaign is to prompt people to buy gift cards and share the details with the sender, promising that they will be reimbursed at a premium. The gift card numbers are then sold on the dark web.
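One defensive check for the internal-impersonation tactic described above, as an added example that is not part of the original post or the vendor's product: flag inbound mail whose display name matches a staff member but whose address is off-domain, and mail whose Reply-To diverts answers away from the visible sender. The corporate domain, staff directory and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the company's own domain and a tiny staff directory (hypothetical).
CORPORATE_DOMAIN = "example.com"
STAFF_DIRECTORY = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}

def normalise(name: str) -> str:
    """Lower-case a display name and strip punctuation so case and spacing differences are ignored."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", name.lower())).strip()

def flag_internal_impersonation(raw_message: str) -> list[str]:
    """Return the reasons an email looks like an outsider posing as a colleague (empty list = clean).

    Two cheap defensive checks that can run on every inbound message:
      1. the display name matches a staff member but the sender address is not on our domain
      2. Reply-To routes replies somewhere other than the visible From address
    """
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    reasons = []

    if normalise(display) in STAFF_DIRECTORY and domain != CORPORATE_DOMAIN:
        reasons.append(f"display name '{display}' matches staff but sender domain is '{domain}'")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        reasons.append(f"Reply-To '{reply_to}' differs from From '{address}'")
    return reasons

# Constructed samples: a gift-card request from a free-mail lookalike, a spoofed internal From with an external Reply-To, and a genuine internal message.
SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe.cfo@gmail.com>

Can you pick up some gift cards for a client and send me the codes? I'll reimburse you.
"""
SAMPLE_REPLY_TO = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.cfo@gmail.com

Please send the gift card codes to me directly.
"""
SAMPLE_LEGIT = """From: Sam Lee <sam.lee@example.com>

Servers reboot at 22:00 tonight.
"""
```

In practice these checks complement, rather than replace, SPF/DKIM/DMARC enforcement, since a spoofed From on the corporate domain is what the second sample represents.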
Protect your employees and your company from phishing attacks
Keeping your employees educated on the latest cybersecurity measures and digital safety best practice tips is vital to their safety and that of your company. We’ve developed a phishing simulation and cybersecurity program that earned us a place on the winner’s podium at the 2021 Learning Awards.
With our award-winning training options, you will be able to:
• See improvements to your organisation’s cybersecurity risk profile in as little as 90 days, thanks to comprehensive courses designed by highly experienced and certified cybersecurity professionals.
• Create awareness amongst your employees, thanks to our journey-based phishing awareness training.
• Make more intelligent cybersecurity decisions, thanks to the clearer frameworks our security awareness training will help you develop.
Our phishing awareness training sets a higher standard and allows you to amplify your company’s defences over the long term. So contact us today to request a demo or find out more about how we can help you and your employees stay safer in the digital workspace of today.