Phishing is today’s most dangerous cyberattack. Google noted a more than 600% spike in phishing attacks in 2020 compared to 2019 with a total of 2,145,013 phishing sites registered as of January 17, 2021, up from 1,690,000 on Jan 19, 2020. It is the gateway to many types of damaging cyberattack including ransomware, malware, business email compromise (BEC), spoofing, identity theft, brand impersonation and credential compromise.
Phishing doesn’t discriminate. It hits businesses of every size in every industry. Phishing attacks account for more than 80% of reported security incidents. The epic SolarWinds cybersecurity disaster that resulted in seismic shockwaves at the highest levels of government and business began with a humble phishing email. So did the 2020 Twitter hack. A massive, far-reaching ransomware incident at cloud computing giant BlackBaud also started as phishing. It’s a constant, malicious thorn in every organization’s side regardless of size or industry.
What is the Most Common Form of Phishing?
At its root, phishing is fraud. A typical phishing message arrives via email. Cybercriminals who craft phishing messages are sometimes known as phishermen. A phishing message will attempt to create content or a “lure” that is compelling enough to convince the target to interact with the message and perform an action, like clicking a link or opening an attachment. Other general terms for this type of cyberattack include email phishing, barrel phishing, blast phishing, cyber phishing and deceptive phishing.
What Are the Different Kinds of Phishing?
Phishing ebbs and flows based on opportunity. Cybercriminals are quick to jump on opportunities to exploit stress, fear, excitement or chaos to perpetrate phishing schemes. At the start of the COVID-19 pandemic, cybercriminals flocked to inundate newly remote workers with phishing messages, especially ransomware. Attacks targeting home workers rose five-fold in the first six weeks of the widespread lockdown in Western nations.
Trends in phishing during the COVID-19 pandemic are a good illustration of why phishing is so dangerous to businesses and so profitable for cybercriminals. Early in the saga, phishing messages targeted newly remote workers in an attempt to defraud anxious employees who were out of their comfort zone and away from strong in-office cybersecurity defenses. Then the spotlight turned to hospitals as data about the virus grew in value. After that, laboratories and research institutions were in the hot seat during the vaccine development stage. Finally, bad actors targeted logistics firms like cold storage companies needed to get the vaccine to consumers.
By far, the biggest nightmare that can result from a successful phishing attack is contracting ransomware. More than 90% of ransomware and malware arrives at businesses via a phishing email. These attacks are especially devastating because ransomware isn’t just used to snatch data and hold it for ransom. It’s also used to crash IT systems, shut down production lines, stop transportation and conduct other big impact cyberattacks. That’s why it is the favored weapon of nation-state cybercriminals. Two in five small and medium businesses were impacted by ransomware in 2020.
The most common subtype of phishing is spear phishing. In this style of attack, cybercriminals use information gathered bout the target to create a convincing message. This information is often gathered from the dark web. Approximately 95% of all attacks targeting enterprise networks are caused by successful spear phishing.
Whale phishing or whaling is a variant of spear phishing in which the phisherman is hunting for bigger prey: Executives. The goal is to either score an executive password that will provide them with easy entry into business systems and data or facilitate BEC fraud – 72% of whaling attacks impersonate a trusted source. These attacks are also mounted against highly privileged accounts like administrators and security personnel.
Smishing is phishing done through SMS text messages. This type of attack had a surge in popularity in mid-2020 with a 328% increase in April 2020 as cybercriminals sought to reach people in lockdown. In the same survey, 44% of respondents said they had seen an increase in scam text messages during the first two weeks of the nationwide quarantine period.
Another frequently phone-based attack, vishing is phishing with voice messages. A spike in phone-based phishing attacks in early 2020 was serious enough to elicit an FBI warning. That spike can in part be attributed to the COVID-19 pandemic, and the sudden shift to telework, leading to a massive increase in the use of virtual private networks (VPNs) and the elimination of in-person verification.
Business Email Compromise
Business email compromise is a sticky, multifaceted cybercrime that almost inevitably starts with a phishing attack. Cybercriminals use phishing to obtain a password for a corporate e-mail account. Then, they impersonate the real owner of the account to defraud other businesses of cash or sensitive data. 65% of organizations faced BEC attacks in 2020.
Lesser-Known, Newer Types of Phishing
Cybercriminals may have seen great success with classic phishing scams, but they’re not resting on their laurels. As styles of communication evolve, so do styles of phishing scams as bad actors seek to be sure that they’re maximizing their opportunities to strike.
Social media phishing or angler phishing is an increasingly popular vector of attack. Bad actors use imitation system and notification emails to lure targets into providing them with information and credentials. Some social media scams obtain information using fake job ads to gather company data or locate new targets. Particularly audacious social media scams entail cybercriminals creating a dummy account, sometimes called a sock account, then seeking connections with real accounts to add legitimacy to their profiles in order to up the authenticity factor of their phishing messages.
Social media accounts associated with angler phishing increased by about 40% in 2020. Emails with “LinkedIn” in the subject line led the list of most opened social media phishing emails again for 2020, marking its third year on top with a 47% open rate. Twitter clocked a 15% open rate, Facebook grabbed third at 12%, and Instagram and WhatsApp were a distant fourth at 5%.
This is a skyrocketing category of phishing. Brand impersonation accounts for 81% of all spear phishing attacks. In this type of phishing scam, cybercriminals carefully imitate brands that the target would be likely to trust. For businesses, these messages can purport to be from technology firms, service providers, distributors, vendors, transportation companies, insurers and other companies that would regularly communicate with other businesses.
The most imitated brands of 2020 clearly illustrate the social engineering effort that goes into cybercrime. The undisputed heavyweight champion is Microsoft, the star of 45% of brand impersonation scams targeted toward businesses. DHL is a distant second at 18%, and other sources like Amazon, Google, Chase, Yahoo and Rakuten were each under 10% of the total.