Let’s face it: It’s close to impossible that any of us would send money to a Nigerian prince in distress who emails us out of the blue. Yet, people still fall for similar attacks, even when we’ve come a long way from a time when they had a chance to work. How come? Well, it surely helps that those phishing attempts have evolved into highly sophisticated attacks.
So much so that phishing has become one of the most successful and popular hacking techniques out there. In fact, the FBI’s Internet Crime Complaint Center (IC3) found that phishing attacks were the most common type of cybercrime during 2020, a trend that doesn’t seem to be declining any time soon.
So, since we’re living in a world where phishing is a palpable and ubiquitous phenomenon, it’s better if we understand what it’s all about, why it’s so popular, and what you can do to reduce the risk of falling victim to it.
What Is Phishing?
As you can imagine, “phishing” comes from “fishing,” as the attack basically consists of using bait to catch prey. A more formal definition of phishing would say that it’s a technique through which malicious actors try to acquire sensitive information by using deceitful means that make them appear as legitimate and reputable businesses or individuals.
The most common form of phishing comes through email. The Nigerian prince example above is one of the most widely known phishing attacks, but there are many, many others that are more sophisticated. For instance, hackers use emails to lure people into giving away their bank account information or their login data for streaming services. Naturally, there are other phishing schemes, mostly through fraudulent websites and fake phone calls.
Types of Phishing Attacks
Phishing attacks can be classified depending on how they are delivered, how sophisticated they are, or who they target. Thus, the most common types of phishing you should watch out for today include:
- Advanced Malware Phishing. This is the typical phishing attack that has evolved into a new form that’s harder to detect automatically and more deceptive. These messages often pose as official communications from well-known entities (from big corporations to government agencies and organizations) and prompt recipients to provide personal information or download an infected file.
- Vishing. Hackers also use phone calls to get their target’s personal information. The name “vishing” comes from “voice phishing” and it’s exactly what it sounds like: Someone calls the target and convinces them that they need to provide certain data to avoid going into debt, being arrested, having bank accounts shut down, or other similar threats.
- Smishing. Aside from emails and phone calls, hackers also use text messages to perpetrate their attacks. That’s when smishing appears—a text message that tries to get personal data. Though the name “smishing” refers to “SMS phishing,” the reality is that this technique encompasses all messenger platforms, including WhatsApp and Facebook Messenger.
- QRishing. Following the same formula as vishing and smishing, QRishing is all about phishing through QR codes. With the rising popularity of such codes thanks to social distancing during the pandemic, QRishing attacks are starting to increase. The worst part about them is that most people don’t expect phishing attempts from a QR code. Hackers know this, which is why they use them to offer downloads infested with malware, connections to compromised networks, and redirections to sites that replicate real websites of well-known companies and organizations.
- Spear Phishing. We often think of cyberattacks as massive campaigns that hit many targets at once. While that’s frequently the case, it doesn’t mean there aren’t phishing attempts directed specifically at one individual or company. That’s known as spear phishing: a carefully crafted attack that aims to steal sensitive information or intellectual property by taking advantage of a precisely identified weak link.
Why Is Phishing So Popular?
The fast increase in the number of phishing attacks throughout 2020 wasn’t a coincidence. Last year’s events substantially increased the chances of success of phishing attacks. That, in combination with long-standing psychological and technical factors, is what’s making phishing the most popular kind of attack today.
If we were to make a list of the reasons behind phishing’s popularity, we could boil them down to 3 things:
- Remote work. Once the pandemic struck, businesses quickly adopted remote work to keep moving forward. Thus, people started working from home, using their own devices over their domestic internet connections. The problem is that most of those devices and connections aren’t properly secured. What’s more, people may use their own devices more carelessly, which opens the door to corporate information being stolen through a compromised personal device. Finally, remote work is new for many companies, so they might fail at providing proper technical support, which only deepens the vulnerability of people working at home.
- People are the weakest link. If you’ve read a couple of articles about cybersecurity, you’ve surely come across the idea that people are the weakest link in any protection system. That’s because people misuse security features and best practices—or outright neglect them (by suspending automatic updates, opting out of multifactor authentication, disabling intrusive antivirus programs, and so on). That’s not all. People might fall victim to phishing attacks out of good faith. While training can help in partially overcoming this challenge, people will always be your biggest vulnerability.
- Easy to build. While many phishing attacks sound sophisticated, the reality is that coming up with them isn’t that hard. Anyone with a well-crafted message can build their own phishing campaign, mainly because there are plenty of tools available to help. Phishing kits are just a Google search away while ransomware is becoming more and more ubiquitous thanks to the emergence of ransomware-as-a-service (RaaS).
How to Avoid Phishing Attacks
There are certain actions you can take to reduce the risk of being affected by a phishing attack. However, there’s no bulletproof strategy to prevent them altogether. There’s nothing you can do to avoid becoming the target of a phishing attack, so the only thing left to do is to take the necessary precautions to reduce its likelihood or limit its impact.
To reduce the chances of being a victim of a phishing attack, you need to do the following:
- Use the latest technologies available to help you fend off phishing attempts. Machine learning has proven to be a valuable ally in that respect.
- Institute an ongoing training program on cybersecurity to educate your team members in the best security practices they should keep in mind.
- Conduct surprise and controlled tests to analyze your weak spots. You might find out that certain departments need more training or that your security software isn’t identifying clear signs of phishing.
- Establish good password practices, such as forcing people to change them periodically or using robust keys.
- Stay informed about the new phishing strategies going around, so you can better prepare your company.
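Most of the phishing variants described above (email, smishing, QRishing) end up delivering a link, so a practical piece of the “technology” mentioned in the first point is automated link triage. The following is an added example, not code from the original post: it extracts every URL from a message body, an SMS, or the string decoded from a QR code, and flags the indicators defenders commonly check for, namely raw IP hosts, punycode labels, a protected brand name appearing in the hostname but not as the registered domain, confusable spellings of a brand, and HTML anchors whose visible text names a different domain than their href. The brand list, the confusable-character table, the two-label registrable-domain rule, and all sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing link triage (illustrative example, not the page's tooling)."""
import ipaddress
import re
import unicodedata
from urllib.parse import urlparse

# Assumption: brands the organisation wants to protect against impersonation.
PROTECTED_BRANDS = ("paypal", "microsoft", "netflix", "bankofexample")

# URLs embedded in plain text or HTML attributes (stops at quotes/brackets).
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# HTML anchors: capture href and the visible text.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Assumption: small table of digit/symbol lookalikes for Latin letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})


def registered_domain(host: str) -> str:
    """Rough registrable domain: last two labels. Production code should use
    the Public Suffix List; two labels is an assumption for these samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Fold Unicode to ASCII and map confusable digits/symbols to letters."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return folded.lower().translate(CONFUSABLES)


def score_url(url: str) -> dict:
    """Return the indicators that make a single URL look like a lookalike."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []

    # 1. IP literal instead of a hostname (common in SMS and QR payloads).
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal host")
    except ValueError:
        pass

    # 2. Punycode label: internationalised name that may render as a lookalike.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label")

    # 3. Brand placement: a brand that is not the registered domain, or a
    #    registered domain that only matches the brand after confusable folding.
    reg_sld = registered_domain(host).split(".")[0]
    for brand in PROTECTED_BRANDS:
        if brand in normalise(host) and normalise(reg_sld) != brand:
            reasons.append(f"brand '{brand}' outside registered domain")
        elif brand == normalise(reg_sld) and reg_sld != brand:
            reasons.append(f"confusable spelling of '{brand}'")

    return {"url": url, "host": host, "reasons": reasons, "suspicious": bool(reasons)}


def anchor_mismatches(html: str) -> list:
    """Flag <a> tags whose visible text shows one domain but link to another."""
    hits = []
    for href, text in ANCHOR_RE.findall(html):
        shown = URL_RE.search(text)
        shown_host = urlparse(shown.group(0)).hostname if shown else None
        href_host = urlparse(href).hostname or ""
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            hits.append({"href": href, "shown": shown_host})
    return hits


def triage_message(text: str) -> list:
    """Score every URL in a message. Email bodies, SMS text and decoded QR
    payloads are all just strings, so one routine serves all three channels."""
    return [score_url(u) for u in URL_RE.findall(text)]


# Constructed samples (not real campaigns). 203.0.113.0/24 is documentation space.
SAMPLE_SMS = ("Your Netflix account is on hold. Update payment at "
              "https://netflix.com.account-verify.example/login")
SAMPLE_QR_PAYLOAD = "http://203.0.113.7/parking/pay"
SAMPLE_EMAIL_HTML = ('<p>Sign in to <a href="https://paypa1.com/signin">'
                     'https://www.paypal.com/signin</a></p>')
SAMPLE_SAFE = "Read the policy at https://www.paypal.com/security"

if __name__ == "__main__":
    for sample in (SAMPLE_SMS, SAMPLE_QR_PAYLOAD, SAMPLE_EMAIL_HTML, SAMPLE_SAFE):
        for result in triage_message(sample):
            print(result["host"], "->", result["reasons"] or "no indicators")
    print("anchor mismatches:", anchor_mismatches(SAMPLE_EMAIL_HTML))
```

In a mail gateway or SOC pipeline this would run on every inbound message and the output would feed a quarantine decision or an analyst queue; the heuristics are deliberately transparent so that a flagged link can be explained to the user it was sent to, which also makes them good training material for the awareness program described in the second point.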
Those might not be enough to prevent an attack, so you also need to know how to mitigate the impact of a successful phishing attack. Some of the things you need to do include:
- Get the IT team to act as quickly as possible and activate your emergency response and remediation processes.
- Mandate a company-wide password reset of all users for all systems.
- Analyze the systems related to the compromised one, as hackers might have infected them too.
- Be transparent with your customers about the attack and its potential ramifications. Explain what happened, what you need them to do (if applicable), and what you are doing to get back to normal.
- Keep monitoring all systems (with a strong focus on the compromised one) for a couple of weeks.
As we get into the post-pandemic world, it’s clear that phishing will become an even bigger threat. More interconnected devices, more people working remotely, more false information going around, and more sophisticated malware tools will surely boost phishing attempts. The course moving forward is simple to explain but hard to execute: Basically, stay alert and in constant evolution, security-wise.