Columbia Advisory Group
Phishing: How The Monster Is Changing Its Shape and Size – Phishing Protection in a Post-COVID World
Cyber scams during COVID-19 have shaped a new term – scamdemic: a global epidemic of frauds and scams. There was an unprecedented rise in cybersecurity scams during the pandemic. Phishing emerged as the most frequent attack type. Read on to learn how malicious actors changed their tactics in 2022 and how you can protect yourself.
The COVID-19 pandemic changed how people live, including how they conduct business and social interactions and how their working lives function. Regarding the latter, enforcement of social distancing and lockdowns changed the work habits of an increasing number of people. Some employees adapted – often abruptly – to using messaging apps, digital platforms, and other communication channels for everyday activities. Thus, there was a worldwide shift from office to remote (home) work. The overlooked consequence of the change was the increase in cyber risks, which resulted in a rapid escalation of cyber-attacks.
The State of Phishing Report for 2022 by SlashNext highlights that traditional security strategies, including proxy servers, secure email gateways, and firewalls, no longer prevent phishing threats, especially as attackers increasingly launch these attacks from personal and messaging apps and trusted servers. Thus, phishing attacks are a rising concern, as the following statistics show.
Here is a look at the key statistics which signify the rising phishing problem:
- SlashNext analyzed numerous link-based URLs, messages, and attachments in email, browser, and mobile channels in 2022 and found over 255 million attacks – a 61% rise in phishing attack rates compared to 2021.
- A Check Point Research (CPR) report found emerging social engineering scam trends shifting away from tech giants and shipping establishments toward social networking sites. In Q1 2022, social networks became the most targeted category, followed by shipping.
- Zscaler pointed out that, from January to March 2020, COVID-19-themed phishing attacks increased by 30,000%.
- APWG’s Phishing Activity Trends Report says that phishing attacks hit an all-time high in 2021. December 2021 recorded an unprecedented 300,000 attacks, signifying these incidents became over three times more common than they were two years before.
- The UK’s Cyber Security Breaches Survey 2022 shows that phishing is the most common cyber threat targeting UK businesses and charities. 83% of them suffered a phishing scam.
- 2022’s first quarter saw a dramatic rise in phishing attacks. CheckPoint revealed in its 2022 Q1 Brand Phishing Report that malicious actors planned phishing attacks impersonating professional social networking websites. Attacks related to LinkedIn alone comprised over half (52%) of all phishing attempts globally.
Post-COVID Threat Landscape Isn’t Reducing – Threat Actors Are One Step Ahead
Once authorities lifted the COVID-19 restrictions, employees started moving back to their offices, and malicious actors adapted to the change again. While remote workers were their primary targets for 18 months, new phishing campaigns targeted those who were returning to the physical workplace. The following are some prominent examples:
- Cofense observed an email-based campaign that targeted employees with emails impersonating their CIO and welcoming them back to the office. The emails appeared legitimate and contained the organization’s official logo and the CIO’s signature. The message outlined the organization’s new precautions and business operation changes connected with the pandemic.
- India saw a surge in new phishing techniques after the government launched electric vehicle (EV) incentives.
- Some phishing attempts preyed upon financial fear. For example, in one scam, bank customers were informed that their accounts were on hold due to suspicious logins or transactions. Users became victims when they attempted to resolve the issue by clicking on the embedded link.
- The BazarBackdoor attackers send malware-free mail, bypassing email security and directing users to a website contact form. Once a user submits the form, the perpetrators send malware through a purported response file through a file-transfer service to avoid email security.
- Some of the latest phishing attacks send malware links through QR codes embedded in emails or printed on stickers in restaurants or public locations. The QR codes directly execute malware or redirect the users to credential-stealing websites.
- Microsoft recently discovered a multi-stage phishing attack on businesses that don’t use multi-factor authentication. The first stage steals an employee’s email credentials, and the second stage creates a new Office 365 account in their name on a rogue device. After getting established on the new computer, the threat actors use the victim’s account to send internal phishing attacks to the organization or clients using legitimate email accounts.
Top 2022 Phishing Tactics Used By Malicious Actors
In 2022, phishing attacks exploited vulnerabilities unheard of earlier. Here are the year’s top tactics:
- Typosquatting: Threat actors register domains that users can enter by accident. For example, instead of typing www.phishingexample.com, a user can type www.phishingexanple.com (hitting the ‘n’ key next to the intended ‘m’ key by mistake). If an attacker registers the www.phishingexanple.com domain, the user enters the attacker’s website instead of the legitimate www.phishingexample.com website. If the imposter website looks the same as the legitimate one, the user can easily get tricked into sharing their credentials.
- Lookalike Domain Attacks: While typosquatting depends on the victim making a typo, lookalike domains exploit the difficulty of differentiating between words or similar characters. For example, an attacker can craft a phishing email with an uppercase “I” instead of the lowercase “l,” making www.iurethevictim.com look like Iurethevictim.com. Having end users targeted by what they think is a legitimate website opens various challenges, like loss of user confidence, theft, fraud, and reduced traffic (and business) to your website. Thus, if you can quickly discover and avoid scam sites, you can mitigate the risks linked to fraud and loss of brand reputation.
- Executive Impersonation: Executive impersonation is an effective tactic. If malicious actors can spoof or compromise an executive’s email account, they can craft phishing emails to lure unsuspecting users to legitimate-looking phishing websites. If the user, believing the fake email to be from their boss, enters their credentials into the spoofed website, the attackers steal them and gain unauthorized access.
- Credential Reuse Attacks: Unfortunately, credential reuse (using the same password, etc., across different platforms) is common among end users because it is inconvenient to create new credentials for every application. If a phishing attack retrieves a credential set successfully, the attackers can access other applications with the same information. Because of credential reuse, such attacks grant attackers access to multiple accounts across various platforms.
- High-Level Employee Targeting: High-level employees can access sensitive, confidential, and proprietary information that other employees cannot. If attackers obtain their login credentials, they can access sensitive corporate data in the cloud (which organizations store within their network perimeter). Thus, these credentials are the keys to the domain, and stealing them makes threat actors capable of planning large-scale data breaches traditionally mitigated by network perimeter solutions.
- Financial Scams: Sophisticated phishing campaigns target login credentials and aim to steal financial information from end users. In a financial scam-type phishing attack, the threat actors trick the user into visiting a phishing site, making them share personal or financial information and conduct financial transfers or transactions with it. For example, threat actors may design a site pretending to be a charity platform raising money for the pandemic victims. The unsuspecting users might get fooled into donating cash through it.
- Business Email Compromise: In BEC, malicious actors spoof the email credentials of top officials of an organization, like the CEO. They then send orders to subordinates to make money transfers of massive amounts. The assistants follow the instructions thinking it to be their boss’s command. Business email compromise (BEC) is rising, and attackers exploit it to make money from fake wire transfer requests.
- Spear Phishing on Small Businesses: In today’s growing threat landscape, there is nothing too small to become a phishing attack target. Small businesses get targeted frequently with cyberattacks because they often have less IT security than large organizations. Spear phishing is more dangerous than phishing because it is targeted and not generic. Threat actors deploy it in an attack using BEC.
- Using Initial Access Brokers to Make Phishing Attacks More Effective: One way threat actors make more money is by enlisting specialists called Initial Access Brokers. They are malicious actors who focus only on initially breaching the network or organizational accounts. The rising use of these specialists makes phishing attacks more threatening and more difficult for end users to detect.
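The typosquatting and lookalike-domain tactics described above can be checked for on the defensive side. The following Python is an added example, not part of the original article or its sources: it compares domains seen in mail or proxy logs against a list of protected domains and labels adjacent-key typos, other one-edit typos, and visually confusable spellings. The function names, the confusable pairs, and every domain other than the article's www.phishingexample.com pair are assumptions constructed for illustration.

```python
# Added example. Protected domains are assumed to be given in lowercase.
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]  # QWERTY rows; same-row neighbours only
ADJACENT = {}
for row in ROWS:
    for a, b in zip(row, row[1:]):
        ADJACENT.setdefault(a, set()).add(b)
        ADJACENT.setdefault(b, set()).add(a)

# Visually confusable sequences folded to one canonical form (illustrative subset).
CONFUSABLE = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

def skeleton(domain):
    """Fold confusable glyphs so lookalikes compare equal (case matters for I vs l)."""
    for src, dst in CONFUSABLE:
        domain = domain.replace(src, dst)
    return domain.lower()

def one_edit(a, b):
    """True if a and b differ by one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i in range(len(a)) if a[i] != b[i]]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def classify(seen, legit):
    """Return 'exact', 'lookalike', 'adjacent-key typo', 'one-edit typo' or None."""
    raw = seen.lower()
    if raw == legit:
        return "exact"
    if skeleton(seen) == skeleton(legit):
        return "lookalike"
    if len(raw) == len(legit):
        diff = [(x, y) for x, y in zip(raw, legit) if x != y]
        if len(diff) == 1 and diff[0][0] in ADJACENT.get(diff[0][1], ()):
            return "adjacent-key typo"
    return "one-edit typo" if one_edit(raw, legit) else None

def scan(seen_domains, protected):
    """List (seen, protected, verdict) for every suspicious near-match."""
    return [(s, p, v) for s in seen_domains for p in protected
            if (v := classify(s, p)) not in (None, "exact")]
```

Pass the domain exactly as it is displayed in the message, since the uppercase "I" trick disappears once the string is lowercased.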
How To Redefine Cybersecurity in a Post-COVID World
Organizations’ strategies to counter the threats mentioned above will vary according to each organization’s cyber security maturity level. Generally, they must focus more on new cybersecurity models, including ‘zero trust.’ Following are ways individuals and organizations can remain protected:
- Antivirus Protection: Employees must have an antivirus software license for their information systems. A good antivirus solution can eliminate many attacks.
- Cybersecurity Awareness: Organizations must brief their staff on best procedures and practices to regulate sending emails or sensitive content to other parties or cloud storage.
- Phishing Awareness: Employees must remain vigilant when receiving emails and check the authenticity of senders’ addresses.
- Home Network Security: Employees must ensure that their home Wi-Fi remains protected by a strong password.
- Using VPN: Virtual private networks offer an additional protection layer to home internet use. They can remain a stringent barrier against cyberattacks.
- Identifying Vulnerable Spots: Each IT system has vulnerabilities. Organizations must run tests to identify and patch them quickly. It can take the form of vulnerability scanning or penetration testing. Furthermore, businesses must perform hardening of technical infrastructure components.
- Frequent Reviews: Organizations must evaluate cybersecurity risk exposure regularly and determine whether the existing controls are robust. The IT teams must consider new cyberattack forms during these reviews.
- Renewing Business Crisis and Continuity Plans: Top managers must update their business continuity plans to account for various cyberattacks.
More advanced measures that users can take are:
- Applying New Tools and Technology: IT teams can use advanced tools like host checking (which checks the endpoint’s security posture before authorizing access) to reinforce remote work security.
- Intelligence Techniques: Businesses must encourage proactive cyber threat intelligence to identify indicators of attacks (IOC) and address them.
- Risk Management: Organizations can apply GRC (governance, risk, and compliance) solutions to improve risk management. GRC solutions offer a detailed view of the organization’s risk exposure and help link various risk disciplines (cybersecurity, business continuity, and operational risks).
- Prepare for Attacks: In today’s high-risk times, businesses must carry out frequent cyber crisis simulation exercises and prepare their response to a phishing attack.
- Zero Trust Infrastructure: CIOs and CISOs must consider implementing the zero-trust framework for cybersecurity. It is a security model where only authorized and authenticated devices and users get access to applications and data.
The COVID-19 pandemic taught people that preparation is critical to limit the risks linked to cyberattacks. Malicious actors have been clever in changing their tactics to adapt to changing situations and executing sophisticated phishing attacks. The ability of a user to quickly react to unforeseen events helps lower the impact of a cyberattack. Today, organizations that benefit from secure remote work capabilities are better prepared to face the growing risk of phishing attacks. Consequently, businesses fearing risks must quickly assess their exposure to phishing attacks and prioritize initiatives to address cybersecurity gaps.
- Al-Qahtani, A. F., & Cresci, S. (2022). The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19. IET Information Security, 16(5), 324–345. doi:10.1049/ise2.12073
- Damcova, K. (2022, May 6). Phishing attack trends to beware of in 2022. Retrieved January 4, 2023, from IQ in IT website: https://iqinit.uk/news/phishing-attack-trends-to-beware-of-in-2022/
- Nabe, C. (n.d.). Impact of COVID-19 on cybersecurity. Retrieved January 4, 2023, from Deloitte Switzerland website: https://www2.deloitte.com/ch/en/pages/risk/articles/impact-covid-cybersecurity.html
- Ideal Integrations (2022, March 14). New phishing techniques to watch for in 2022. Retrieved January 4, 2023, from Ideal Integrations® website: https://www.idealintegrations.net/beware-these-new-phishing-techniques/
- McCurdy, R. (2022, November 8). The Biggest Phishing Breaches of 2022 and how to avoid them for 2023. Retrieved January 4, 2023, from Security Boulevard website: https://securityboulevard.com/2022/11/the-biggest-phishing-breaches-of-2022-and-how-to-avoid-them-for-2023/
- Over 255m phishing attacks in 2022 so far. (2022, October 26). Retrieved January 4, 2023, from Security Magazine website: https://www.securitymagazine.com/articles/98536-over-255m-phishing-attacks-in-2022-so-far
- Page, C. (2021, June 1). Hackers are targeting employees returning to the post-COVID office. TechCrunch. Retrieved from https://techcrunch.com/2021/06/01/hackers-phishing-post-covid-office/
- (2022, September 28). Webinar wrap-up: Cyber security in a post-COVID world: New challenges & opportunities. Retrieved January 4, 2023, from Simplilearn.com website: https://www.simplilearn.com/cyber-security-challenges-and-opportunities-post-covid-article