For small business cybersecurity, it is remarkable, and not in a good way, that phishing is still one of the primary risks, but that is the reality. We think of cyber threats as fast-moving, and they are, yet phishing remains one of the main ways attackers target businesses and individuals.
Much of what you need to do to avoid phishing attacks comes down to thoroughly training your employees, but that remains hard because these attacks get more sophisticated every year.
In the most general sense, phishing means criminals try to obtain personal or business information, typically credentials or payment details, using deceptive emails and websites.
The primary weapon in a phishing attack is email, and while specific tactics evolve, the core goal is the same: trick the recipient into believing a message is legitimate and relevant to them, and then usually get them to click a link or open an attachment.
The first phishing attacks go back to the 1990s, and email phishing remains among the most pervasive and often most damaging attacks.
In 2019, phishing was described as the most consequential cyber threat for businesses and consumers, and according to the Phishing Activity Trends report, phishing attacks in the third quarter of 2019 were up 46% from the previous quarter.
One of the biggest contributors to successful phishing attacks is untrained employees who are not aware of the scams in circulation.
The following are important things to know about phishing as it stands in 2020.
Types of Phishing
Some of the general types of phishing include, first, scams that target identity and financial information.
Brand phishing impersonates a well-known brand to harvest consumers' credentials, and IT/SaaS phishing impersonates an IT department or a software-as-a-service provider to gain access to corporate data and credentials. A spear-phishing attack is one tailored to a specific individual or small group.
Besides the majority of employees being unable to identify sophisticated and advanced attacks, relatively few businesses use automated email analysis.
Even more concerning, more than 50% of phishing sites used SSL/TLS certificates, so the browser padlock no longer signals that a site is legitimate. Attached invoices and payment notifications are a major way attackers get into small businesses in particular.
Phishing Kits
One of the trends with the biggest impact on phishing is the turnkey kits that are increasingly available on dark web markets.
Phishing kits provide everything an attacker, even an inexperienced one, needs to carry out an attack.
A phishing kit includes the templates and scripts to build convincing login pages that capture whatever the victim types, and many kits also include URL randomization generators.
With URL randomization generators, attackers create many distinct URLs for a single campaign, so that even if one URL is blocklisted the rest keep working. A blocklist of exact URLs therefore lags a kit indefinitely; blocking at the domain or hosting level is what actually cuts a campaign off.
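The following is an added example, not code from the original article, showing why an exact-URL blocklist is defeated by a kit that randomizes paths and subdomains, and how normalizing each link to its registrable domain catches the whole campaign. All URLs are constructed sample data on the reserved .test TLD; the registrable-domain logic is deliberately simplified (last two labels) and a production version would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample data (not from the article): one phishing-kit URL that
# made it onto a blocklist, and the URLs later seen in mail logs. The ".test"
# TLD is reserved for examples, so none of these resolve.
BLOCKLISTED_URLS = {
    "https://secure-login-example.test/a8f3k2/index.php",
}

SEEN_URLS = [
    "https://secure-login-example.test/a8f3k2/index.php",            # the blocklisted one
    "https://secure-login-example.test/Q9zx1m/index.php",            # same kit, new random path
    "https://SECURE-LOGIN-EXAMPLE.test:443/k2m8v1/index.php?u=bob",  # case/port/query noise
    "https://r4nd0m.secure-login-example.test/login/",               # random subdomain
    "https://docs.example.test/report.pdf",                          # unrelated, benign
]


def canonical_host(url: str) -> str:
    """Lower-case hostname without port, credentials or trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Registrable domain, simplified to the last two labels.

    Assumption: a real deployment would consult the Public Suffix List (for
    example via the tldextract package) so that 'example.co.uk' is not
    reduced to 'co.uk'.
    """
    labels = [lab for lab in host.split(".") if lab]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(seen_urls, blocklisted_urls):
    """Compare exact-URL blocking with domain-level blocking.

    Returns {url: {"exact": bool, "domain": bool}}.
    """
    blocked_domains = {registrable_domain(canonical_host(u)) for u in blocklisted_urls}
    verdicts = {}
    for url in seen_urls:
        verdicts[url] = {
            "exact": url in blocklisted_urls,
            "domain": registrable_domain(canonical_host(url)) in blocked_domains,
        }
    return verdicts


def count_hits(verdicts, mode):
    """Number of URLs flagged under the given mode ('exact' or 'domain')."""
    return sum(1 for v in verdicts.values() if v[mode])


if __name__ == "__main__":
    v = triage(SEEN_URLS, BLOCKLISTED_URLS)
    for url, verdict in v.items():
        tags = ("EXACT " if verdict["exact"] else "      ") + ("DOMAIN" if verdict["domain"] else "      ")
        print(tags, url)
    print("exact-URL blocking caught", count_hits(v, "exact"), "of", len(SEEN_URLS))
    print("domain blocking caught   ", count_hits(v, "domain"), "of", len(SEEN_URLS))
```

Running it shows the exact blocklist catching one of the five URLs while domain-level blocking catches the four that belong to the same kit and leaves the benign document link alone. Domain-level blocking has its own failure mode: kits hosted on shared platforms or compromised legitimate sites would take innocent content down with them, which is why such matches should feed a review queue rather than an automatic block.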
Phishing-As-a-Service
Phishing-as-a-service, or PaaS (not to be confused with platform-as-a-service), is even simpler than a turnkey kit. With PaaS, an attacker subscribes to a monthly service, with fees typically around $50 a month.
The people behind these PaaS operations promote their services with conventional marketing tactics, and a criminal can quickly build a profitable business with minimal upfront investment.
Google Services
Google's free services are regarded by most people as legitimate and trustworthy, and criminals take advantage of that. Instead of linking directly to an unusual-looking malicious file that a target might not click, attackers host the lure on services such as Google Drive, so the link carries a familiar Google domain and victims are more likely to click.
Attackers even use Google Calendar, sending fraudulent meeting invitations that carry phishing links; because invitations can be added to a calendar automatically, the lure can show up as an event rather than as an email the victim has to open.
A similar and growing technique is attacks on cloud storage accounts.
The volume of cloud storage attacks rose 48% last year and is expected to keep rising.
In a typical cloud storage attack, the attacker sends an email posing as the service and telling you to change your password. The link leads to a look-alike login form, and whatever you type there goes to the attacker, so your cloud credentials are stolen. A genuine password-reset link points to the provider's own domain; a reset email you did not request, or a link whose host is not the provider's, should be treated as phishing.
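Here is an added example, not code from the original article, of the check an automated email analyzer applies to a "change your password" message like the one just described: it pulls every link out of the HTML body and flags a link when its host is not one of the provider's genuine domains, when the provider's brand name is embedded in a foreign host, or when the visible link text names one host while the href points to another. The provider ("ExampleCloud" on examplecloud.test) and the sample message are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the cloud provider being impersonated is a fictional
# "ExampleCloud" whose only genuine domain is examplecloud.test. For a real
# provider, list its real domains here.
LEGIT_DOMAINS = {"examplecloud.test"}
BRAND_TOKENS = ("examplecloud",)

# Constructed sample message (not from the article): a fake "change your
# password" mail with two malicious links and one genuine support link.
SAMPLE_EMAIL_HTML = """
<p>We noticed unusual sign-in activity on your ExampleCloud account.</p>
<p>Please <a href="https://examplecloud-login.account-verify.test/reset?u=123">reset your password</a> within 24 hours.</p>
<p>Or copy this address into your browser:
<a href="http://198.51.100.23/reset">https://www.examplecloud.test/reset</a></p>
<p>Questions? Visit the <a href="https://help.examplecloud.test/security">security help center</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-case hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True if host is a genuine provider domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def analyse_link(href: str, text: str) -> list:
    """Return findings for one link; an empty list means nothing suspicious."""
    findings = []
    host = host_of(href)
    if not is_legit_host(host):
        findings.append(f"link host {host!r} is not a known provider domain")
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append("brand name embedded in a foreign host (look-alike domain)")
    # If the visible text itself looks like a URL, it must point where it says.
    shown = text if "://" in text else ("https://" + text if "." in text and " " not in text else "")
    shown_host = host_of(shown) if shown else ""
    if shown_host and shown_host != host:
        findings.append(f"visible text says {shown_host!r} but link goes to {host!r}")
    return findings


def analyse_email_html(html: str) -> dict:
    """Map each href in the message body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: analyse_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in analyse_email_html(SAMPLE_EMAIL_HTML).items():
        print("OK  " if not findings else "BAD ", href)
        for finding in findings:
            print("      -", finding)
```

On the sample message the genuine help-center link comes back clean, the "reset your password" link is flagged twice (foreign host, brand name inside it) and the bare-IP link is flagged for both its host and the mismatch between what the text shows and where it goes. The same checks work for a human reader: hover the link, read the host that precedes the first slash, and compare it with the provider's real domain.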
Finally, phishing is becoming extremely personalized and targeted.
An attack sent to undisclosed recipients with no relevant personal information is easier to spot; you might flag it right away.
However, thanks to automation and the amount of information available online, more criminals personalize their phishing emails, so you may see not just your name but the company you work for and your job title.
It is also easy to personalize not just who an attack is sent to, but who it appears to come from: the sender's display name, and sometimes the address itself, is forged to look like a colleague, a manager or a vendor.
This is an important time for businesses to evaluate their current training and preparedness for phishing and to build on it, because the trends for 2020 and beyond suggest phishing is not going away and will only become more common.