Analysis Shows Phishing Strikes Up 61% Over 2021, With a 50% Increase on Mobile Devices
By Patrick Harr, CEO, SlashNext
Hybrid offices and BYOD policies have reorganized the workplace forever, and this shift has also amplified the risks of phishing attacks on remote workers. Security teams need to protect against phishing gangs that increasingly breach organizations through clever social engineering scams on employees’ personal devices, or through private messaging apps such as SMS texts, Slack, and WhatsApp.
Cyber attackers employ nefarious social engineering techniques such as spoofed websites or fake links to deceive people into giving away sensitive data by mistake. The attackers can then use the breach entry point to install malware on an organization’s infrastructure, such as encrypted ransomware for extortion purposes.
The recently released SlashNext State of Phishing Report analyzed billions of link-based URLs, attachments, and natural language messages sent by email, mobile, and browser channels over six months in 2022. The in-depth analysis identified more than 255 million phishing attacks in 2022, or a jaw-dropping 61% increase over 2021.
In addition, the detailed analysis revealed a 50 percent increase in attacks on mobile devices, with scams and credential thefts topping the list of payloads. This disturbing growth trend seems to highlight that prior security strategies – including secure email gateways, firewalls, and proxy servers – are no longer adequate to prevent the latest phishing threats.
At this point, the cybercriminals know that most email systems have at least some phishing protections in place. They also know that more employees are using their personal mobile devices for work purposes. This transition has greatly increased the number of attacks targeting mobile devices and other communication channels.
Even more alarming, the bad guys have updated their strategies to launch more phishing attacks from trusted services and messaging apps. In fact, the threats from trusted services such as Microsoft, Amazon Web Services, and Google are up 80% this year, with nearly one-third of all threats (32%) now being hosted on such trusted services.
For many businesses, this increase in mobile phishing and credential harvesting has incurred costly data losses, harmed brand reputations, and hurt the bottom line. And as the phishing landscape continues to evolve and expand, the cybercriminals have become even more sophisticated in their use of software automation and AI technologies to launch zero-day threats.
Such zero-day threats are designed to make the biggest impact and wreak the most havoc before security controls can detect and block them. In turn, more than half of all threats now detected (54%) are defined as zero-day threats, marking a 48% rise over the prior year. This uptick reveals how the hackers have shifted to more real-time technologies to improve their success rates.
The Easiest Phishing Targets Are Distracted Employees
Fallible people continue to be the most vulnerable attack surface for phishing breaches. The attackers have adjusted their fraudulent methods to meet targets wherever they use digital devices for both work and personal purposes. One of the most damaging problems involves credential harvesting from an unwitting employee’s personal account on a mobile device.
Such threats can be launched through link-based attacks, malicious attachments, or natural language conversations that are highly personalized to trick the victim. Someone posing as an internal IT technician can catch a distracted employee off-guard with an urgent request for logins to perform troubleshooting, and that may be all it takes to breach the entire system.
Yet the crooks require less time and effort to launch such personalized attacks today, due to the growing use of automation and machine learning. Cybercriminals can now send out thousands of targeted spear-phishing attacks to detailed lists of targets, creating highly unique and customized lures. This technique enables the bait to bypass many threat detection engines for hours and sometimes even days, giving the attackers a huge advantage.
Providing cybersecurity training to employees should always be part of the solution, but training alone cannot stop the speed, scale, and sophistication of never seen, zero-day attacks. Furthermore, many current security tools and processes – such as reputation-based and relationship-graph technologies – can no longer keep pace with many of these newest attack vectors.
Armed with stolen logins and passwords, the hackers can then penetrate an organization laterally. Once a user’s credentials have been compromised, the threat can be devastating to an enterprise. The effects may include the loss of critical business data, customer information, and intellectual property, resulting in lawsuits, financial payouts, and reductions in shareholder value.
New phishing safeguards should be deployed wherever employees communicate today, whether for personal or work reasons. This includes collaboration apps such as Outlook, Gmail, LinkedIn, WhatsApp, Telegram, Slack, Microsoft Teams and more. To stay protected, organizations must move from traditional practices and last-generation tools to a more modern security strategy.
The adoption of real-time, cloud-based AI phishing controls that can address all types of attacks will be essential, along with multi-layered protections that preemptively hunt for threats and scan for breaches in real-time. This is the only way for security teams to keep their remote workers protected from zero-day threats across all potential attack vectors, including email, mobile, and web messaging apps.
About the Author
As CEO of SlashNext, Patrick Harr directs a workforce of security professionals focused on protecting people and organizations from phishing anywhere. Before SlashNext, Patrick was CEO of Panzura, which he transformed into a SaaS company, grew ACV 400%, and led to successful acquisition in 2020. He has held senior executive and GM positions at Hewlett-Packard Enterprise, VMware, BlueCoat and was CEO of multiple security and storage start-ups, including Nirvanix (acquired by Oracle), Preventsys (acquired by McAfee), and Sanera (acquired by McDATA).
Patrick can be reached by email at patrick.harr@slashnext and on Twitter at @patrickharr and at our company website https://www.slashnext.com/.