In a phishing attack, a cybercriminal sends a fraudulent email to their victim, pretending to be someone else – like a boss or trusted company. The email attempts to lure the user into clicking a malicious link that delivers malware, or directs them to a dodgy website that harvests their sensitive information.

Phishing attacks are one of the most prevalent threats to organizations today. According to Verizon, phishing played a role in 36% of data breaches in 2020. These attacks are so successful because they rely on a mixture of human error and a lack of knowledge. In most cases, an unwitting employee will accidentally comply with a phishing email – none the wiser that it’s illegitimate. 

To make matters more complex, phishing emails are becoming harder to detect. Thanks to media headlines and employee training, most people now have a basic understanding of this threat. In response, cybercriminals have upped their game. Attacks are becoming more stealthy and more realistic. 

What Are the Latest Phishing Techniques?  

To protect your business from phishing attacks and put proper IT security infrastructure in place, you need to understand what to look out for. So, here are four new phishing trends you need to be aware of. 

Ransomware Delivered via Email 

Ransomware attacks dominated the news headlines this year. The Kaseya attack, for example, impacted over 1,500 companies across the globe. As context, ransomware is a type of malicious software that infiltrates a network and restricts user access until a ransom is paid to decrypt it.

While ransomware sounds complex, its means of delivery is often straightforward: phishing. To infiltrate a network, cybercriminals will typically attach a document containing ransomware to their email. If the recipient opens the attachment, the ransomware executes on their device and then attempts to spread into the broader company network.

Business Email Compromise

Business email compromise (BEC) attacks wreaked havoc in the last year. So much so that the FBI stated BEC is one of the most damaging forms of online financial crime. 

BEC attacks are highly targeted and personalized. A cybercriminal will do a lot of research about a company, its executives, and suppliers before sending the email. The email itself will impersonate a trusted business contact, such as a partner or colleague. Here, cybercriminals will use tactics like email spoofing to create a legitimate-looking email header. 

The email body will contain an urgent request that convinces the victim to pay an invoice or transfer funds. Because these emails look realistic and are personalized, they have a high success rate. Gartner predicts that BEC attacks will continue to increase over the next couple of years, leading to financial losses of over $5 billion by 2023.
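As an added illustration, not code from the original post, here is a small Python check for the BEC tell-tales described above (a spoofed executive display name, a diverted Reply-To, and urgent payment language), run over a constructed message. The internal domain and executive names are placeholders you would replace with your own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed samples: a BEC-style message (executive display name on a lookalike
# domain, Reply-To elsewhere, urgent wire-transfer request) and a benign one.
SAMPLE_BEC = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: ceo.janedoe@mail-example.net
Subject: Urgent - invoice payment needed today
Content-Type: text/plain

Hi, I need you to process a wire transfer for the attached invoice
before end of day. I'm in meetings, so just reply here to confirm.
"""
SAMPLE_OK = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Subject: Q3 numbers
Content-Type: text/plain

Thanks for the report, let's review it next week.
"""
# Placeholders: your own mail domain and the senior staff a BEC email would impersonate.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY = re.compile(r"\b(urgent|wire transfer|invoice|end of day|immediately)\b", re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # Executive's name in the display name but address off our domain (lookalikes are external).
    if any(n in name.lower() for n in EXECUTIVE_NAMES) and from_dom != INTERNAL_DOMAIN:
        findings.append("executive display name on external address")
    # Replies would be diverted to a domain other than the apparent sender's.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # Urgent payment language in subject or body, as in the request described above.
    body = msg.get_body(("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if len(hits) >= 2:
        findings.append("urgent payment language: " + ", ".join(hits))
    return findings
```

A check like this flags spoofed or lookalike senders; it will not catch the account-takeover case below, where the mail really does come from the executive's mailbox.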

Email Account Takeover

BEC attacks impersonate a trusted business contact. Email Account Takeover (EAC) attacks go one big step further. In these attacks, a cybercriminal will compromise the email account of a senior stakeholder in the business. This might sound hard to do, but you’ll be surprised at just how many email addresses and passwords are available on the dark web as a result of data breaches. 

Once logged in to the executive’s account, the threat actor will then send legitimate-looking emails to other employees in the business. They can either request sensitive credentials, ask for financial payments or even share malware in an attachment. These attacks are tough to detect because they genuinely come from a legitimate email account, so sender checks and spoofing filters do not trigger. Moreover, junior team members are less likely to question a request from a senior colleague – even if it sounds a little strange.

The Rise of Deep Fakes 

A deep fake is a video or audio clip in which a person’s face or voice is convincingly replaced by a computer-generated one. While videos in emails are uncommon, the underlying artificial intelligence (AI) technology that powers deep fakes is increasingly being used in phishing emails.

One such technology, called GPT-3 (Generative Pre-trained Transformer), uses machine learning to create highly credible emails that impersonate well-known brands like Microsoft and Amazon. Employees who receive these emails – for example, requesting that they update their Microsoft Office 365 password – are unlikely to question them.

Get Help Protecting Your Business Against Phishing Attacks   

As we move into a new year, organizations must be aware of the growing threat of highly sophisticated and targeted phishing attacks. No matter the size of your organization, you are at risk. It’s, therefore, more important than ever to invest in the proper training, infrastructure, and support to help protect your company and your employees from social engineering. 

ECN IT Solutions can help you implement solutions that protect against phishing and spam emails. We also offer employee awareness training to help your people spot phishing attacks. 

We’re here and ready to talk data security with you! Reach out at 520-355-7553 or through our website.