Although phishing attacks using a social engineering method are a very old tactic, they are still used by malicious actors today. Research shows 1 million phishing attacks occurred in the first quarter of 2022. The risk of exposure to phishing attacks is also increasing every year. In this post, we've compiled crucial information about phishing attacks, which have become increasingly widespread in the era of remote work.
Statistics show that roughly 15 billion spam emails are sent daily, while 83% of organizations experienced phishing attacks in 2021. Another study reveals more than 1 million phishing attacks occurred worldwide in the first quarter of this year. These figures suggest that the first quarter of 2022 was the worst-ever period in phishing attacks. The prevalence of remote work in the post-pandemic period has also increased the likelihood of phishing attacks. Finance, service-as-a-service, e-commerce, social media, cryptocurrencies, payment systems, and logistics are the sectors most vulnerable to phishing attacks.
Phishing attacks aim to access users' personal data via emails or fake websites and are among the most commonly used methods by today's cyber-attackers. These attacks come in various forms and exploit users' weaknesses using the social-engineering technique. In this post, we'll provide crucial information, such as the definition of phishing attacks, the history of the phenomenon, and the most common phishing techniques. We'll also examine the direct relationship between the era of telecommuting and phishing attacks.
A phishing attack is a cybercrime directed at a target via email, phone or text message by malicious actors posing as legitimate institutions or authorities to persuade individuals to provide sensitive personal data, such as passwords or bank and credit card information. Phishing attacks are a type of psychological attack that seeks to force victims to behave in a particular way. They are organized by a social-engineering method to trick victims into providing information with the ultimate aim of committing data theft.
It is known that the first case of phishing was filed in 2004 against a Californian cyber-attacker who obtained users' sensitive information through a fake web page disguised as the "America Online" website. Phishing attacks can be carried out through emails or websites and communication tools such as text (SMS) and WhatsApp messages.
Phishing attacks exploit people's weaknesses, prompting them to make quick decisions based on emotions. Therefore, the main features of phishing attacks can be listed under the following headings:
As mentioned above, phishing attacks are generally based on social engineering. They aim to access victims' data by offering a seemingly real opportunity. To make their scams more believable, cyber-attackers will access information about users' personal history, work experience, interests or hobbies using publicly available sources. Attackers posing as senior company officials often try to gain victims' trust using this simple method.
While many email phishing attacks are poorly written and obviously fraudulent, criminals often use professional marketing techniques to make unwitting victims believe their messages. In a phishing attack, the victim typically receives a message from the cyber-attacker. Victims who click on the link or open the attachment are then persuaded to give their personal data before being exposed to fraud. Ransomware, with a fee of over $800,000 and a cost of millions of dollars, including processes such as data recovery, also settles on the victim's computer through malicious files attached to phishing emails. They can lose their social media accounts, bank information, and cash.
Although all phishing attacks are based on the same general idea, they can be carried out in different ways. These different types of attacks are referred to by different names. Descriptions of the most common types of phishing attacks are as follows:
The State of Email Security 2022 report, published by Mimecast, states that phishing attacks are the most common type of attack via email. While 55% of survey participants said email phishing attacks were on the rise, nearly all (96%) said their organization had experienced phishing attacks – in one form or another – within the last year. The post-pandemic prevalence of hybrid work models has also contributed to the rise of phishing attacks. There are two overriding reasons for this, namely:
Since the main motivations of phishing attackers are financial, they tend to choose the most lucrative sectors for their attacks. According to data compiled for the first quarter of 2022 by Statista, the financial services industry comes in first place. E-commerce platforms and retail services follow the finance and software as a service (SaaS) industries. Users who trade on cryptocurrency exchanges, which have become increasingly popular investment tools, are also among those most affected by phishing attacks.
Many email services offer protection from phishing. But phishing attacks aren't only carried out via email. Antivirus software, firewalls, and spam avoidance are no longer enough to protect yourself. In the current circumstances, users must know how to prevent phishing attacks. Common ruses used in phishing attacks include the following:
To protect yourself from phishing attacks, it's necessary to question the authenticity of the phishing attack message. It is therefore recommended to evaluate the information, such as how good the grammar and spelling are and the validity of the sender's email. Searching the email content on Google is one way to determine if it's an attack. Before clicking on the forwarded links, one should always check where the link leads and run a search on the Internet address in question. It also helps to keep one's cool and consult at least one other person, especially in voice phishing attacks, to stop you from doing something you might regret.
Businesses also have a responsibility in this regard. Firstly, every business should evaluate how much their employees know about phishing attacks and raise awareness within the company by providing training on the subject. Moreover, companies – especially those that adopt a hybrid working model – should employ end-to-end security systems to protect their networks from attacks and optimize safety. Such solutions can insulate the entire network from online threats and reduce attack surfaces that cyber-criminals might otherwise exploit.