Security teams often joke that the weakest links in their IT infrastructure defences are users.
They point out that the most sophisticated tools and processes can be in place, but all it takes for an attack to be successful is for just one user to make a mistake.
Increasingly, such mistakes are being made when a user falls for a phishing campaign. This involves them receiving what appears to be a message from a legitimate source but is actually one that contains either malicious code or a link to an infected website.
During the past 12 months, as well as becoming more prevalent, phishing attacks have become significantly more sophisticated. Rather than being a poorly worded email that has come from a dubious source, some are almost indistinguishable from legitimate communications.
The channels being used by cybercriminals are also evolving. Initially reliant on email alone, they are now casting their nets wider and using everything from social networks to voice calls and SMS messages.
Mobile users being targeted
Cybercriminals are also placing more attention on targeting mobile device users and crafting attacks suited to smaller screens. Users are more susceptible when on their phone as it can be more difficult to spot tell-tale signs such as a suspicious URL.
Attackers are also producing more convincing phishing sites that target mobile users, with as many as one in 10 people falling for an attack. According to research completed by Jamf, there has been a 160% increase in mobile phishing victims during the past 12 months.
The problems are being compounded because end-user computing devices are increasingly becoming a consolidated communications platform comprising multiple communications channels. Messaging apps tend to be an overlooked area in the defences of many organisations and are therefore appealing to attackers. Some are already using services such as WhatsApp, Messenger, Instagram, and LinkedIn to mount attacks.
A padlock is no longer enough
Double-checking a web browser’s address bar for a padlock used to be an easy way to catch a bad domain and avoid a phishing attack. However, there are now a multitude of free online services that attackers can use to quickly and easily obtain TLS/SSL certificates for malicious phishing sites.
This is unfortunate because many users believe the padlock symbol preceding a URL is a reliable indicator that a website is safe. This is clearly no longer the case.
New TLDs further confusing the picture
An increase in the variety of top-level domains (TLDs) in use is also helping attackers. TLDs used to be limited to examples such as .com, .net, and .org. However, there are now many more country- and business-specific TLDs, which can make spotting malicious domains even more difficult.
The danger is that a user might see a brand name they recognise, but with a TLD that isn’t the usual one. For example, a hacker might register microsoft.xyz to host a Microsoft-themed phishing attack, and when it gets discovered, replace it with microsoft.info or microsoft.network.
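The brand-under-an-unusual-TLD pattern described above can be checked mechanically before a link reaches a user. The following is an added example, not code from the article or from Jamf: it extracts the registrable domain from a URL and flags hostnames whose second-level label is a known brand but whose TLD is not one that brand is known to use. The brand allowlist and the small set of two-label public suffixes are constructed assumptions; a production check would draw on a maintained brand list and the full Public Suffix List.

```python
"""Flag URLs that reuse a known brand label under an unexpected TLD.

Example check written for this article, not Jamf's code. The brand/TLD map and
the multi-label suffix set below are constructed placeholders for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist: brand label -> public suffixes the brand legitimately uses.
BRAND_TLDS = {
    "microsoft": {"com"},
    "apple": {"com"},
    "paypal": {"com"},
    "amazon": {"com", "co.uk", "de"},
}

# Two-label public suffixes we recognise; anything else is treated as one label.
KNOWN_MULTI_SUFFIXES = {"co.uk", "com.au", "co.nz"}

def split_registrable(hostname: str) -> Optional[Tuple[str, str]]:
    """Return (second_level_label, public_suffix), or None for a bare hostname."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in KNOWN_MULTI_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    return labels[-2], labels[-1]

def assess_url(url: str) -> str:
    """Classify a URL as brand-ok, brand-tld-mismatch, unknown-brand or invalid.
    The scheme is deliberately ignored: https and a padlock say nothing about
    whether the registrable domain actually belongs to the brand."""
    host = urlsplit(url).hostname
    parts = split_registrable(host) if host else None
    if parts is None:
        return "invalid"
    label, suffix = parts
    allowed = BRAND_TLDS.get(label)
    if allowed is None:
        return "unknown-brand"
    return "brand-ok" if suffix in allowed else "brand-tld-mismatch"

def triage(urls):
    """Return only the URLs that warrant a human look, paired with their verdict."""
    return [(u, assess_url(u)) for u in urls if assess_url(u) == "brand-tld-mismatch"]

if __name__ == "__main__":
    # Constructed sample set following the article's microsoft.xyz/.info/.network pattern.
    samples = ["https://login.microsoft.com/", "https://microsoft.xyz/signin",
               "https://account.microsoft.info/", "http://microsoft.network/verify",
               "https://www.amazon.co.uk/", "https://example.org/"]
    for url, verdict in triage(samples):
        print(f"{verdict}: {url}")
```

Note that this check only covers the TLD-swap trick the article describes; a brand name placed in a subdomain of an unrelated registrable domain is a separate pattern and is reported here as unknown-brand.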
Brands being put to use
To further increase the likelihood that a user will be tricked into interacting with a phishing message, cybercriminals are spending considerable effort to impersonate legitimate companies.
Where once they might have used a brand associated with a local business, they are now shifting to global, tech-oriented brands. The logic is that people are more likely to fall victim to a phishing attack if the bait appears to come from a site they have actually interacted with previously.
Also, as single sign-on technology is incorporated into more and more apps, credentials for large, influential companies such as Apple, Google, and Microsoft provide access to more than just email. They have essentially become a digital key to the front door.
This key can provide access to layers of both personal and business data. These companies are not at fault, however; they are simply used by malicious actors because they are recognisable and considered trustworthy.
According to the Jamf research, the top three brands impersonated in phishing messages that successfully tricked users in 2021 were Apple, PayPal, and Amazon, which account for 43%, 27% and 9% of attacks respectively.
An evolving security challenge
The evolution of phishing campaigns is showing no sign of slowing down, so new tricks and tactics are likely to appear in the months and years ahead. For organisations and individuals to have the best chance of avoiding falling victim, ongoing user education is key.
IT and security teams must take the time to inform all users about the risks posed by phishing attacks, what to be watchful for, and what to do if they receive one. It won’t remove all risks, but it will reduce the chance of a successful attack.
Lloyd Thomas is Security Sales Manager at Jamf.