Phishing attacks that attempt to extract sensitive information through the use of links and downloads have long been a significant threat to company data.
Phishing emails, in particular, have seen even big business names like Sony, Google, and Facebook falling foul. In fact, scams of this nature are so prevalent that they cost businesses an average of $3.92 million in settlements, repairs, and more each year.
2020 witnessed a 73% spike in phishing attacks — likely driven by the remote working shift and economic downturn. Worse, the face of phishing has changed, with new and often independent cybercriminals going for the jugular with targeted emails and scams that play on business vulnerabilities/personal concerns.
To stay safe, companies must reassess security, and shift their defences to meet these new challenges. The question is, what exactly do phishing attacks look like in 2021, and how can you protect yourself in an uncertain future?
1. Covid-themed phishing attacks are catching
Phishing attacks have always preyed on people’s vulnerabilities, and never has that been more the case than this past year. The first coronavirus-themed phishing emails were spotted as early as March last year, and these tailored attacks have been gaining traction ever since.
Perhaps more worryingly, this switch towards scams that tap into current concerns goes alongside a significant increase in keyloggers and clone phishing. These methods allow hackers to hijack business email addresses and accounted for 70% of data breaches last year.
Strategies to help:
These two trends work dangerously alongside one another to enable phishing scams that can mimic the World Health Organisation (WHO), the Centers for Disease Control (CDC), GOV.UK, and even your own in-business email address. Employees are far more liable to click a link when these malicious emails get lost among the many official notifications the past year has sent to our inboxes. As such, it is now more important than ever that organisations stop these sometimes difficult-to-spot phishing emails from reaching employee inboxes in the first place.
2. Targeted attacks have their eye on the prize
While mass phishing attacks are common, and help cybercriminals gain widespread personal information, we’ve also seen an increase in targeted phishing attacks — a.k.a spear-phishing. These tailored and personalised attacks involve emails sent to well-researched targets. Thus, attackers can more easily appeal to recipients, and may even use first names for authenticity, alongside geo-specific information in their attempts to steal important data.
While not necessarily a trend of the past year alone, this spear-phishing focus has come to the fore alongside the lower-volume attacks that very much arose out of 2020. Small businesses in particular are open to targeted attempts to gain access: a company of between 1 and 250 employees receives a malicious link in one in every 323 emails, compared with a much lower rate of one in every 823 emails for companies employing between 1,001 and 1,500 people.
Strategies to help:
A shift towards smaller-scale attacks makes malicious emails far harder for security software to recognise, while the tailored approach drastically increases the risk that several members of an ill-prepared remote team will be convinced. Attackers can thus exploit the changes already under way in company landscapes as well as undermining existing security structures. To overcome this, companies need fast incident response combined with endpoint protection that keeps a single compromised device from exposing the wider business network.
3. Ransomware is on the rise
Cybercriminals are exploiting the high levels of anxiety inherent in the pandemic. This, combined with those targeted attempts, has led to a somewhat unsurprising increase in the use of ransomware that threatens to publish customer bank accounts, phone numbers, and so on. In fact, an astounding 65% of organisations were impacted in some way by ransomware in 2020.
Strategies to help:
Effective ransomware defence (like cyber security in general) requires a multifaceted strategy, and each component is as important as the next.
- You need technical defences that limit your exposure to ransomware (for example, screening emails for potential threats).
- You need people-centric training to help staff identify suspicious activities and reduce successful attacks.
- You need contingency plans to accommodate an attack if/when it occurs.
On that last point specifically, ABI has recently supported the inclusion of ransomware payments in cyber-insurance policies. This is an important contingency option to explore. However, it’s worth keeping in mind that a willingness to pay ransoms may be partially behind the spike in attacks. More than half of businesses paid their ransoms in 2020, compared with just 45.1% in 2019.
Suggested reading: To learn more about ransomware, check out our blog — Ransomware trends 2021.
4. Microsoft masks attacks
We’ve already spoken about how clone phishing has increased the number of legitimate organisations being impersonated in cyber-attacks this past year. On a business-specific level, however, phishing attempts have also become a whole lot cleverer, using the prevalence of Microsoft 365 adoption to gain access to an organisation’s inner workings.
In a way, this is nothing new, with Microsoft having long held the top spot as the most spoofed brand due to the cohesive package that it offers. However, this past year has seen phishing attacks taking this focus further, with emails impersonating other brands that still lead back to Microsoft logins.
Strategies to help:
Spoofs of this nature have proven especially lucrative because newly remote employees no longer question being sent files and links. Worse, a step away from blatantly Microsoft-branded lures gives cybercriminals a curtain to hide behind, and only by putting these risks at the forefront of security training can companies stop employees from jumping straight into these downloads and login pages.
5. HTTPS won’t help you anymore
This last year has seen an astounding 80% of phishing websites served over HTTPS, the padlock that used to be read as a sign of a certificate worth trusting. Admittedly, this trend has been rising for years, but the added authenticity required for successful attacks in 2020 has been a turning point.
Strategies to help:
As HTTPS continues to gain traction with threat actors, the so-called SSL security benefits are proving to be more of a curse than a blessing, because a valid certificate suppresses the browser “not secure” warnings that many of us rely on. What’s more, HTTPS proves only that the connection between you and whoever controls the website is encrypted. That is absolutely useless if the website owner is the one looking to phish your details. Realistically, this is one more thing to keep in mind and account for across all of your other phishing defence priorities.
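The link-triage logic below is an added illustration of the points in sections 4 and 5 and is not code from the original post or from Six Degrees: it ignores the URL scheme entirely and instead judges a link by whether its host is one of a brand’s real domains, whether the host merely imitates that brand (digit look-alikes, extra labels), or whether an unknown host is asking for credentials. The allowlist, the `LOGIN_HINTS` keywords and the sample email body are all constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: a defender maintains this allowlist of real domains for the
# brands most often spoofed against their users (constructed for the example).
TRUSTED = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com",
                  "live.com", "sharepoint.com"},
}
# Digit substitutions commonly used to dress up look-alike hostnames
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Path/query words that suggest a credential-harvesting page (assumed list)
LOGIN_HINTS = re.compile(r"(login|signin|auth|password|verify)", re.I)
LINK = re.compile(r'href="([^"]+)"', re.I)

def is_trusted(host, domains):
    # Exact match or a real subdomain; "microsoft.com.evil.net" does NOT pass
    return any(host == d or host.endswith("." + d) for d in domains)

def triage_url(url):
    """Return (verdict, brand) for one link. The scheme is ignored on purpose:
    https only proves an encrypted channel to whoever controls the host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tokens = re.split(r"[.\-]", host.translate(HOMOGLYPHS))
    for brand, domains in TRUSTED.items():
        if is_trusted(host, domains):
            return "trusted", brand
        if any(brand in tok for tok in tokens):
            # Brand name appears in the host, but it is not a real brand domain
            return "lookalike", brand
    if LOGIN_HINTS.search(parts.path + "?" + parts.query):
        # Unknown host asking for credentials: treat as a harvesting page
        return "credential-page", None
    return "unknown", None

def triage_email(html):
    """Triage every href in a message body; returns [(url, verdict, brand)]."""
    return [(u, *triage_url(u)) for u in LINK.findall(html)]

# Constructed sample body: a courier-themed lure whose links include a genuine
# Microsoft login, a Microsoft look-alike over https, and an unknown host
SAMPLE = (
    '<p>Your parcel is waiting.</p>'
    '<a href="https://login.microsoftonline.com/">Sign in</a>'
    '<a href="https://micr0soft-secure.example.net/login?ref=parcel">View</a>'
    '<a href="https://tracking.example.org/verify-account">Track</a>'
)

if __name__ == "__main__":
    for url, verdict, brand in triage_email(SAMPLE):
        print(f"{verdict:16} {brand or '-':10} {url}")
```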
Phishing defence best practices
With the above in mind, organisations need to return to the security drawing board with multi-faceted approaches that both overhaul employee training and security software. Specifically, in the face of phishing changes, businesses need to focus on what to do if an attack does land, because some are almost guaranteed to get through. As such, security in 2021 should be about both prevention and further focuses such as:
- Quick responses
- Increased, multi-layer network protections
Unfortunately, these once standard security practices are harder to employ than ever in a risk landscape that’s still very much shifting. Worse, companies are increasingly falling behind as they scramble to perfect security in scattered BYOD landscapes.
At Six Degrees, we help our clients face unknown threats and challenges just like this. For example, a combination of MDR (managed detection and response) and an endpoint security system can dramatically reduce your organisation’s total exposure to phishing attacks, and simplify the challenge of managing remote workflows securely. However, that’s just one option. If you want to learn more, get in touch: we’re happy to help!