What 2022 taught us about phishing

What 2022 taught us about phishing

2022 was such a huge year for phishing. According to IBM’s 2022 Cost of a Data Breach Report, phishing was the second most common initial attack vector (i.e., entry point or method that can be exploited to break into an IT system) of data breaches. Not only that, but phishing was also the costliest initial attack vector at $4.91 million.

Unfortunately, phishing is expected to become more prevalent in 2023 and beyond. As such, companies need to effectively protect themselves against phishing. One great way to do this is by staying on top of phishing trends.

Fewer visual cues

Today, phishing emails are harder to distinguish from legitimate ones since they no longer exhibit what used to be the most common phishing signs, such as:

  • Poor grammar and spelling
  • Generic salutations
  • Suspicious-looking email domain used by the sender

Cybercriminals are now using sophisticated tools to improve grammar and spelling. They are also launching more targeted attacks called spear phishing, wherein they craft personalized emails for their victim to increase the chances that the victim will respond as directed. What’s more, they are purchasing domains that look very similar to the legitimate ones to better trick their victims into opening phishing emails.

Since phishing attacks keep evolving, businesses also need to continuously update their cybersecurity awareness training to include the latest phishing tactics.

Read also: 4 Common types of phishing attacks

Rise in mobile phone-based phishing

Cybercriminals primarily launch phishing attacks through email messages and web pages. However, cybercriminals today are also conducting mobile phishing to take advantage of the fact that people are spending more and more time on their phones. In fact, in 2022, there was a 50% increase in mobile phishing threats compared to the previous year.

As the name implies, mobile phishing targets smartphones, tablets, and other mobile devices by launching the following types of phishing attacks:

  • Smishing – uses SMS or text messages
  • Vishing – uses voice calls and emails
  • App-based phishing – uses Facebook Messenger, WhatsApp, LinkedIn, and other apps

In 2022, numerous spear phishing attacks used WhatsApp and SMS. On these channels, cybercriminals pose as the victims’ coworkers and send out URLs that look like MS Teams invites. When the victim clicks on the link, they are taken to a landing page where they need to enter their Microsoft 365 credentials to supposedly log in to the meeting. But in truth, this would enable cybercriminals to steal those credentials.

Channels exploited for mobile phishing are typically less secure than email systems, making it easier for cybercriminals to trick users and steal credentials and other sensitive information. This highlights the need to improve security across mobile devices and apps used for work by implementing a mobile device management solution and identity and access controls.

Increase in zero-hour threats

Zero-hour threats, also known as zero-day threats, are those that haven't been seen before, so they don't match any known malware signatures. This means traditional signature-matching security solutions won't be able to detect these threats. Zero-hour threats are designed to cause maximum damage before security systems can detect and thwart them.

According to SlashNext's The State of Phishing Report 2022, 54% of all threats detected in 2022 are zero-hour threats. Of the zero-hour attacks detected, 76% were spear phishing credential harvesting and 15% were social engineering scams.

The rise in zero-hour threats shows that hackers today are continuously changing tactics until they find what works. That's why it's important to have detection measures that can identify and mitigate evolving threats in real time.

Keep your company safe from phishing by partnering with SpectrumWise. We offer email/spam protection and cybersecurity services that can keep all types of cyberthreats at bay. Schedule a FREE consultation with us today.