Phishing Used to Get PII, not Just Ransomware
With all of the focus on ransomware attacks, it’s easy to forget about the damage done by email phishing. Yet, new research from Vade shows that phishing has seen a meteoric rise in the first half of 2021, including a 281% increase in May and a 284% increase in June. And what they want is personally identifiable information (PII).
Phishing is one of the oldest yet most effective social engineering attack vectors, and that’s because the threat actors remain one step ahead of their targets.
“H1 saw a surge of advanced phishing attacks featuring sophisticated automation techniques and abuse of high-reputation domains. Due to the high level of targeting and automation we have seen in the first half of 2021, we should place less emphasis on the total number of unique URLs detected and more on the nature and quality of the threats received,” the report stated.
This observation was seconded by Ivanti, which found that 74% of respondents to their survey said their organization was a victim of a phishing attack, 80% said they’ve seen a rise in phishing and 85% said the attacks were getting more sophisticated.
Based on the top 25 most-impersonated brands (the "phishers" list), it is clear that PII is the primary goal in these attacks. Of the top five most-mimicked brands, two are financial institutions and two are social media companies.
Although financial PII has always been sought by cybercriminals, the report speculates that the current rise in this type of phishing attack is the result of the pandemic and its effect on the global market. The deferrals on loan payments and the rise of government-backed loans to keep businesses running are now coming due.
“This is a significant weapon for phishers to wield against businesses and individual citizens who borrowed or deferred and could signal a continuance of the trend toward financial services phishing as payment moratoriums expire around the world,” stated the report.
On the other hand, there is the interesting case of social media. Even though only four social media companies were listed among the top 25 most-spoofed companies, they make up a quarter of all phishing URLs in the first half of 2021, with (not surprisingly) Facebook leading the way.
Malware’s Drop Off
Phishing is by far the most common cause of ransomware attacks. Datto’s Global State of the Channel Ransomware Report found that not only is ransomware the number-one malware threat, but also that phishing is the most successful attack vector. The reason is poor user practices; a lack of cybersecurity awareness training is setting up users to fall for social engineering attacks.
Early in 2021, ransomware and malware were at the top of the list of phishing trends, but the Vade study found that malware emails decreased as the year moved into Q2, even while overall numbers of phishing emails skyrocketed. The logical conclusion is that threat actors are switching gears—or that they at least do so with some regularity; earlier in the year, the focus was ransomware, and now they are after PII. As we move through the summer, if the pattern holds, there should be another uptick in malware phishing attacks.
Why Phishing Is Exploding
The problem of successful phishing attempts can’t just be blamed on end users. The cybersecurity skills shortage is also playing a huge role, according to the Ivanti study. One out of two companies has staff shortages, decreasing mitigation times. And the staff that remains is suffering from burnout, which also leads to more of the mistakes that let a phishing attack succeed.
Also, it is very easy to get fooled by a well-done phishing attempt. It even happens to IT and security professionals.
“While many organizations have been making investments in security awareness training initiatives, they should also be prioritizing and applying advanced automation, artificial intelligence and machine learning technologies to more quickly and consistently identify, verify and remediate phishing threats,” said Derek E. Brink, vice president and research fellow at Aberdeen Strategy & Research, in a formal statement about the Ivanti research. Threat actors see phishing as an easy way to make money, and they will continue to take advantage of the social engineering tactics that result in the big payoff.