Phishing Attacks Shift to IT, Online Services-Related Campaigns
More IT and online services-related email subjects are being used as a phishing lure, as phishing emails continue to be one of the most common methods to perpetuate malicious attacks on organizations worldwide.
These were among the key findings of KnowBe4’s latest phishing report, which also found tax-related email subjects became more popular as the U.S. prepared for tax season in Q1.
In Q1, holiday phishing email subjects were also deployed, luring victims with incentives such as a change in schedule, gift card and spa package giveaway.
Phishing With a Trusted Lure
Roger Grimes, data-driven defense evangelist at KnowBe4, explained that attackers are always trying to use a well-known brand as their lure to make potential victims trust them more.
“Defenders can fight back by teaching employees that they can’t innately trust an email or message simply because it appears to come from an otherwise trusted person, service or organization,” he said. “Every email must be reviewed to determine if it has any signs of potentially being a scam.”
Grimes added that AI-driven phishing campaigns loom large this year, where not only are relatively unskilled and uneducated scammers crafting better, more legitimate-looking phishing attacks, but also are able to better respond to potential victims who ask questions.
“You’d be shocked how good the AI-generated answers are to potential victim questions—they’re very realistic and plausible sounding,” he says.
Mika Aalto, co-founder and CEO at Hoxhunt, agrees AI and large language models like ChatGPT are being used to create more convincing phishing messages at scale.
“There’s also an increase in attacks initiated via fake social media accounts and MMS,” he said. “AI lowers the technical barrier to create a convincing profile picture and impeccable text, not to mention the ability to code malware.”
He pointed out the threat landscape is shifting incredibly fast now with the introduction of AI, but said the good news is that AI can also be used to defend against sophisticated attacks.
“We’ve seen that good training continues to have a protective effect against AI-generated threats,” Aalto said.
Identifying the Threat
Darren Guccione, CEO and co-founder at Keeper Security, said some of the most common signs of a phishing or scam email are misspellings and bad grammar, email addresses that don’t match the sender’s information and unexpected links or attachments.
“The emails will often contain a grandiose promise or urgent message that pushes you to take action,” he explained. “If you receive an email or promotion that you didn’t anticipate, it’s best not to click any links or download any files from it.”
This is because many email phishing attacks use these types of tactics to spread malware that will infiltrate the device and can gain access to personal information.
“Even if you recognize the sender, it’s still good practice to use a separate communication channel, such as a phone call, to confirm they were the ones who sent it,” he added.
Grimes agreed it is best to create a culture of healthy skepticism for any message, no matter how it arrives (e.g., email, web, chat, SMS, social media), if it is both unexpected and is asking the recipient to do something for the sender that the recipient has never done before.
“Teach everyone receiving a message like that to first verify the request as legitimate using some other known legitimate method before performing the requested action,” he said. “Deliver security awareness education and simulated phishing attacks monthly, covering popular topics and scenarios that the end users are likely to see and face.”
Zac Warren, chief security advisor, EMEA, at Tanium, said to ensure employees are aware of phishing risks, organizations can provide initial and ongoing training, conduct simulated phishing exercises, communicate regularly, establish reporting procedures and consider offering incentives.
“By doing so, organizations can create a culture of cybersecurity awareness and help employees identify and report suspicious emails,” he explained.
He added that organizations can prepare for emerging threats by staying up-to-date on the latest techniques, updating security controls and defenses, and training employees to recognize and report suspicious emails.
To measure the effectiveness of anti-phishing strategies, organizations can use metrics such as the number of phishing emails blocked or reported, the percentage of employees who complete training and the success rate of simulated phishing attacks.
“These metrics can be tracked over time to assess progress and identify areas that require improvement,” Warren said.
Grimes noted that the best measure of anti-phishing awareness is whether the organization is or isn’t compromised by a successful phishing campaign—that’s what matters most.
Next is determining the percentage of end users who will willingly click on a simulated phishing link and respond to its request, known as the phish-prone percentage rate.
“The average new customer that comes to us has over a third of their employees that will respond to a simulated phishing email, but after a year of monthly training and simulated phishing tests, that phish-prone rate usually falls to 5% or below,” he said.
