According to the ESET Threat Report T1 2022, email threats rose by 37 percent in the first four months of 2022. Phishing scams use fraudulent emails to trick users into installing malware, giving up their credentials, or making corporate money transfers. Scammers use social engineering techniques designed to make the victim rush into action without thinking.
These tactics include:
- Spoofed sender IDs, domains, and phone numbers, sometimes using typosquatted or internationalized domain names (IDNs)
- Hijacked sender accounts, which are nearly impossible to detect as phishing attempts
- Online research (via social media) to make spear phishing attempts more credible
- Use of official logos, headers, footers, etc.
- Creating a sense of urgency or excitement that pushes the user into hasty decisions
- Shortened links that hide the true destination
- Creation of legitimate-looking login portals, websites, etc.
According to the latest Verizon DBIR report, four vectors were responsible for the majority of security incidents last year: credentials, phishing, exploits, and botnets. The first two of these come down to human error. A quarter (25%) of the total breaches examined in the report were the result of social engineering attacks. Combined with human errors and privilege misuse, the human element accounted for 82% of all breaches.
Distracted and home workers with poorly protected devices have been brutally targeted by threat actors. In April 2020, Google claimed to block as many as 18 million malicious and phishing emails worldwide every day.
As many of these employees return to the office, there is also the risk that they will be exposed to more SMS-based (smishing) and voice call-based (vishing) phishing attacks. Users on the go may be more likely to click on links and open attachments they shouldn't. This can lead to:
- ransomware downloads,
- banking Trojans,
- data theft and data breaches,
- cryptomining malware,
- botnet deployments,
- hijacked accounts used in subsequent attacks,
- business email compromise (BEC), resulting in money lost to fraudulent invoices and payment requests.
While the average cost of a data breach is over $4.2 million, a record high, some ransomware breaches cost several times that.
ESET Turkey Product and Marketing Manager Can Erginkurban emphasized that training is always important: “Regular training should be carried out in order to prevent attacks against employees. Phishing awareness training should be only part of a multi-layered strategy to combat social engineering threats. Even the most trained personnel can sometimes fall victim to sophisticated scams. That's why security controls are also important. If you want to protect your organization against phishing attacks, you should definitely support your employees with training.”