The global quantity of phishing attacks rose by over 60% in 2022, and we do not anticipate that this particular cybersecurity threat will show any sign of letting up in 2023.
In fact, these phishing attempts are becoming increasingly sophisticated. For example, we recently reported on EvilProxy, a new phishing tool that is capable of bypassing Multi-Factor Authentication.
With that in mind, we have decided to examine some of the biggest emerging phishing trends, helping you to better understand what to watch out for and thereby mitigating the risk of Business Email Compromise (BEC) cases.
What is Phishing?
Phishing is a cybercrime technique employed by attackers to gain unauthorized access to sensitive information, such as login credentials or financial data, by deceiving individuals into divulging it through fake communication or websites.
These fraudulent communications can take various forms, including emails, text messages, and phone calls, and may appear to come from reputable sources like financial institutions or well-known organizations. The main objective of the attacker is to convince the victim to click on a link or provide personal information, which will later be utilized for illegal activities.
To protect oneself from phishing attacks, it is crucial to exercise caution when sharing personal information online or responding to unsolicited communication and to confirm the authenticity of the source before taking any action.
3 Phishing Trends to be Aware of in 2023
Geo-Targeted Phishing
The first item on our list of emerging phishing trends is Geo-Targeted Phishing. This is a tactic employed by cybercriminals to deceive victims by tailoring their phishing attempts based on the victim’s location.
Attackers use this method by incorporating local information such as phone numbers, addresses, or banks in the phishing message to make it appear more legitimate. This way, they can increase the chances of the victim falling for the scam.
For instance, a phisher can send an email to a victim living in Ireland, pretending to be from a renowned local bank and requesting the victim to update their account information. The email will include a link to a fake website that looks similar to the bank’s official website but is controlled by the attacker. Once the victim enters their login credentials on the fake website, the attacker can use them to gain access to the victim’s bank account.
Geo-Targeted Phishing can be particularly dangerous as it takes advantage of the victim’s trust in local organizations and can evade detection by anti-phishing tools that rely on IP addresses or other indicators of location.
To protect yourself from geo-phishing, it is essential to be vigilant when receiving unsolicited emails or calls, especially those that ask for personal information or login credentials. Always verify the authenticity of the source and never click on links or enter personal information on a website unless you are certain that it is legitimate.
Additionally, keeping your anti-virus and anti-malware software updated and running regular security scans on your devices can also help to prevent geo-phishing attacks.
People were inundated with geo-targeting phishing attempts in 2022 – we all got those texts pretending to be from AIB, An Post, or some other familiar local institution. We expect that these attacks will become even more prevalent in 2023 as they can be used to reach large numbers of people at once and are a favoured method of social engineering.
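The fake-website links described above can be screened for before a user ever clicks. The following is an added example, not code from Radius or the original article: it pulls links out of a message and flags hostnames that imitate a local brand without belonging to its real domain. The allowlist entries (aib.ie, anpost.com), the sample messages and all function names are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumed allowlist: brand keyword -> domains the organisation really uses.
# Verify each entry against the organisation's own published domains.
OFFICIAL = {"aib": {"aib.ie"}, "anpost": {"anpost.com"}}
# Common digit-for-letter swaps seen in lookalike hostnames.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages (not real campaign data).
SAMPLES = [
    "An Post: your parcel is held, pay the fee at https://anp0st-delivery.example/pay",
    "AIB: unusual activity, verify at http://aib.ie.secure-login.example/auth",
    "Track your parcel at https://www.anpost.com/track",
]

def is_official(host, domains):
    """True only for an exact match or a real subdomain of an allowed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)

def brand_in_host(host, brand):
    """Look for the brand, or a near-miss spelling of it, in the hostname."""
    norm = host.translate(SWAPS)
    labels = re.split(r"[.\-]", norm)
    if len(brand) < 5:
        # Short names: match only at a label edge to limit false positives.
        return any(l.startswith(brand) or l.endswith(brand) for l in labels)
    if brand in norm.replace("-", ""):
        return True
    # Fuzzy match catches dropped or transposed letters in longer names.
    return any(SequenceMatcher(None, l, brand).ratio() >= 0.8 for l in labels)

def flag_lookalikes(message):
    """Return (host, brand) for each link that imitates an allowlisted brand."""
    hits = []
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower()
        for brand, domains in OFFICIAL.items():
            if host and not is_official(host, domains) and brand_in_host(host, brand):
                hits.append((host, brand))
    return hits

if __name__ == "__main__":
    for msg in SAMPLES:
        print(flag_lookalikes(msg), "<-", msg)
```

The second sample shows why the check compares the end of the hostname: a genuine domain placed at the front of an attacker-controlled hostname does not make the link official.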
Artificial Intelligence
As technology continues to advance, so do the methods used by cybercriminals. One area in which this is particularly evident is in the realm of phishing.
Artificial Intelligence (AI) is being utilised more and more in these types of attacks, making them more sophisticated and harder to detect.
Here are a few examples of how AI is being employed in the latest phishing trends:
Email Filtering
As cybercriminals look for new ways to evade detection, they are turning to AI to help them bypass email filters that are designed to block phishing.
By utilizing natural language processing (NLP) and machine learning (ML) techniques, attackers can craft emails that are more likely to slip through the filters and reach their intended target’s inbox.
Social Engineering
Cybercriminals are using AI to make their social engineering attacks more convincing.
By using AI-generated text or voice, attackers can impersonate a trusted individual or organization, making it more difficult for victims to identify the communication as fraudulent.
More Targeted Attacks
Cybercriminals are also using AI to launch more targeted attacks.
By utilizing machine learning algorithms to study a victim’s online behavior and personal information, attackers can create phishing attempts that are more likely to succeed.
Phishing Detection & Prevention
It is worth noting that while AI is being used in phishing attacks, and its application in cybercrime is expected to increase significantly in 2023, there is also a growing use case for AI in detecting and preventing phishing.
Anti-phishing tools are leveraging AI and machine learning to identify patterns of phishing attempts within the email content. This allows for more efficient and accurate detection of phishing attempts.
Furthermore, AI can also be used to educate users on how to recognize phishing attempts and how to protect themselves.
Bypassing Multi-Factor Authentication
Security measures are constantly evolving to stay ahead of cyber threats, and one of the most effective methods is Multi-factor Authentication (MFA). This method of protection requires users to provide multiple forms of identification in order to access a system or account.
MFA is considered to be a robust defense against phishing attacks, as it makes it much more challenging for attackers to gain unauthorized access to an account. However, phishers have found new ways to bypass MFA by using various tactics.
One such tactic is “Phishing 2FA.” This method is a type of phishing attack that focuses on the second factor of authentication, usually a one-time code that is sent via text message or generated by an authenticator app.
The attacker tricks the victim into providing their second-factor code by sending a phishing email or text message that appears to be from a legitimate source. This allows the attacker to access the account even with the MFA in place.
The Radius Incident Response team has recently observed a significant increase in the number of Business Email Compromise (‘BEC’) cases ending in attempted payment fraud. Most of these cases appear to be linked to a global phishing campaign using a new tool called EvilProxy, which is used to bypass most forms of multi-factor authentication (‘MFA’) and compromise user accounts.
It is important to note that these tactics are always evolving and new methods are constantly being developed, so it is crucial to stay informed on the latest tactics used by phishers and to implement a multi-layered security solution that includes multi-factor authentication.
These sorts of attacks are expected to become more frequent in the year ahead, so generating awareness and practicing vigilance are key.
Build a Security-focused Culture
When it comes to protecting your organisation against phishing and cybersecurity threats, education is your best line of defense.
Security awareness training leads to employees being 30% less likely to click on a phishing link and reduces the cost of phishing by 50%.
At Radius, we deliver engaging training programmes that instill a security-focused culture where employees actively participate in the security process.
Here is what is involved:
- Simulated phishing
- Engaging training
- Customisable schedules
- Analytics and reports
Learn more about our training package here.
If you think your organisation is at risk of falling foul of phishing or would like to know more about it, contact our team today.