While phishing is an evergreen cyberthreat, phishing attacks and scams in 2019 made headlines way too often.
Looking at the news from the last year, we gathered the most typical phishing attacks and scams, as well as some jaw-droppingly exciting statistics and facts.
One thing is sure: phishing is widespread – 91% of sophisticated cyberattacks start with email. We expect that phishing will remain a dominant attack vector. Hackers like to commit phishing attacks because these are easy to carry out, and the rewards can be stellar. With minimal effort, they can make a good profit.
The bad news for you is that it’s extremely difficult to build your defences against phishing. Reading this article will help you to become familiar with popular phishing attack and scam types.
Remember that all businesses are under threat. Whether you work for a small business or a global enterprise, you need to face the existing risks of phishing.
Our not-so-secret purpose with this article is to create awareness about this massive issue and about the fact that you can never be prepared enough to fight back.
Now we will look into what attack types dominated the phishing attack and scam landscape in 2019.
According to a study, 43% of the UK’s small- and medium-sized enterprises (SMEs) were targeted by phishing attacks that used staff impersonation over the last 12 months (between September 2018 and September 2019). According to Comtact, 76% of businesses in the UK were affected by phishing attacks.
Impersonation can be extremely convincing because of the personal factor. People are more likely to act or click a link when the email comes from someone they know and the email sounds real. That is why impersonation phishing attacks and scams are likely to be successful for the attackers and cost businesses a fortune.
Another reason why impersonation as a phishing scam works very well is that companies take very little to no action in terms of reducing their human cyber-risk.
Business Email Compromise – BEC
In 2019, business email compromise (BEC) attacks were on the rise. BEC is also known as CEO fraud. In a way, this type of attack is very similar to impersonation. The attacker chooses the victim and hijacks a C-level executive’s email (usually using an email that looks very similar to the original one). In the email, they often urgently ask people to make a money transfer or purchase a service. They could also compromise a user’s account through traditional harvesting.
Last year was big for BEC attacks. Among the victims were Toyota and Nikkei.
Toyota (to be more precise, Toyota Boshoku Corporation, a major supplier of Toyota auto parts) ended up paying $37 million because of a BEC email scam.
Nikkei America’s employee transferred $29 million to hackers after falling victim to a business email compromise. In this case, too, BEC scammers were posing as a Nikkei management executive.
According to an FBI report, BECs affect business globally, and over the last 3 years, attackers fleeced $26 billion.
Some believe that at least 85% of businesses receive at least one BEC in a year.
Do you want to learn more about BEC? Get our free ebook on business email compromise now.
Vishing & Smishing
When we are talking about phishing, we mainly focus on emails. Vishing and smishing were on the rise during 2019.
Vishing is when you think you get a credible phone call, for example, from your bank. Smishing means that the attackers try to steal your credentials or compromise your accounts through text message (sms). In reality, attackers are posing as an authority (e.g., your bank) to trick you into giving up your credentials.
Vishing and smishing can come hand in hand. For example, the script could be the following:
- An unknown number is calling.
- The attacker poses as an authority (e.g., an employee from your bank).
- They will claim that you are under attack – for example, that your credit card was used in another state.
- They could then ask for your ID, and you would receive a text message. (This is where smishing starts.)
- You receive a text message with a code the attacker needs to reset your password.
- Once you tell them the code, they access your account.
- At this point, they could read back a few transactions to you to seem legitimate.
In just a few minutes, your bank account could become compromised. This example is based on a real-life story. If you want to read the original story, head over to CNN.
Typically, all these attack types mentioned earlier utilize social engineering techniques. Attacks spreading malware rarely utilize technical flaws, instead, hackers tend to rely on social engineering. It is no wonder then that in a survey, 75% of respondents said that email phishing scams are their top security risk. At the same time, the number of social engineering attacks has been increasing 16% year over year.
Government-backed hackers were also engaging in phishing activities during 2019.
Google detected a steady stream of phishing attacks from cyberspies. Between July and September 2019, there were over 12 000 warnings when hackers tried to attack Google accounts. Of the affected users, 90% were hit with phishing emails. In these emails, hackers typically posed as ‘Google’, using a lookalike email to ask people to reset their passwords.
Read the article on this topic from Google’s Shane Huntley, Threat Analysis Group, here.
Experts expect that government-backed hacking attacks remain important also in 2020. The Public Security Intelligence Agency (PSIA) of Japan released a warning regarding expected attacks against the Tokyo Summer Olympic and Paralympic Games in 2020. The agency discovered phishing emails that looked like emails from the Olympic staff.
Attacks Through Google
To continue with Google, if you have received an unfamiliar notification in Google Calendar, don’t click on it. It’s a new form of phishing attack that began spreading during May 2019.
People are trained against emails and other types of messages, but hacking people through calendar invites are rather new and can be successful in stealing people’s details.
Google commented that attackers sent phishing emails and used social engineering techniques, and the attacks did not happen due to a technical security vulnerability.
We have just recently created two videos on how attackers could utilize bugs/issues with Google to attack you and steal your password or spread malware on your systems. Find these here:
Google just released its Google Better Password Protection in Chrome against phishing. Read more about it here.
Wondering if you can identify phishing? Try yourself with Google’s awesome phishing quiz: https://phishingquiz.withgoogle.com/
Are you using Office 365? You may then notice that you have a phishing problem.
Avanan’s ‘Global Phish Report’ includes an entire chapter on this topic. In this report, they analysed 55,5 million emails from 20 companies and 100 000 users.
Out of the 55,5 million emails analysed, 52 379 886 emails were emails from an Office 365 environment. Out of this, 1,04% (546 247 emails to be exact) were phishing emails. (For more interesting statistics, you should check out the report!)
Nevertheless, the problem is the following:
“Of the phishing attacks we analysed, 25% bypassed Office 365 security, a number that is likely to increase as hackers design new obfuscation methods that take advantage of zero-day vulnerabilities on the platform” – Avanan wrote in the report.
This means that Outlook’s message filter is only 75% effective. As we predicted in our cybersecurity trends 2020 article, one cannot rely solely on technology’s effectiveness to protect a company against cyber threats.
If you are a small company that does not invest in advanced phishing training, you can utilize the Attack Simulator in Office 365.
Social Media and Online Shopping
You might not have thought about it, but employees using social media and doing online shopping on work computers could put your business at risk. Social media is increasingly being abused for phishing attacks. In 2018, the abuse of social media increased by 200%, and in 2019, Instagram (who also implemented anti-phishing to prevent phishing attacks on Instagram) and Facebook saw a 74,6% increase in phishing through their platforms. Social media played a role in about 5% of phishing attacks.
A while ago, we published an article on why it’s a problem when your employees use your Wi-Fi or work devices for online shopping.
In a survey, 69% of people claimed that they have shopped online from work. This number is 81% among millennials. It’s a problem because when they use your network and devices, they put sensitive data at risk – if malware spreads, attackers could easily steal your information. If they use the same password for online shopping as for work and it gets stolen, it could also compromise your systems.
Employees Are Still Falling for Phishing Attacks and Scams
Sadly, employees are still falling for phishing attacks and scams. We expect that this trend will continue unless companies start to focus on the only right resolution: changing employees’ behaviour.
We’ll get there in a moment, but before that, let’s look at some facts.
- 80% of employees say that they have a hard time differentiating a phishing email from a real one.
- 49% claimed that they clicked on a link in an email from a previously unknown sender.
- Another research from GetApp presented similar numbers: a quarter of businesses are falling to phishing attacks, and nearly half of employees (43% to be exact) had clicked on a phishing email before.
- 48% of 4000 people surveyed by Webroot claimed that they had had their personal or financial data compromised previously – despite this, 35% had not bothered to change their passwords.
- 60% of people would open and act on an email received from their superior – and attackers exploit on it (e.g., CEO impersonation).
- Only 27% of companies provide some form of social engineering awareness training.
These are alarming statistics that should make everyone in a business concerned, not just cybersecurity professionals.
We interpret the data as follows: a majority of companies do not invest in employee cybersecurity training. Even if they do, it is often just simply cybersecurity awareness. Cybersecurity awareness does not mean that employees would be up to date with the latest phishing attack types. It is also unlikely that people would be able to recognize phishing emails without proper training. It takes more than awareness to ensure that people behave in a certain way that could help protect your business.
To successfully safeguard your company from phishing attacks and scams in 2020, employee training will be essential. To learn more about it, we suggest that you head to our Cybersecurity trends in 2020 article.