Almost everyone has received a phishing email at some point. Sometimes they are easy to spot; when you receive a message asking you to log in to your account at a bank you don’t use, for example, it’s easy to just delete and ignore.
Phishing attacks, though, are becoming more sophisticated, more common and more dangerous. Security experts now commonly rank phishing ahead of malware and ransomware (which remain a concern) as the more frequent threat; by one count, nearly 1 in 100 emails is a phishing email. And people continue to fall for them, despite knowing the risks.
Since email isn’t likely to disappear any time soon, it’s important to understand the current state of phishing, and how to avoid falling victim to an attack when it appears that a threat can lurk behind every notification.
Social Engineering: The Driving Force in Phishing
For some cybercriminals, phishing is just a crime of opportunity. They send spam to a list of addresses (usually bought for pennies on the dark web) and hope that someone (or many someones) bites.
That’s why you might receive those emails from unknown banks, or a streaming service you don’t use. The hackers have numbers on their side, realizing that of the thousands of emails they send, a few are likely to end up in the inboxes of real customers, and a few of them will fall for the ruse.
Although such opportunistic spam still accounts for some phishing attacks – and your internet security programs will block many of them – criminals are becoming more sophisticated and using social engineering to improve the success rate of their attacks.
In fact, in the third quarter of 2018, the number of social engineering attacks increased by 233 percent over the previous quarter, even though the overall number of phishing attacks rose only 11 percent over 2017.
Although social engineering covers any attack that manipulates someone into giving up confidential information that is then used for malicious purposes, its most common form is spear phishing.
Spear phishing isn't new, but it is becoming more common. Rather than sending the same email to everyone and hoping someone bites, spear phishing targets specific people and uses details about them (their name, role, colleagues or recent activity) to make the message credible.
For instance, a criminal might look up the names of executives or employees of a company and craft an email that appears to come from one of them, asking a colleague for information, a password or a payment.
It's not only businesses that fall victim to these targeted attacks, though. Thanks to social media and our willingness to share details online, cybercriminals can use the same techniques against individuals.
Other Trends in Phishing
A phisher's primary goal is to get you to act on an email, whether by clicking a link, opening an attachment or entering your credentials, and they are doing more than ever before to make their emails look real.
According to one report on phishing trends, nearly 300 brands were impersonated in phishing scams last year, including Facebook, Netflix, PayPal, Bank of America and Microsoft. A stolen login to one of these accounts gives the attacker payment details and personal information, as well as a trove of additional data that can be reused, for example to make a later spear-phishing message more convincing.
Phishing sites are also increasingly served over HTTPS. The padlock only means that the connection to that site is encrypted and that the site holds a certificate for its own domain name; it says nothing about who runs the site, yet users have long been taught to read it as a sign of legitimacy, and phishers exploit that false sense of security. And to get past filters that block emails containing suspected phishing URLs, some criminals put the malicious link inside an attachment rather than in the message body: a harmless-looking PDF or document carries a link that, when clicked, leads to a credential-harvesting page or a malware download that compromises the machine.
The key to avoiding phishing attacks is vigilance: remember that phishing is still a major problem, and that phishing emails may no longer be as obviously fake as they once were.
Use caution when opening emails and avoid clicking links from unknown senders. Even if you are fairly sure an email is legitimate, type the site's address into your browser (or use a bookmark) and log in there rather than following the link; if the notice was genuine, it will be waiting in your account.
It's also a good idea to use a password manager. A manager only offers saved credentials on the site (domain) they were saved for, so if you land on a look-alike login page after clicking a malicious link, it will not fill in your password, and that refusal is itself a warning that the site is not the one you think it is. Strong antivirus software that includes phishing protection will also help keep you safe.
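The two defensive ideas above (that an https:// link is not proof of legitimacy, and that a password manager matches credentials to the site's domain rather than to its appearance) both come down to comparing the registrable domain of a URL. The following is an added example, not code from the original article or from any password manager: a small domain-matching routine, an autofill policy built on it, and a link check that runs over a constructed HTML email body. The two-level suffix table and the sample email are assumptions made for this example; a real implementation would use the full Public Suffix List.

```python
"""Added example (not from the article): registrable-domain matching used for
a password-manager autofill policy and for flagging deceptive links in an
HTML email. Everything below is constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a stand-in for the Public Suffix List, which a real tool would use.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """'eTLD+1' of a host: www.paypal.com -> paypal.com,
    paypal.com.account-verify.example -> account-verify.example,
    login.bank.co.uk -> bank.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def ascii_host(url: str):
    """Host of a URL in IDNA (punycode) form, or None if there is no usable host.
    Comparing the ASCII form defeats homograph names: a Cyrillic 'a' in
    'pаypal.com' becomes xn--pypal-4ve.com and no longer matches paypal.com."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        return host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def should_autofill(saved_url: str, page_url: str) -> bool:
    """Autofill policy: offer a saved credential only when the page is served
    over HTTPS and its registrable domain equals the one it was saved for.
    How the page looks plays no part in the decision."""
    saved, page = ascii_host(saved_url), ascii_host(page_url)
    if saved is None or page is None:
        return False
    if urlsplit(page_url).scheme != "https":
        return False  # policy choice: never fill a login form on a plaintext page
    return registrable_domain(saved) == registrable_domain(page)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html: str, trusted_domain: str) -> list:
    """Flag every http(s) link whose target is not on trusted_domain.
    The visible text is reported alongside the href so the classic tell is
    visible: text that reads as the real site while the target is elsewhere.
    An https:// href is deliberately NOT treated as evidence of legitimacy."""
    parser = _Links()
    parser.feed(html)
    parser.close()
    flagged = []
    for href, text in parser.links:
        if urlsplit(href).scheme not in ("http", "https"):
            continue  # mailto:, relative anchors etc. carry no host to judge
        host = ascii_host(href)
        if host is None or registrable_domain(host) != trusted_domain:
            flagged.append((href, text, "target domain is %s" % (host and registrable_domain(host))))
    return flagged


# Constructed sample, modelled on the brand-impersonation emails described above.
SAMPLE_EMAIL = (
    "<p>Your account is limited. Sign in at "
    '<a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/signin</a>'
    " within 24 hours.</p>"
    '<p>Questions? <a href="https://www.paypal.com/smarthelp">Visit the Help Center</a>.</p>'
    '<p><a href="http://xn--pypal-4ve.com/update">Update billing details</a></p>'
)

if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_EMAIL, "paypal.com"):
        print("FLAG %r shown as %r: %s" % (href, text, why))
    page = "https://www.paypal.com.account-verify.example/login"
    print("autofill on look-alike page:", should_autofill("https://www.paypal.com/signin", page))
```

Two of the three links in the sample are flagged: the first because its visible text reads as paypal.com while the registrable domain of the href is account-verify.example, the third because its host is the punycode form of a homograph. The middle link, which really does point at paypal.com, passes, and so would a link to any other subdomain of that registrable domain. The same `registrable_domain` comparison is what keeps `should_autofill` from handing the PayPal password to the look-alike page, and it refuses on plain HTTP as well, which matches how mainstream password managers behave.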
Avoiding every phishing attempt is all but impossible in today's environment, especially with new attempts arriving via instant messaging and text messages as well as email. But understanding the threat and staying alert for anything suspicious will go a long way toward keeping you safe.