In its recently released “ThreatLabz Report”, Zscaler reports a dramatic 29% growth in overall phishing attacks for the year 2021 compared to previous years. The report was prepared by the well-equipped research team at Zscaler Inc., which analysed data from more than 200 billion daily transactions and 150 million daily blocked attacks to identify emerging threats and track malicious actors targeting government, non-government, retail and wholesale entities across the globe. Among other findings, the report discusses the emerging trend of ‘phishing-as-a-service’.
Phishing attacks are responsible for more than 80% of reported security incidents, and more than 90% of cyberattacks that infiltrate an organization arrive via email. Phishing has always been one of the most pervasive cyberthreats, and these attacks are executed through methods the attacker selects based on the target. One reason this type of attack grows in prevalence every year is its low barrier to entry. The attacker also plans the approach around the prevailing situation and the psychological makeup of the target/victim, exploiting events such as the COVID-19 pandemic, the war in Ukraine, vaccination drives, cryptocurrency, etc., to convince unwitting victims to hand over confidential data such as passwords, banking information, login credentials, etc.
What Are Phishing Attacks and Their Popular Methods of Execution?
Phishing attacks are online attempts to get you to give up valuable information, which can lead to theft of credentials, financial loss, or other consequences. Hackers or attackers may use various methods: sending spoofed emails, setting up fake websites, and trying to contact you through social media.
There are mainly five types of phishing:
- Email Phishing: In this format the attacker sends an email to recipients under a chosen campaign or theme, aiming to entice the victim to click on a link or reply with new information. The attacker intends to capture the relevant details for profit, or to facilitate a further action.
- Spear Phishing: This format targets a specific user using details captured from other sources, normally the dark web or sources that have been found to be compromised. It plays on your emotions by seemingly coming from a trusted source (known as an “impersonation attack”), with contact details that look like the legitimate ones.
- Whaling: In a whaling attack the attacker is more victim-centric. Whaling is a method used by cybercriminals to masquerade as a senior figure at an organization and directly target senior or other important individuals there, with the aim of stealing money or sensitive information or gaining access to their computer systems for criminal purposes. This form of attack is also known as C-suite fraud. It is normally executed via email: the attacker either impersonates a C-suite executive or sends an email to a C-suite executive in the organization. The email is framed so that the matter appears relevant and urgent, and it seeks access to sensitive details or a password, or requests the transfer of money or vouchers to carry out a company function.
- Smishing/Vishing: This is phishing on smartphones, using either SMS or voice. Smishing uses texts or SMS in place of email, while vishing uses voice messages and robocalls to the same effect. For example, a user receives a call or text claiming to be from their bank; the attacker applies urgency and seeks an immediate response with the aim of gathering personal information.
- Angler: This is a type of phishing that uses social media to retrieve information. The attacker may have singled out a victim and, by observing or monitoring their social media posts, waits for complaints about certain products and services, or otherwise senses a need of the victim. The attacker then intercepts the communication and responds, or offers to make things right by impersonating customer service. In an angler attack the attacker must spend more time understanding the victim's behaviour end-to-end and their specific situational need for help.
Organizations Most Targeted by Phishing Attack based on Statistics for the Year 2021
Phishing Attack with Country-wise Heat-Map based on Statistics for the Year 2021
What Can Individuals/Enterprises Do to Avoid Phishing Attacks?
- Educate the audience on the key characteristics of a phishing attack.
- Verify the sender's email ID; configure a good email gateway.
- Inspect URLs provided in the body of an email before opening them; configure a good web gateway.
- Update passwords regularly and install anti-virus software, spyware filters, email filters and firewall programs; these also help in avoiding phishing attacks.
- Pay attention to subtle differences in website content.
- Avoid divulging personal information through SMS or telephone calls.
- Verify the other party before divulging any information directly or indirectly related to personal data.
- Subscribe to threat intel solutions.
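Two of the checks above (verify the sender's email ID; inspect URLs in the body before opening them) can be automated as a first-pass triage before a message reaches a user. The following Python script is an added example written for this article, not code from Zscaler or the report. It parses a constructed sample email, flags a display name that claims a trusted brand while the From domain differs, a Reply-To that points elsewhere, urgency language in the subject, links whose visible text differs from their real destination, links to raw IP addresses, and look-alike hostnames built with digit-for-letter swaps. The trusted domain `examplebank.com`, the sample messages and the confusable table are assumptions for the demonstration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical brand the organisation trusts (assumption for this example).
TRUSTED_DOMAINS = {"examplebank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "within 24 hours")
# Digits commonly swapped for letters to build look-alike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: a phishing lure that exhibits several of the warning signs.
PHISH_EMAIL = b"""From: "ExampleBank Support" <support@examplebank-secure.co>
Reply-To: collect@mailer.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>
<p>Or use <a href="http://192.0.2.10/verify">our secure portal</a>.</p>
</body></html>
"""

# Constructed sample: a legitimate message from the trusted domain.
BENIGN_EMAIL = b"""From: "ExampleBank" <statements@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.examplebank.com/statements">View statement</a></p></body></html>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address string ('' if none)."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (sufficient for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(host: str, trusted: str) -> bool:
    """True if host imitates trusted via confusable characters or a 'brand-' prefix."""
    reg = registered_domain(host)
    if reg == trusted:
        return False  # the genuine domain is not an imitation
    normalised = reg.translate(CONFUSABLES).replace("rn", "m")
    return normalised == trusted or reg.startswith(trusted.split(".")[0] + "-")


def header_findings(msg) -> list:
    """Sender-verification checks on From, Reply-To and Subject."""
    findings = []
    from_hdr = msg.get("From", "")
    display_name, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To", ""))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_dom != trusted:
            findings.append(f"display name claims '{brand}' but From domain is {from_dom}")
        if looks_like(from_dom, trusted):
            findings.append(f"From domain {from_dom} imitates {trusted}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        findings.append("subject uses urgency language")
    return findings


def extract_links(html: str) -> list:
    """Return (href, visible text) pairs for every anchor in the HTML body."""
    return [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in LINK_RE.findall(html)]


def url_findings(links) -> list:
    """URL-inspection checks: IP literals, text/href mismatch, look-alike hosts."""
    findings = []
    for href, text in links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address {host}")
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown} but points to {host}")
        for trusted in TRUSTED_DOMAINS:
            if looks_like(host, trusted):
                findings.append(f"link host {host} imitates {trusted}")
    return findings


def triage(raw: bytes) -> dict:
    """Parse a raw message and return a finding count plus the findings themselves."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    findings = header_findings(msg) + url_findings(extract_links(html))
    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        result = triage(raw)
        print(f"{name}: score={result['score']}")
        for line in result["findings"]:
            print("  -", line)
```

The script is a triage aid, not a verdict: the registrable-domain and look-alike heuristics are deliberately simple, and a real gateway would add authentication results (SPF, DKIM, DMARC) and reputation lookups on the extracted hosts before deciding what to quarantine.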
Zscaler Inc. reviewed 12 months of global phishing data from the Zscaler security cloud to identify key trends, industries and geographies at risk, and emerging tactics, and published the findings as the Zscaler ThreatLabz Report 2022.
Zscaler Inc. is a cloud security company headquartered in San Jose, California. The company’s cloud-native technology platform, the Zscaler Zero Trust Exchange, is designed to help enterprise customers secure their employees, applications, and data as infrastructure and applications move to the cloud and as employees connect to work remotely, off the traditional corporate network. (Source: https://www.wikipedia.org/)