In our recent Trends in consumer cybersecurity report, RAV researchers dug into the threats faced by consumers over the past year. It was relatively unsurprising when phishing once again took the top spot for cybercrime activity.

There are different types and different ways that threat actors can perform a phishing attack. Let’s take a look at the most common and also the most insidious ways phishing is currently threatening the consumer cybersecurity landscape.

Related: What Is Phishing? Here’s how to protect yourself from attacks.

Email phishing

It may sound like old news, but email phishing attacks just don’t seem to stop – and it’s amazing how many people are still falling victim to them.

In February were Reddit employees victims of an email phishing campaign that affected hundreds of company contacts and employees. According to a Reddit rack at that point, “the attacker sent plausible-sounding prompts directing employees to a website that cloned the behavior of our intranet gateway in an attempt to steal credentials and second-factor tokens.”

Whether this attack could have been prevented is up for debate. At the very least, it is essential that an employee was informed enough to understand what was going on and raise the alarm with his security team. The faster an attack can be averted, the better.

In addition to email phishing via malicious links and attachments, the weaponization of office documents sent via email has also increased. Office documents hiding macro code are still very common, and in 2022 many files were sent as phishing documents to trick users into running the malicious code.

Related: 4 things your employees are doing right now that are putting your network at risk

Spearfishing

Unlike the traditional “spray and pray” approach, where mass phishing emails are sent to as many recipients as possible in the hope that they get at least a few hits, “spear phishing” is a targeted phishing attack. on a specific person or person. organization.

Cybercriminals will research their target to personalize the attack and increase their credibility, with the intention of persuading the target to disclose sensitive information or tricking them into making payments.

While finance teams and executives seem to be the most likely targets of spear phishing campaigns, sales departments may also be seeing an increase, especially as a sales team member is more likely to receive emails from outside an organization. These employees can be a viable entry point for hackers trying to infiltrate an organization.

Social media also plays a role here, as many employees who use social media, whether for personal or professional use, underestimate how large their digital footprint can be. In Q1 of 2022, LinkedIn users were responsible 52% of all spear phishing targets worldwideand users were warned to be wary of an increase in spear-phishing campaigns.

The biggest takeaway here should be that criminals are looking for the weakest link in a company, no matter who they try to target. One wrong click from an unsuspecting employee is enough, so they will keep trying again and again to trap their next victim.

And to take spear phishing attacks to the next level, “whale phishing” targets the most senior corporate members, such as the CEO or CFO. Whaling phishing techniques may involve impersonating these figureheads, tricking an employee into agreeing to transfer money to the attacker, or disclosing vital company information.

Related: Is Your Business Prepared for a Cyberattack? (infographic)

Smishing

In general, users mistakenly rely on text messages more than email. Since most smartphones can receive text messages from any number in the world, smartphone users don’t really get any text message privacy at all.

SMS phishing, also known as “smishing,” will trick a victim into revealing personal information via a link via attractive text messages. Unfortunately, not enough users are aware of the dangers of clicking links in text messages.

These links can lead to credential phishing sites or inject malware designed to compromise the phone itself. The malware can then be used to spy on the victim’s smartphone data or silently send sensitive data to an attacker-controlled server.

Compromised privacy

But what are we afraid of? What can a phishing attack lead to? Once a threat actor has access to data, they can get to work using it for their own nefarious purposes – be it to ransom the data, use it for financial theft, or create further disruption to a business ( e.g. doxing or cyber espionage). .

Atlassian, for example, recently past a cybersecurity breach in the form of a phishing attack that compromised customers and business inside information, including company maps. It is believed that the attack was carried out using an employee’s credentials. We see from this that phishing can lead to unwanted and unwarranted prying eyes into a company’s inner sanctuaries, and it puts both consumers and businesses at risk of further interference. The plethora of phishing techniques is probably why it is the attack method of choice for so many cybercriminals.

To protect against phishing attacks, whether you’re a consumer, employee, or business owner, it’s invaluable to follow a few basic guidelines:

• Be wary of unsolicited and unexpected emails, especially emails that ask for urgency.

• Double-check transactions or data disclosure through a secondary means of communication (e.g., phone calls or face-to-face).

• Watch out for telltale signs of phishing attempts, such as misspelling words, using URLs incorrectly, and completely irrelevant messages.

• In addition, keep an eye out for emerging technologies in the market – it remains to be seen whether newly available smart AI chatbots can be used to create phishing emails.

Make sure that all staff have it cyber security training. All employees should be aware of the basic tactics used in spear phishing emails, such as tax-related scams, CEO fraud, and other email social engineering tactics. Education and awareness are important defense skills, as most of these phishing techniques will only really succeed due to human error.