Phishing Scams Set New Records (Don’t Take the Bait!)

This is Part 2 of our Case for Cybersecurity Awareness in support of Cybersecurity Awareness Month. The National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency (CISA) lead this annual initiative.

Cybersecurity Awareness Month was started in 2004 to raise awareness of the importance of cybersecurity in our digital activities, which range from emails and social media posts to website visits and online payments. We spend a lot of time online and, as a result, so do cybercriminals.

Thanks to NCS and CISA for encouraging the use and sharing of online content and resources they have provided during Cybersecurity Awareness Month. This post borrows from those resources in order to spread the word to our readers.

The Importance of Cybersecurity

Cybersecurity is the art and science of protecting networks, systems, applications, electronic devices, and information from unauthorized access or criminal use. Knowing how to protect these assets is important for individuals as well as for organizations.

The purpose of cybersecurity is to maintain the confidentiality, integrity, and availability of data. In simple terms, this means keeping data private and secure, keeping it accurate and whole, and keeping it accessible to those who require it.

What is a Phishing Scam?

Phishing has a soft, non-threatening sound, doesn’t it? However, the fact is that phishing is now the second most common cybercrime in the world. A scheme, a scam, a ploy, a ruse—phishing is a highly effective social engineering technique. Successful phishing enables cybercriminals to collect information from you by fooling you into thinking their requests are legitimate. They will use your information to make unauthorized purchases, gain access to a secure system (such as your employer’s network) in order to steal volumes of data, or offer masses of personal information for sale on the dark web.

When phishing for unsuspecting victims, cybercriminals may use fake emails, social media posts, direct messages, and texts with the goal of luring you to click on embedded links and open or download attachments. The links and attachments contain malware that can infect your computer system and copy information from it. Alternatively, a link may redirect you to a website that looks legitimate and asks you to complete a form—which then captures your information for misuse by the cybercriminal.

Phishing has several variations. Smishing is conducted through text messages on cellphones. Vishing refers to phone calls that leave phishing voice messages. While phishing campaigns are sent to large numbers of potential victims, spear-phishing scams target selected individuals or organizations. Whaling is a form of spear-phishing that targets senior executives (the big fish). Business Email Compromise (BEC) is a related form of spear-phishing email that attempts to trick senior financial executives into transferring funds.

Phishing has been around for years. The first use of the term is traced to 1996. Since then, cybercriminals have continued to invent creative new ploys, phony requests, and deceptive messaging to hook their victims. As a result, phishing schemes are setting new records in 2022.

Phishing Scams Are #2 Cybercrime in 2022

Three leading research sources for information about data breaches and phishing attacks are IBM’s Cost of Data Breaches Report, Verizon’s Data Breach Investigations Report, and the Anti-Phishing Working Group (APWG). These sources collect, analyze, and report data, and monitor changes over time. The APWG posts quarterly reports on phishing.

• Phishing data from the APWG this year is disturbing. In the first quarter of 2022, the organization identified 1,025,968 phishing attacks, marking the first time the quarterly total has ever exceeded one million incidents. This pattern continued into the second quarter, which set another new record at 1,097,811 phishing incidents.
• The APWG also reported an increase in mobile phone-based fraud in the second quarter, traced to increased smishing and vishing activity. BEC attacks are also getting bolder. In the first quarter, an average of $91,436 per BEC incident was requested in fraudulent wire transfers. The average request rose to $109,467 per incident in the second quarter of 2022.
• According to the 2022 Cost of Data Breach Report published by IBM, phishing was the second most common cause of security breaches in 2022. Phishing accounted for 16% of all data breaches and cost an average of $4.91 Million per breach. Security breaches caused by phishing attacks were second only to breaches resulting from stolen or compromised user credentials, which cost an average of $4.5 Million per breach.

• The year before, an incredible 94% of phishing attacks were delivered through emails, according to Verizon’s 2021 Data Breach Investigations Report. Additionally, almost 40% of data breaches were caused by phishing scams with another 11% involving malware.

Global Security Magazine also follows what’s happening on the phishing front, noting that in the first quarter of 2022 cybercriminals used the LinkedIn social media platform in 52% of their worldwide phishing scams, a significant uptick from 8% the previous quarter. Amazon, Apple, Facebook, Google, and Microsoft remain the most frequently spoofed brands.

How to Screen Your Emails for Phishing Clues

Once you learn to recognize the signs of phishing, it becomes easier to spot phishing emails and to know how to react to them. When you receive a phishing email and recognize it for what it is, do not click on any links or open any attachments. Do not click on the Unsubscribe link, either. Just delete the email from your inbox.

There are certain signs to look for in spotting a phishing email. Any one of these clues is often enough to give it away, but if you notice more than one it‘s almost certainly a phishing email. And remember, even though 94% of all phishing was conducted via email last year, smishing and vishing are also on the rise.

• Does the email (or text, or phone message) contain an offer that sounds too good to be true? Such as an unexpected refund from the IRS?
• Does it include language that is urgent, alarming, or threatening?
• Is it poorly written, with bad grammar, misspellings, and typos?
• Is the greeting generic, or non-existent?
• Is it missing a subject in the subject line?
• Does the email include a request to send personal information, such as a password or PIN or an account number?
• Does it create an urgency for you to do something specific? Or does it cause you to fear that one of your accounts is in jeopardy?
• Is it a strange, or abrupt, business request?
• Does the company name in the sender’s email address match the company name you are familiar with? (Look for little variations in email addresses, such as @pavpal.com or @amazom.com; phishers have to use variations so that you respond directly to them and not to the real brand.)
• When you hover your cursor over the sender’s email address in the From field, what do you see? Does that email address match what’s displayed in the From field? Does it look suspicious for any other reason? You should always check the sender’s email address to verify its authenticity.

What to Do if You Suspect Phishing

If you suspect an email is fraudulent, reach out to the sending company or individual directly on a separate, secure platform—or call them. If the email includes a phone number, call it. If you receive a fast busy signal or an out of service message, you know it’s a fraud. An effective technique is to Forward the suspicious email to the sender’s address that you have copied and pasted into the new To field and ask them to verify. In most cases fraudsters will not respond. (Never reply directly to the suspicious email.)

Because it bears repeating, when you receive a phishing email and recognize it for what it is, do not click on any links or open any attachments. And do not click on the Unsubscribe link. Just delete the email from your inbox.

If you receive a phishing email at work, notify your IT team, and follow your company’s cybersecurity protocol. Your employer should offer classes to train employees to recognize phishing emails and other tactics. Take advantage of that training whenever possible!

An Ounce of Prevention

It’s important to remember that the more personal information you share about yourself online, the more likely you are to become a phishing scam target. Avoid oversharing your life on social media sites. And only visit websites whose URLs begin with “https.” The “s” indicates a “secure” site, where encryption is enabled to protect visitor information. Using secure sites is especially important when making financial transactions and online shopping payments.

Remember, also, that the FBI strongly advises against making ransom payments if you become the victim of a ransomware scheme. Instead, proactively put security measures in place before you are attacked, including backing up your data routinely.

Summary

Cybersecurity Awareness Month is an initiative of the National Cybersecurity Alliance and the Cybersecurity and Infrastructure Agency, who use the annual occasion to reinforce cybersecurity guidance for businesses and consumers.

Social engineering ploys, and particularly phishing scams, have become increasingly popular among cybercriminals and are usually the first step in costly ransomware schemes. The number of phishing incidents recorded by the Anti-Phishing Working Group has set new quarterly records in 2022, and phishing scams now rank as the second most common cause of data breaches, with 94% of them delivered right to your email inbox.

The irony of these statistics is that phishing emails are really easy to spot once you know what to look for. We all need to become more diligent in screening our emails for these clues. Organizations should take advantage of Cybersecurity Awareness Month to train employees and executives to recognize phishing emails and reinforce that training throughout the year.