CyberSecurity SEE

Common subject lines in phishing emails

Phishing remains one of the most common methods used by attackers to gain access to sensitive information or install malware. Two notable cyberattacks in recent years, the Yahoo and Sony breaches, both began with a phishing email. These attacks targeted specific individuals and highlight the increasing threat posed by phishing.

According to researchers from ESET, the number of phishing attacks has seen a year-over-year increase of almost 30% in 2022. This rise can be attributed, in part, to advancements in AI language models that make it easier for attackers to compose convincing emails. As a result, it is likely that these numbers will continue to rise in the future.

Phishing attacks rely on social engineering techniques that exploit human behavior, often inducing a sense of urgency or curiosity. While anyone can fall victim to these attacks, there are steps individuals can take to protect themselves.

One common phishing tactic involves sending an email that claims a user’s session has expired and prompts them to sign in again. Clicking on the provided link takes the user to a fake website that resembles the real one. Inputting login credentials on this site allows attackers to gain access to the information. These emails often mimic messages from popular services like Amazon or PayPal to increase their credibility.

Another phishing tactic involves impersonating a corporate email account, particularly targeting employees responsible for financial matters. Scammers gather information about a company’s structure, language, and visuals to make the phishing email appear legitimate. These emails may come from someone posing as a CEO or another authority figure, instructing the victim to make an urgent payment to a specific account. This tactic was used to steal over CA$100,000 from the city of Ottawa in 2018.

Phishing emails can also exploit job offers to lure victims. These emails may contain malicious links or files along with requests to create an account and provide personal details. The Lazarus threat group has run campaigns using fake job offers to trick individuals, as discovered by ESET researchers. It is important for job seekers to verify the legitimacy of any offers they receive, especially on popular job advertising boards.

Attackers also take advantage of major events or holidays to launch phishing campaigns. For example, during the war in Ukraine, the threat group Fancy Bear ran an email campaign using a malicious file titled “Nuclear Terrorism A Very Real Threat” to trick recipients into opening it. Scammers also use holidays like Christmas to send phishing emails with fake offers or attachments related to holiday greetings.

Tax season is another prime time for phishing attacks. Scammers send emails impersonating tax agencies, claiming that information is missing or offering refunds in exchange for personal or financial details. These emails exploit the fact that people are more likely to receive communication from tax authorities during this time.

Some phishing emails have little to no content, encouraging recipients to open an attached file to learn more. Recently, ESET Research uncovered a campaign targeting corporate networks in Spanish-speaking countries that used short emails with PDF attachments. These attachments redirected victims to cloud storage services, where they could download malware.

To protect against phishing emails, individuals should read emails carefully and avoid clicking on anything automatically. They should also check the sender's email address to ensure it matches the real domain. Red flags to look out for include urgent or threatening emails that require an immediate response, and requests for credentials or for personal or financial information. Grammar mistakes, spelling errors, and typos can also indicate a phishing email. It is also important to compare the URLs in an email with the legitimate company's or organization's domain and to be cautious of offers that seem too good to be true. Additionally, individuals can install cybersecurity products with anti-phishing tools for added protection.
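The sender-domain, urgency and link checks described above can be automated for triage. The following is an added example, not code from the original article: the sample message is constructed, and the `red_flags` and `host_matches` names, the urgency word list and the single-part message format are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: session-expired lure with a lookalike host (reserved .test TLD).
PHISH = """From: "Example Support" <security@example.com.account-check.test>
Subject: Your session has expired
Content-Type: text/html

<p>Sign in again immediately to keep your account.</p>
<a href="https://example.com.account-check.test/login">https://example.com/login</a>
"""

# Assumed wording list for the "urgent or threatening" red flag; tune per mailbox.
URGENCY = re.compile(r"\b(urgent|immediately|expired|suspended|final notice)\b", re.I)

class HrefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # real link targets, not the text shown to the reader
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def host_matches(host, legit_domain):
    # Exact domain or a true subdomain; "example.com.evil.test" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == legit_domain or host.endswith("." + legit_domain)

def red_flags(raw_email, legit_domain):
    """Red flags in a single-part email that claims to come from legit_domain."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    flags = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not host_matches(sender_host, legit_domain):
        flags.append("sender-domain-mismatch")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgent-language")
    collector = HrefCollector()
    collector.feed(body)
    if any(not host_matches(urlsplit(h).hostname, legit_domain) for h in collector.hrefs):
        flags.append("link-domain-mismatch")
    return flags

if __name__ == "__main__":
    print(red_flags(PHISH, "example.com"))
```

The link text in the sample shows the genuine address while the `href` points elsewhere, which is why the check reads the `href` and compares the whole hostname suffix instead of searching for the brand name inside it.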

Phishing emails pose a significant threat, and even IT professionals can fall victim to them. By staying vigilant and following these precautions, individuals can reduce their risk of becoming a phishing target.
