Phishing is moving away from email and going where?
Over the past several years phishing has continued to evolve. While many of the emotional lures used to get people to fall victim remain the same (covered in more detail below), we have seen changes in both cyber attacker modalities and goals.
Modalities: Traditionally, phishing was done through email. However, we have seen a shift where messaging technologies are also being used, including Apple’s iMessage, WhatsApp and standard SMS functionality. Text-message phishing attacks have become increasingly popular because many phones lack any type of filtering capability, which means scams and attacks are far more likely to get through.
Goals: Traditionally, the goal of cyber attackers with phishing attacks was to install malware on the victim’s computer. However, malware infections are becoming easier and easier for security teams to detect, so that approach has radically changed.
Gaining Passwords: Phishing is used to get victims to click on a link that takes them to a website that harvests their passwords. Once an individual’s credentials are stolen, cyber attackers can cause a great deal of damage while operating undetected.
Getting People on the Phone: An increasing number of phishing attacks have no link or attachment, only a phone number as their point of attack. The cyber attacker’s goal is to get the victim to call a phone number. Once the victim is on the phone, cyber attackers will use stories and emotion to pressure people into taking actions, such as giving up their passwords, purchasing gift cards or transferring money from their bank accounts to accounts controlled by the attacker.
Scams: Many phishing emails have no link or attachment. Instead, the messages are often very short and impersonate someone the victim knows or trusts, such as their boss, a co-worker or a vendor they work or shop with. BEC (Business Email Compromise) or CEO Fraud attacks are a common example: cyber attackers send an urgent email to a specific individual in accounts payable while pretending to be a very senior executive, pressuring the individual to approve an invoice or payment. The accounts payable person believes they are doing the right thing, not realizing they are approving a payment to cyber criminals.
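For teams that triage reported messages, the three goals above map to different signals: a link, a phone number with no link or attachment, or a short, urgent note under a trusted name from an outside address. The sketch below is an added example, not part of the original article; the domain, trusted-name list, keyword list, word limit and sample messages are all assumptions constructed for illustration.

```python
import re

# Assumed values for illustration: the organisation's mail domain and the
# display names of people whose identity is worth impersonating.
ORG_DOMAIN = "corp.test"
TRUSTED_NAMES = {"pat example"}

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Loose phone matcher (9+ characters of digits and separators). It also matches
# things like ISO dates, so a hit is a reason to review, not a verdict.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")
PRESSURE_RE = re.compile(
    r"\b(urgent|immediately|asap|gift cards?|wire|invoice|payment|transfer)\b", re.I)
SHORT_BODY_WORDS = 60  # assumed cut-off for "very short"


def triage(msg):
    """Return review flags for a dict with from_name, from_addr, body, attachments."""
    body = msg["body"]
    has_url = bool(URL_RE.search(body))
    bare = not has_url and not msg["attachments"]  # no link, no attachment
    flags = []
    if has_url:
        flags.append("link-review")        # may lead to a password-harvesting site
    if bare and PHONE_RE.search(body):
        flags.append("callback-review")    # a phone number is the only point of attack
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    spoofed_name = (msg["from_name"].strip().lower() in TRUSTED_NAMES
                    and domain != ORG_DOMAIN)
    if (bare and spoofed_name and PRESSURE_RE.search(body)
            and len(body.split()) <= SHORT_BODY_WORDS):
        flags.append("bec-review")         # short, urgent, trusted name, outside address
    return flags


# Constructed sample messages (not real traffic).
SAMPLES = [
    {"from_name": "Parcel Service", "from_addr": "noreply@sms.test", "attachments": [],
     "body": "Your package is on hold. Sign in at https://example.test/login"},
    {"from_name": "Billing Team", "from_addr": "billing@mail.test", "attachments": [],
     "body": "Your subscription renewed for $399.99. To cancel, call +1 (555) 010-0199."},
    {"from_name": "Pat Example", "from_addr": "pat.example@mail.test", "attachments": [],
     "body": "I need this invoice paid today. It is urgent and I am in a meeting."},
    {"from_name": "Pat Example", "from_addr": "pat@corp.test", "attachments": [],
     "body": "Lunch at noon?"},
]
```

Flags like these only route a message to a human reviewer; a display name matched against a list says nothing about a compromised internal account, which still needs out-of-band payment verification.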