Don't be the weakest link in surging phishing attacks

By Sairam T A, enterprise analyst, ManageEngine.

  • 1 month ago Posted in

Cyberattacks hit the UK hard over the past year. Reported cases of fraud more than doubled to £2.3 billion in 2023—a figure fuelled by online scams, phishing attacks, and system breaches—according to BDO UK.

Phishing remains the most common initial attack vector, which shouldn't be surprising; after all, phishing attacks are one of the least expensive attacks to launch, yet they generate huge payouts. And opportunities for phishing fraud have greatly increased due to wider access to AI technology, which makes cyber risks harder to control. Barclays Bank warned in 2023 that 70% of scams now happen on social media, online marketplaces, and dating apps. And Martin Lewis, Currys, and BBC have all recently been impersonated in online phishing scams. Law enforcement has indicated that there's been an increase in smishing (SMS phishing), impacting shipping companies and many other industries. Missed delivery texts are a common scam tactic; phishers often pretend to be from UPS, Evri, and the Post Office. And HMRC has warned about bogus tax refund offers being sent over text and email, reporting 207,800 referrals of suspicious contact over the past year, particularly in response to the Self Assessment tax deadline in January.

Why phishing thrives today

Phishing is the most common initial attack vector today because it helps bad actors access a network and search for sensitive data in order to conduct an attack at a later stage. It's popular, at least in part, because it's cheap to conduct. An entire phishing campaign, including a phishing kit and hosting, can cost as low as £40. Also, phishing is easily scalable because every employee is a potential target. In an organisation with thousands of employees, one oversight by an individual can bring the entire organisation down. Remember, an organisation's security is only as strong as its weakest link.

Novel phishing attack types have emerged

Phishing attacks using novel tactics are rising, such as malicious QR codes embedded in phishing emails. What's more, generative AI threatens to make phishing attacks more dangerous. For example, the infamous CL0P Ransomware Gang is known to have used Truebot. Such threat actors are leveraging phishing campaigns with malicious redirect hyperlinks to deliver new Truebot malware variants. Recently, we’ve also seen the rise of QBot Trojan attacks—with new variants discovered in January. This type of attack comes in the form of an email with context-aware information. These emails will contain an attachment or a link from a supposedly trusted source, prompting you to download or open a file, or enter your credentials. A single click triggers a malware download, and subsequently, your system or network will be hacked. If the file contains obfuscated data acting as window dressing, it can go unnoticed by your organisation's security team. This attack is also conducted on reply-chain emails, which often lends to the credibility of the email.

Unfortunately, the novel forms of attacks keep coming. Domain impersonation and business email compromise attacks have seen a spike. A small tweak to a familiar-looking domain of your organisation—along with the display name of a current employee—can trick you into thinking that a malicious request is legitimate. 

Phishers also keep improvising. The unsubscribe malware scam is a new phishing tactic that you should be wary of. After you click the unsubscribe button of a fraudulent email, the bad actor learns that the email address is active, making you a target of further phishing emails. The unsubscribe link might also lead to a website that downloads malware onto your system. It’s worth noting that the best way to deal with unsolicited emails is to mark them as spam, delete them, or block the sender—don't directly interact with the email's contents.

How to prepare for tomorrow

While there are numerous ways to safeguard your digital enterprise, here are my top-four tips.

1. Train employees to recognise phishing attempts. Have a red team in your organisation to identify vulnerabilities, play the role of an attacker, and periodically simulate attacks. Awareness training can inculcate good habits, such as taking a step back and inspecting anything unusual received over email, SMS, or a phone call. If you receive an email from a legitimate source asking you to do something urgently, it is always best to reach out to the sender separately to confirm the message.

2. Deploy phishing-resistant MFA. Unauthorised access can be prevented by using phishing-resistant MFA. These apps require an additional layer of authentication, such as a passkey that can only be accessed with your face ID or fingerprint.

3. Use UEBA and SOAR for proactive detection and response. A SIEM tool equipped with user and entity behaviour analytics (UEBA) profiling will help you spot anomalies. The user behaviour variables are customisable; they can be based on time, event patterns, and the number of events triggered. ML-driven security orchestration, automation, and response (SOAR) capabilities will automatically execute workflow profiles and assign tickets to security admins to quickly remediate a phishing attack.

4. Monitor privileged users. Privileged users are the most vulnerable to spear phishing because of their access to sensitive information. Ensure you follow the principle of least privilege, train privileged users to exercise caution, and have visibility into privileged user account activities.

Today, phishing thrives on social engineering, so it's vital to stay vigilant, especially if you have privileged access to your network. Trust your gut instinct if you do find anything out of the ordinary, then take a step back and analyse the situation. Don't be the weakest link in this rapidly changing realm of cyberthreats. It is high time that organisations become more cyber-aware and take cybercriminals head on.

By Ciaran Luttrell, Head of Security Operations Centre EMEA, eSentire.
By Jon Lucas, co-founder and director of Hyve Managed Hosting.
By Emmanuel Routier, VP Smart Industries, Orange Business.
By Niall McConachie, regional director (UK & Ireland) at Yubico.
By Karl Mattson, Field CISO at Noname Security.
By Frank Catucci, CTO and Head of Security Research, Invicti Security.