The phishing threat landscape is changing as we head into 2023. Here’s what business owners need to know.
Phishing attacks, which involve the use of malicious online content to steal information, have been around for years now. However, phishing has become much more popular over the past few years. Businesses need to take steps to stay secure and protect their customers. Here’s a look at the top phishing attack trends and emerging tactics going into 2023.
Two particular trends are on the rise in hacking circles that business owners need to be aware of. Ransomware as a service, or RaaS, is making it much easier for amateur hackers to launch sophisticated attacks, which frequently start with a phishing attack. In the RaaS model, more skilled hackers develop ransomware programs that other hackers can use for a certain fee, typically a percentage of the profits from the attack.
Initial access brokers, or IABs, are hackers who focus specifically on sneaking into businesses’ networks and stealing login credentials. They can then sell these credentials to other hackers for use in phishing campaigns and ransomware attacks.
These two trends combined pose a serious risk for businesses in the year ahead because they reduce the effort required to launch a cyberattack. IABs make phishing much more dangerous: hackers can simply buy a stolen, legitimate email login and use it to send malicious mail that can get through spam filters because it comes from a real email address.
In fact, amateur hackers employed this exact strategy in numerous successful data leaks on Apple and Meta – Facebook’s parent company – in 2021.
The hackers in this case used stolen email credentials to send big tech companies “emergency data requests” which are usually only available to law enforcement officials in urgent emergency situations. Personnel at Apple and Meta had no way of knowing the email accounts sending the requests were compromised and handed over the requested user data.
To defend against these threats, business owners must ensure they are utilizing some kind of identity and access management system. Network monitoring and multi-factor authentication can also help protect employees’ accounts from unauthorized access.
Be wary of emails requesting any kind of data, as well. Wherever possible, verify the legitimacy of any emails like this through a known and trusted channel (not a reply to the potentially suspicious email).
Phishing methodology has changed over the past year, shifting the landscape in 2023. For example, many phishing attacks are exploiting the war in Ukraine to get victims to open malicious emails. The phishing messages will have subject lines like “Donations for Ukraine” and bet on victims’ humanitarian desire to help those in need.
Another social engineering trend is the rising threat of fake websites. Also called “lookalike” websites, these pages are copies of legitimate websites designed to steal users’ credentials and information without them noticing. Usually, lookalike websites will look and feel almost exactly like the real thing, but with a slight difference in the domain name. They may also pose as “outlet” or “clearance” partner sites to legitimate websites. Lookalike websites are often hidden behind ads for the legitimate business that send customers to the fake website when they click on the ad.
Lookalike website phishing attacks pose a unique threat to businesses. On one hand, businesses could fall victim to a lookalike website themselves, such as a fraudulent supplier’s website. On the other hand, a business’s own website could be used to create a malicious lookalike site to exploit its customers.
Defending against lookalike websites can be tricky. Business owners can use security plugins and security features on their websites to help prevent content theft and unauthorized access.
Another tactic is to buy a number of domain names that are similar to the business’s actual domain but with a one- or two-letter difference. For example, a coffee shop called Green Tea Coffee might buy the fake domains “greeenteacoffee”, “greenteaacoffee” and “greenteacofffee” in addition to their actual domain name. This prevents phishing hackers from buying these subtly different domain names to use in lookalike website attacks.
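The one- or two-letter difference described above can be checked mechanically. The following is an added example, not code from the original article: it lists single-letter doublings and omissions of a brand name as candidates for defensive registration, and flags observed domains that sit within two edits of the brand. The `.example` domains, the function names and the observed list are constructed for illustration, and the label extraction assumes a single-label TLD.

```python
# Added example (not from the original article). Sample domains are constructed.

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped neighbours
        prev2, prev = prev, cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumption: single-label TLD (no co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def defensive_variants(label: str) -> list[str]:
    """One-letter doublings and omissions: candidates for defensive registration."""
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + ch + label[i:])   # doubled letter
        out.add(label[:i] + label[i + 1:])    # dropped letter
    out.discard(label)
    return sorted(out)

def flag_lookalikes(observed: list[str], brand: str, max_distance: int = 2):
    """Return (domain, distance) for domains 1..max_distance edits from brand."""
    target = registrable_label(brand)
    hits = []
    for domain in observed:
        d = osa_distance(registrable_label(domain), target)
        if 0 < d <= max_distance:
            hits.append((domain, d))
    return hits

BRAND = "greenteacoffee.example"
# Constructed list standing in for domains seen in mail logs or ad referrers.
OBSERVED = ["www.greenteacoffee.example", "greeenteacoffee.example",
            "greentaecoffee.example", "shop.grenteacofee.example",
            "blackteacoffee.example"]

if __name__ == "__main__":
    print(len(defensive_variants(registrable_label(BRAND))), "variants to consider")
    for domain, d in flag_lookalikes(OBSERVED, BRAND):
        print(f"{domain}: {d} edit(s) from brand")
```

A domain that matches the brand label exactly but under a different TLD has distance 0 and is not flagged here, so those need a separate review.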
Phishing attacks can occur at any time of year and hit any kind of business. However, trends going into 2023 point to particular times of the year when the risk of a phishing attack is higher.
The U.S. FBI and CISA have issued warnings for holiday surges in cybercrime, particularly phishing. Hackers take advantage of increased traffic on everyone’s credit cards and websites to sneak in and steal personal information, such as login data and credit card numbers.
Additionally, throughout 2022, the targets hit most often by phishing attacks have been shifting. While retail and e-commerce businesses were popular targets in previous years, financial sector organizations have become the new prime target for phishing. As mentioned above, it does not help matters that RaaS and IABs are also on the rise.
Both of these trends mean business owners must be more vigilant in 2023, particularly at certain times of the year and in specific industries. During the holiday season, business owners may want to consider sharing cyber safety resources with their customers. It may even be a good idea to run holiday sales early to reduce the risk of customers falling victim to phishing attacks.
As 2022 draws to a close, business owners can prepare for 2023 by understanding emerging and trending phishing risks. Protecting businesses and customers from phishing attacks is all about awareness and preparation. Hackers are betting on people overlooking red flags or making careless mistakes. Businesses can stay secure in 2023 by protecting their website from fraud and taking steps to reduce cyber risks for customers.