As phishing attacks rise, knowledge of common phishing trends is the greatest weapon to combat them
While fewer organizations reported a successful phishing attack in 2023 than in 2022, the consequences of the attacks that do succeed are soaring: Proofpoint’s 2024 State of the Phish report found a 144% increase in financial penalties and a 50% increase in reputational damage year over year. Scammers’ toolkits are also expanding with easily accessible AI, which makes malicious emails harder to spot and easier to fall for. Arming personnel with knowledge of current phishing trends, what attacks to expect and how to spot them is the best way to keep these attacks from affecting your organization.
There are two types of attacks that Facility Security Officers (FSOs) need to be aware of: non-targeted and targeted attacks. Non-targeted attacks are generic and could be sent to anyone, like a call claiming there’s an issue with your car’s extended warranty. Employees should report these to their FSO when they receive them, and to their IT department if they clicked any links or downloaded anything from the scam, but the FSO doesn’t necessarily need to pass that report on to their Industrial Security (IS) representative.
Targeted attacks are aimed at the organization specifically. These could be emails claiming to be from accounting, saying the recipient needs to update their bank account information or risk missing their next direct deposit. The FSO should always report these attacks to the IS rep. While some are simply a more sophisticated financial scam, the goal may be stealing proprietary or classified information from the company.
Currently, common ways scammers will try to reach their victims are emails, text messages, social media and phone calls. Different types of attacks will have different tactics and indicators you and your employees will need to learn to catch.
Types of Phishing
Email Phishing
Email remains one of the main ways scammers try to contact people. Common non-targeted attacks include messages from companies with slightly misspelled names, like “amazonn,” claiming there’s an issue with your billing, and attacks related to student loan debt relief. Targeted attacks may be harder to spot, especially when they come from an address only a letter off from your company’s domain. One common scam is a message claiming to be from HR, saying the recipient has been accused of sexual harassment, with a link to schedule an appointment to discuss the accusation. Personnel may also receive an email from someone pretending to be company leadership, like the CEO, asking them to buy digital gift cards on their behalf.
There are a few ways you can spot these fake emails. The first step is always to check the actual address of the sender, not just the display name, since the name shown in your mail client is free text the sender can set to anything. Sometimes the address is completely different from what it should be: if your CEO is named Mark Wright but the email comes from a John Doe mailbox, it’s easy to tell this isn’t from who it claims to be. Other times there’s a small typo, like a repeated letter that shouldn’t be there. If the email is coming from Wallmart instead of Walmart, it’s a phishing scam. Many grammatical or spelling errors are also a common indicator of a fraudulent email, though a well-written message is not proof of a legitimate one. If logos are used, they may be a mirrored version of the company’s logo or the wrong color.
Text Phishing
This is also known as smishing, or SMS phishing. These scams come in forms like a claim that there’s an issue with your Netflix billing or that you’ve won a gift card. You may also see targeted attacks similar to the CEO email scam, where an unknown number sends a message claiming to be the company CEO and asking for information or money in some form.
Watch for any texts that want you to click a link to a secondary site. If you don’t recognize the sender, always be wary of any links. If the text claims to come from a company with a billing issue, or from your bank saying your account is overdrawn, open the company’s app or type its website address into your browser yourself rather than clicking the link, since scammers build realistic-looking login screens to steal your credentials. If there actually are any issues with your accounts, they’ll be visible on the company’s own site. Messages sent at odd hours, like the middle of the night, are also suspicious. A company won’t be trying to reach you about your billing at midnight.
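The sender-address and link checks described here and in the email section above, written out as a small Python triage script. This is an added example, not code from the original article: the trusted-domain list, the hypothetical company domain acmecorp.com, the hostname example.net and the sample messages are all constructed for illustration. It flags a lookalike sending domain (wallmart vs walmart, amazonn vs amazon, or one letter off from your company’s domain), a display name that doesn’t match the mailbox it came from, a display name that borrows a brand the address doesn’t belong to, and links that lead somewhere other than the brand the message invokes.

```python
"""Heuristic triage for a suspicious email or text message.

Added example, not from the original article. The trusted-domain list, the
hypothetical company domain acmecorp.com and the sample messages below are
constructed for illustration.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Domains this organization actually corresponds with: your own company domain
# plus the vendors and services employees legitimately hear from (constructed).
TRUSTED_DOMAINS = {"acmecorp.com", "walmart.com", "amazon.com", "netflix.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
FROM_RE = re.compile(r"\s*(?:\"?([^\"<]*?)\"?\s*)?<([^>]+)>\s*$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Reduce mail.acmecorp.com to acmecorp.com. Keeping the last two labels is
    fine for .com-style names; two-part public suffixes (co.uk) need a suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brand(domain: str) -> str:
    """The name part of a domain: 'wallmart' for wallmart.com."""
    return domain.split(".")[0]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates. A doubled letter (wallmart),
    a dropped or swapped letter, or 'rn' standing in for 'm' all land within two
    edits. An exact match is trusted, not flagged; names under four characters
    are skipped because almost everything is within two edits of them."""
    if domain in TRUSTED_DOMAINS or len(brand(domain)) < 4:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(brand(domain), brand(trusted)) <= 2:
            return trusted
    return None


def parse_from(header: str) -> Tuple[str, str]:
    """Split 'Mark Wright <john.doe@gmail.com>' into (display name, address).
    A bare address or an SMS phone number comes back with an empty display name."""
    m = FROM_RE.match(header)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def triage(from_header: str, body: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing tripped."""
    findings: List[str] = []
    name, addr = parse_from(from_header)
    if "@" in addr:
        local, _, host = addr.rpartition("@")
        sender_domain = registrable_domain(host)
    else:
        local, sender_domain = "", ""  # SMS: the sender is a phone number

    # 1. Lookalike sending domain (Wallmart, amazonn, one letter off from acmecorp).
    imitated = lookalike_of(sender_domain) if sender_domain else None
    if imitated:
        findings.append(f"sender domain {sender_domain} looks like {imitated}")

    # 2. Display name borrows a trusted brand but the mail comes from elsewhere.
    for trusted in sorted(TRUSTED_DOMAINS):
        if brand(trusted) in name.lower() and sender_domain != trusted:
            findings.append(f"display name claims {brand(trusted)} but address is @{sender_domain}")

    # 3. 'Mark Wright' in the display name, 'john.doe' in the mailbox, from an
    #    untrusted domain: the name shown in the mail client is a free-text field.
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if len(t) >= 3]
    if sender_domain not in TRUSTED_DOMAINS and tokens and not any(t in local for t in tokens):
        findings.append(f"display name '{name}' does not match mailbox '{local}'")

    # 4. Links: a lookalike host, or a host that is not the brand the message invokes.
    mentioned = {brand(t) for t in TRUSTED_DOMAINS if brand(t) in (name + " " + body).lower()}
    for url in URL_RE.findall(body):
        link_domain = registrable_domain(urlparse(url).hostname or "")
        imitated = lookalike_of(link_domain)
        if imitated:
            findings.append(f"link {url} goes to {link_domain}, a lookalike of {imitated}")
        elif mentioned and brand(link_domain) not in mentioned:
            findings.append(f"message mentions {', '.join(sorted(mentioned))} but link goes to {link_domain}")
    return findings


# Constructed sample messages in the shapes the article describes.
SAMPLES = [
    ("Mark Wright <john.doe@gmail.com>",
     "Are you at your desk? I need you to buy some digital gift cards for me today."),
    ("Walmart Billing <billing@wallmart.com>",
     "There is a problem with your order. Update your payment details at https://wallmart.com/account"),
    ("+1 555 010 0199",
     "Netflix: your payment failed. Restore access: https://netflix-billing.example.net/login"),
    ("Netflix <info@netflix.com>",
     "Your monthly statement is ready: https://www.netflix.com/account"),
]

if __name__ == "__main__":
    for from_header, body in SAMPLES:
        print(from_header)
        for finding in triage(from_header, body) or ["no indicators tripped"]:
            print("  -", finding)
```

The script is deliberately a heuristic, not a verdict: the first three samples each trip at least one check, the genuine Netflix statement trips none, and a message that passes every check still deserves the article’s advice of going to the company’s site directly. The edit-distance threshold of two catches doubled, dropped and swapped letters as well as the “rn” for “m” trick, but it will also flag legitimate short brand names that happen to be near each other, which is why the trusted list should be the vendors your organization actually deals with rather than every company on the internet.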
A scam known as pig butchering has also become commonplace in recent years. It begins seemingly innocently with an apparent wrong number text. If the recipient responds, the sender will continue the conversation and try to build a relationship. This scam moves slowly, building long-term trust with the victim and eventually convincing them to invest in a cryptocurrency scam where their money is stolen. These types of scams are also commonly begun on dating apps. The name comes from the idea of “fattening up” the victim by slowly building trust before stealing from them.
Social Media Phishing
Similarly, be wary of strange messages on social media. Scammers take over people’s accounts and send messages to their friends, which makes the message seem legitimate because it comes from someone you know. If someone you haven’t talked to in a while reaches out with a message like “can you believe this person got arrested?” and a link to click, do not engage with it; if you want to check, contact the person through a different channel, like a phone call. Those with a high-level clearance may also face targeted honeypot attacks on social media, where attractive people attempt to seduce them to steal information.
Phone Call Phishing
Vishing, or voice phishing, is another common type of attack to watch for. You may receive a call about your car’s extended warranty or telling you there’s a warrant out for your arrest. If an unknown number that your phone doesn’t flag as potential spam pops up and you aren’t expecting a call from anyone outside your contacts, it’s best to let it go to voicemail. Keep in mind that caller ID can be spoofed, so a number that looks local or appears to belong to a real company proves nothing. If they leave a voicemail and it’s either a robocall or in a language you don’t speak, you can mostly assume it’s a scam.
If you receive an email, text or phone call that you’re not sure is a scam and it tells you something you’re concerned about, like that you’re wanted for tax fraud or that there’s an issue with your bank, don’t engage with the potential scam. Check your accounts and contact your bank, local law enforcement or the relevant party directly, using a phone number from your card, a statement or the organization’s official website rather than one supplied in the message. It’s better to take 10 minutes to find out whether you actually have something to be concerned about than to end up dealing with a stolen identity for months or years.
AI voice tools are also enabling phone scams that clone the voice of someone in your life and use it to fool you. Callers may do this to ask for personal information or money. In more extreme cases, they will fake a threatening situation, like a loved one being kidnapped, to apply pressure and force you to respond before you can realize it’s a scam. When in doubt, hang up and call the person back on a number you already have, ask questions only the real person could answer, or agree on code words in advance that your loved ones would use in such a situation to prove their identity.
The Evolution of Phishing Trends and What to Expect in the Future
With the current economic downturn, attacks that threaten people’s finances in some way, like a faked claim that an account is overdrawn, are more likely to occur. When people are under financial stress, they are more likely to engage with an email claiming their money is at risk than they would be otherwise. As the State of the Phish report found, financial loss as a result of phishing attacks has increased significantly since last year.
AI is also a new threat that could lead to more sophisticated phishing attacks at a higher volume, according to Forbes. With tools like ChatGPT, phishers can create a message in seconds that lacks the grammatical and spelling errors many scams currently have, so the “bad grammar” tell becomes less reliable. When a message takes only seconds to write, they can produce far more of them. They can also feed the model examples of past scams that tricked a high volume of people in order to consistently create more effective attacks. However, AI can also be used in combating phishing through AI-powered tools trained to distinguish legitimate senders and emails from illegitimate ones.
Training will always be the greatest defense against phishing. The State of the Phish report found a large knowledge gap in many organizations, with only 53% having a security awareness program that trains all their employees. Even employees who know which actions are risky may not act on that knowledge: 71% of those surveyed reported having taken a risky action, and 96% of those did so knowing it was risky. Training needs to aim not only to educate but also to change behavior. Organizations that fall prey to phishing scams pay a major price, whether monetary or informational. Proper training is a necessity for all employees, regardless of their role.
If you’re looking for help with training for your cleared facility, Adamo can help. Our FSO support services can run your trainings or help you manage the more tedious parts of your job so you can focus on improving your facility’s security.
Originally Published April 2023. Updated to reflect current trends and statistics.