Phishing has been around for over 25 years. You'd think it would have given way to another form of attack by now, but it has only become more commonplace. According to the Anti-Phishing Working Group's Phishing Activity Trends Report, APWG observed 1,025,968 total phishing attacks in the first quarter of 2022. That's the worst quarter we've ever seen when it comes to phishing.
What's going on here? Why is phishing still so ubiquitous after all these years, and what can we do to protect ourselves? Here's why phishing remains such a potent form of attack, why we keep falling for it, and how to prevent yourself from getting hooked.
Why people keep falling for phishing scams
Phishing works because it triggers an instinctive and powerful human psychological response. Phishing messages often try to alarm us, for example by warning us that we're in trouble with the IRS or claiming that we've sent naughty pictures to someone on the internet and have been found out. Hackers use these scare tactics to create a false sense of urgency in the hope that we'll take action before thinking too carefully about what's actually going on.
Hackers also use our trust in people we know to deceive us in phishing attacks. For example, it's not uncommon to get a Facebook friend request from someone you're already friends with there. If you accept the request without making sure it's legitimate, you could end up inadvertently inviting a fraudster into your digital life.
This deception can show up at work, too. CEO fraud and business email compromise (BEC) scams typically involve a cyber criminal posing as the company's CEO or chief financial officer, demanding via email that an employee further down the organizational chart quickly provide them with sensitive financial account information. The message looks authentic and no one wants to disappoint the boss, so the employee feels pressure to grant the request immediately.
Cyber criminals also pay close attention to trends like the rise in remote work, knowing full well that as the boundaries between our work and personal lives become increasingly blurred, we may be less vigilant in screening the communications we receive. And as the technology we use has evolved, hackers have quickly adapted their attacks to keep up with the times.
How phishing has evolved
According to Computerworld, the term 'phishing' was coined back in 1996. At that time, hackers were using phishing attacks to steal America Online passwords and log into users' accounts without their knowledge. Not long after that, unsuspecting internet users began receiving dodgy phishing emails en masse. In time, almost everyone had received a phishing email or at least knew how to identify one. The hackers had no choice but to move on, so they cast an even wider net.
These days, a phishing attack may arrive via almost any digital channel you can think of. There's vishing, in which fraudsters call you and leave suspicious voicemails; smishing, in which cyber criminals send you cryptic texts that encourage you to click on malicious links; and social media phishing, in which they simply slide into your direct messages (DMs), sometimes posing as an official account, other times pretending they're people you know.
According to Dark Reading, cybersecurity firm Malwarebytes recently discovered that some hackers were sending Twitter users DMs saying that their accounts had been flagged for hate speech and demanding that the users authenticate their Twitter accounts on the spot to avoid suspension. If the Twitter users clicked on the link provided, they were directed to a fake Twitter help center web page where they were encouraged to enter their account credentials. Once they complied, the hackers had all the information they needed to log into their victims' Twitter accounts.
Even Discord, an instant messaging platform that was originally popular with gamers and software developers before enjoying more widespread adoption among regular internet denizens, isn't immune to phishing attacks. Some Discord users have received messages from friends or strangers accusing them of sending explicit photos. To prove that it wasn't them, these Discord users are invited to click on a web link and provide a QR code that then allows malicious actors to commandeer their accounts.
Tips for preventing phishing attacks
Phishing is unsettling, and it just keeps coming. Unlike before, when phishing was limited to email, now you have to keep an eye out for it on nearly every digital channel you use. You can keep yourself secure from phishing scams with a little bit of know-how, though. Here are some tips for doing just that.
- Keep an eye on all digital channels. Cyber criminals will use any and all platforms, including Twitter and now Discord, to target their potential victims. As Gizmodo reports, even LinkedIn isn't safe. With that in mind, keep your guard up wherever you might be sending and receiving messages online.
- Stay vigilant while working from home. When you're in comfortable surroundings, it may be easy to forget that a phishing message could still easily show up in your work email or one of your social accounts. If you see a suspicious message come in, take a beat and decide whether it's legitimate before acting on it.
- Verify messages from people you know. If you get a message from someone you know and it seems slightly off, reach out to them using a separate communications channel to confirm if they actually sent it. (The same goes for messages from institutions like banks and the IRS.) If you see a friend request come in from someone you're already friends with on the same social network, follow the same rule of thumb.
- Use a password manager to spot phishing sites. Sometimes phishing messages and the sites they link to look like the real deal. If you use a password manager to securely store your passwords, check to see if it recognizes the site and fills that information for you. If it doesn't auto-fill anything on your behalf, that may be a sign you're dealing with a phishing attack.
- Be careful with MFA prompts you don't recognize. If you receive a notification via a multi-factor authentication (MFA) tool that someone is attempting to log into one of your accounts, your antennae should go up. If it wasn't you, don't grant the login request. And if there's no option to grant or deny the login request, change your password for that account straight away.
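The password-manager tip above works because a manager binds each saved login to the hostname it was saved for and refuses to fill on any other host, however convincing the page looks. The following Python snippet is an added example, not code from the original article or from any particular password manager: it reproduces that matching rule over a constructed vault and checks it against made-up lookalike addresses (the `.example` hosts and usernames are placeholders). It also refuses to fill on plain `http://` pages, as most managers do.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault for the example: the host a login was saved for -> username.
# Assumption: entries are plain hostnames, no wildcards or per-path rules.
VAULT = {
    "twitter.com": "alice",
    "discord.com": "alice#1234",
}


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of an https URL, or None for anything else.

    urlsplit() takes the hostname from *after* any '@', so a URL like
    https://twitter.com@evil.example/ resolves to 'evil.example', not 'twitter.com'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def matches(saved_host: str, page_host: str) -> bool:
    """True only if page_host is saved_host itself or a subdomain of it.

    The leading dot is the whole point: 'help.twitter.com' matches 'twitter.com',
    but 'twitter.com.help-center.example' and 'nottwitter.com' do not.
    """
    return page_host == saved_host or page_host.endswith("." + saved_host)


def autofill_candidate(url: str) -> Optional[str]:
    """Return the username the manager would offer for this page, or None.

    None on a page that claims to be a known site is the warning sign the
    article describes: the manager does not recognise the host.
    """
    host = host_of(url)
    if host is None:
        return None
    for saved_host, username in VAULT.items():
        if matches(saved_host, host):
            return username
    return None


if __name__ == "__main__":
    # Constructed sample pages: two real-looking logins and four lookalikes.
    for page in (
        "https://twitter.com/login",
        "https://help.twitter.com/",
        "https://twitter.com.help-center.example/login",
        "https://twitter.com@evil.example/",
        "https://nottwitter.com/",
        "http://twitter.com/login",
    ):
        print(f"{page:50} -> {autofill_candidate(page)}")
```

The no-fill result on the last four pages is exactly the behaviour the tip relies on: the manager has nothing to offer because the hostname is not one it has a login for, no matter how much of the real site's name appears in it.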