Cunning phish are on the rise, according to industry experts at Microsoft. Additionally, phishing attacks continued to be the top attack vector through 2018. While ransomware attacks have decreased by 60% since 2017, the cleverness of phishing attacks has been increasing. Don’t fear, there is still plenty of truly-cringeworthy phish assaulting your network, but you should be on the lookout for new, more thoughtful phishing attacks in 2019. As our industry’s defenses strengthen over time, malicious actors must seek new and inventive ways of targeting and exploiting our users. Some of these new phishing attacks do just that very effectively.
2019’s New Phishing Attacks
In the past, phish sent for financial gain were pervasive and popular, but now criminals are going for something even more valuable: your business. Over the course of 2019, be prepared to see an increase of phish targeting SaaS credentials over financial information. Phishing emails will appear in the form of Dropbox, Slack, G-suite, or Office 365 login pages, and the attackers are hoping to gain persistent access to an aspect of your network.
Additionally, 2019 will bring with it an increase in malicious payloads deployed through shared file services. As most email systems will scan for malicious links in an email, attackers are now using these trusted URLs to execute their attacks. Combine a malicious DropBox link with the above attack, where the criminal may have access to one of your user’s accounts, and this is a recipe for disaster for enterprise environments.
Finally, be on the lookout for more business email compromise phish, where a malicious actor begins an email exchange with an innocuous email to a key stakeholder in your organization. Once the exchange begins, the attacker’s foothold is in place and they will begin to grow the relationship. This type of phishing attack can be used in tandem with other social engineering attacks, such as vishing. Social-Engineer, LLC’s CEO, Chris Hadnagy, explains that many enterprises are feeling increasingly confident in their security postures due to strong firewalls and IPS. However, the evolution of industry security is matched by the evolution of the attackers’ means and mindset.
How can you defend against new phishing attacks?
There are strategies to protect your network against ever-evolving phishing threats:
- Education: Test and train all of your employees. Your employees are a valuable line of defense between your enterprise environment and the criminals’ goals. Ensure regular testing and training of all your internal users so that when the attackers inevitably circumvent security protocols, your users’ education can be a strong line of defense.
- Password Managers: Implement enterprise-wide password managers. This allows for strong, unique passwords to be made for every login an employee uses, and the password managers will auto-populate credentials in known, verified websites and not fraudulent links. However, with this be sure your employees are trained to always navigate directly to the password manager to log in and never follow a link in an email to the alleged login page. Be sure that the master passwords to these managers are always safe and secure which is most effectively done through education.
If you need assistance strategizing, improving, or implementing your enterprise-wide phishing education and awareness programs, be sure to get in touch. We are here to help! Social-Engineer, LLC are the only social engineering experts offering fully-managed phishing programs for your enterprise using our patented Phishing-as-a-Service (PHaaS®) methods.
Sources:
https://www.darkreading.com/attacks-breaches/phishing-attacks-evolve-as-detection-and-response-capabilities-improve-/d/d-id/1334109
https://www.forbes.com/sites/forbestechcouncil/2019/01/10/four-phishing-attack-trends-to-look-out-for-in-2019/
https://www.darkreading.com/endpoint/whos-at-greatest-risk-for-bec-attacks-not-the-ceo/d/d-id/1332711
http://www.www.social-engineer.com/not-all-phishing-programs-are-created-equal/
http://www.www.social-engineer.com/phishing-as-a-service-phaas/
