Phishing in 2019: Trends and Research

No matter how much cybersecurity improves over the years, there will always be a highly vulnerable element: Humans

As long as we rely on passwords for security, malicious actors will target individuals with social engineering, and some percentage of these attacks will inevitably succeed. Phishing attacks, in particular, are pervasive, and improving awareness won’t be enough to completely stop all attacks. Recent research and major attacks show just how common the problem is.

In the 2018 iteration of its Spam and Phishing report, Kaspersky Lab noted the rise in phishing attacks compared to Q2. As one of the global leaders in security solutions, Kaspersky Lab is at the forefront of detecting and halting attacks, and its research helps reveal the state of security as it stands today. In total, Kaspersky Lab stopped more than 137 million attempts to get users to visit fraudulent pages. This is a sharp rise from Q2, when it detected and stopped fewer than 108 million such attempts. Unsurprisingly, businesses dealing with financial transactions were commonly targeted, with 18 percent of attacks targeting banking customers and 10 percent targeting payment systems. Topping the list, however, was global internet portals, accounting for 32.3 percent of attacks.

Hijacking attempts also varied between countries. The new leader for phishing attacks this quarter was Guatemala, which saw nearly 19 percent of users attacked, followed by the previous leader, Brazil, at 18.6 percent. Spain occupied the third position, with 17.5 percent of its users targeted. Globally, 12.1 percent of Kaspersky users were targeted. Methods of attack have evolved. Because social media outlets frequently offer verification to certain users, such as the blue check on Twitter accounts and elsewhere, some phishing attempts offer the promise of verification once a user enters the account password on a phishing website linked from the fraudulent email.

Email remains the most common source of phishing attempts, and this is unlikely to change for the foreseeable future. However, users still need to be aware of other potential attack vectors. Search engine result hijacking can be especially dangerous. Even though many people now know to look closely at links opened through an email client, many are less cautious when clicking on a search engine result. Major search engines typically detect these fraudulent sites quickly, but some sites can slip through the cracks. In general, it’s best to load sensitive websites directly in a new tab instead of searching for the institute’s website through a search engine.

Infected websites remain a popular source of malicious attacks, with phishing being a popular option. By feigning security notices and other notifications, an infected or malicious website can use social engineering to target users. One vector that’s notoriously difficult to handle is hijacking attempts sent through advertisements. Vulnerabilities in an ad server’s software can cause them to send out malware quickly and across a number of legitimate websites. Furthermore, misconfigured ad software on a website can lead to cross-site scripting attacks and the potential for dangerously believable phishing attempts.

Event-Specific Campaigns

Most phishing attempts are evergreen, meaning the same campaign can be used for years with little modification. In 2018, however, some of the most notable campaigns involved specific events. The GDPR has had a major impact on the web, but the broad and confusing nature of it has led some to use it for phishing attempts by encouraging users to send information in order to be in compliance. Companies might be fooled into providing information about third parties from GDPR phishing attacks. One specific attack told individuals they had to update information to keep their Airbnb accounts intact, a request that seems reasonable to those who don’t know the details of the sweeping new regulations.

The 2018 World Cup also led to notable instances of malware attack, including widespread phishing. Lured by the promise of prize money from one of the tournament’s many sponsors, victims were encouraged to share personal information. Furthermore, apps related to the World Cup spread through spam and other attack vectors. By hijacking web browsers and installing adware and other malicious software, these programs left users vulnerable to a wide range of potential attacks, including phishing.

Criminal organizations and individuals aren’t the only sources of phishing attacks, and government-backed attempts at phishing are on the rise. In August of 2018, Google released a post encouraging users to enable two-factor authentication to reduce the likelihood of G Suite users falling victim to sophisticated phishing schemes. Users who might be at risk were even sent a notification stating that they may be the target of government-backed schemes.

Governments often have ample resources to spend on developing sophisticated campaigns, and they aren’t bound by the need to generate a profit quickly. Furthermore, governments often have privileged access to internet infrastructure, giving them the ability to use resources that would otherwise be unavailable. Companies including Google also have to deal with complex regulations imposed by governments across the globe, and those crafting these regulations can create addition phishing attack vectors. Even users who understand phishing well should note that governments can rely on psychologists and others who can devise especially clever attempts at social engineering. Vigilance is critical to avoid falling victim to attacks.

Avoiding Attacks

Fortunately, many phishing attempts leave telltale signs. In particular, spelling and grammatical errors are rampant in phishing emails. Legitimate organizations rely on professional copywriters and editors to craft their emails, and it’s exceedingly rare for errors to slip through. Be vigilant of all emails, but use extra caution if you notice clear errors. Native speakers of a language may also want to take note if an email doesn’t seems to use the language in a natural manner. Even if the spelling and grammar are strong, uncommon phrasing and other oddities might indicate that something is awry.

Use your cursor wisely. Develop a habit of hovering your cursor over links in emails to see where the URL actually points. A few minutes of research on how top-level domains work can make you an expert in detecting fraudulent links. Be extra cautious when an email states that urgent action is needed. In general, companies will provide adequate warning and give ample time for users to respond to potential issues. By telling users action is needed immediately to avoid negative outcomes, social engineers can cause critical thinkers into turn off the more skeptical parts of their minds. Take a few moments to breathe and calm down if you receive an email demanding an immediate response. If an email is designed to cause panic, there’s a good chance it’s not genuine.

In addition to instilling panic, spammers have long known that no promise of riches is too bold to deceive at least some users. If an email claims you’ve won a contest you haven’t entered, don’t respond with a click. Always bear in mind that today’s phishing attempts can be deviously clever. Phishers are always launching new and sophisticated plans, and many attempt to prey on individuals who think they’re too clever to be fooled.

Sadly, phishing attempts can even exploit tragedy and goodwill to target users. Requests for donations after tragedy ought to be treated carefully. If an email claims to be from the Red Cross, for example, it’s always also best to visit the Red Cross site directly instead of clicking on a link in an email. Even back in 2005, in the aftermath of Hurricane Katrina, the Red Cross uncovered 15 websites pretending to be the aid organization. Launching a fraudulent website in 2018 is far easier than it was 13 years ago, and the web’s global spread means there are more actors across the world seeking to exploit tragedies.