Phishing increased 29% in 2021 vs. 2020, according to a ThreatLabz study of data from the world's largest security cloud.
The easiest way to commit a robbery is probably to convince the victims they aren’t being robbed at all. That’s the phishing scammer’s basic model.
Phishing attacks begin with an email, phone call, SMS message, social media post, or the like that seems to be from a reputable source. From here, the attacker may have all sorts of end goals, such as tricking the victim into offering up account information, making a PayPal transfer, downloading disguised malware, and so on.
Let’s look at a common example. The victim gets an email or text message from what appears to be their bank. The phishing message mentions an expiring special offer, suspected identity theft, or similar, and asks the victim to log in to their bank account. It links to a mock login webpage, and the victim unwittingly gives the attacker their login credentials.
The attack in this example, like most phishing attacks, carefully creates a sense of urgency that fools the victim into lowering their guard instead of taking time to consider whether the message is suspicious. That may be more easily said than done, however, as there are quite a few tricks in the attacker’s playbook.
Attackers have invented a wide variety of phishing techniques to exploit different technologies, trends, industries, and users. Here’s a glance at some common types:
Phishing attacks can be extremely dangerous. Large phishing campaigns can affect millions of people, stealing sensitive data, planting ransomware and other malware, and gaining access to the most sensitive areas of a company’s systems.
Risks for any phishing victim can include loss or compromise of sensitive data, and organizations also face possible reputational damage and regulatory issues.
At the organizational level, the consequences of a successful phishing attack can be far-reaching and serious. Financial losses can stem from a compromised corporate bank account. Data loss can stem from phishing that leads to a ransomware attack. An organization can sustain major reputational damage from any breach of sensitive data that necessitates public disclosure.
Furthermore, any of these can have even more serious consequences in turn. Cybercriminals may sell stolen data on the dark web, including to unscrupulous competitors. On top of that, many breaches will need to be disclosed to industry or government regulatory bodies that may levy fines or other sanctions. It may even involve the organization in cybercrime investigations, which can be time-consuming and attract negative attention.
Fortunately, most types of phishing can be stopped if you take the right precautions. That means:
When it comes to phishing, the safest users are the ones who know how to avoid getting hooked. While a short summary is no substitute for focused security awareness training, here are a few key warning signs of attempted phishing:
In a 2021 survey of enterprise IT security leaders, 80% believe remote workers are at greater risk of falling victim to phishing attacks. Even so, many organizations are still relying on weak security protocols. Since most expect to continue facilitating remote or hybrid work for at least some of their workforce after the COVID-19 pandemic subsides, this could leave them exposed to vulnerabilities.
Remote workers often rely on less sophisticated security software at home than they do in the office. They also may be using personal emails or other accounts not under the control of their organization’s IT team. Moreover, because they are away from internal business controls, remote employees aren’t always forced to practice good security hygiene, and it can be difficult, if not practically impossible, for IT managers to monitor or enforce it.
To stay safe in the age of remote work, you need security that can account for the needs of your more mobile, distributed workforce.
Because it relies on exploiting human nature to succeed, user compromise is one of the most difficult security challenges to overcome. To detect active breaches and minimize the damage successful breaches can cause, you need to implement effective phishing prevention controls as part of a broader zero trust strategy.
The Zscaler Zero Trust Exchange™ platform, built on a holistic zero trust architecture to minimize the attack surface, prevent compromise, eliminate lateral movement, and stop data loss, helps stop phishing by:
Learn more about the Zero Trust Exchange to see how a complete zero trust architecture can help protect your organization against phishing attacks.
Phishing emails may have spelling errors, mismatched email or web domains, or slightly odd or clunky language. They may also include unusual requests.
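The warning signs listed above (mismatched sender and link domains, urgency language, unusual requests) can be turned into simple heuristic checks. The following is an added example written for this page, not Zscaler's code or any product feature; the two sample messages are constructed for illustration, and the domain comparison is a deliberate approximation (last two labels, no public-suffix list) that a production check would have to refine.

```python
"""Heuristic checks for common phishing warning signs: a Reply-To domain that
differs from the From domain, link text that names one domain while the href
points to another, urgency language and unusual requests.
Added example; the sample messages below are constructed, not real mail."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "unusual activity")
UNUSUAL_REQUESTS = ("gift card", "wire transfer", "confirm your password")

# <a href="X">Y</a>: group 1 is the real target, group 2 is what the user sees
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anything in visible text that looks like a domain or URL
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host):
    """Crude registered-domain approximation: the last two labels.
    Assumption: no public-suffix list is consulted, so 'example.co.uk'
    would collapse to 'co.uk'; use a real suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _body_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Sign 1: replies would go to a different organisation than the apparent sender
    from_dom = _domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if from_dom and reply_dom and registrable(from_dom) != registrable(reply_dom):
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Sign 2: link text shows one domain, the href goes somewhere else
    body = _body_text(msg)
    for href, inner_html in ANCHOR_RE.findall(body):
        visible = re.sub(r"<[^>]+>", "", inner_html).strip()
        target_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT_RE.search(visible)
        if shown and target_host and registrable(shown.group(1)) != registrable(target_host):
            findings.append(f"link text shows {shown.group(1)} but points to {target_host}")

    # Signs 3 and 4: manufactured urgency and unusual requests
    lowered = body.lower()
    findings.extend(f"urgency language: '{p}'" for p in URGENCY_PHRASES if p in lowered)
    findings.extend(f"unusual request: '{p}'" for p in UNUSUAL_REQUESTS if p in lowered)
    return findings


# Constructed samples; example-bank.com and secure-verify-center.example are placeholders
SUSPICIOUS_SAMPLE = """From: "Example Bank Alerts" <alerts@example-bank.com>
Reply-To: support@secure-verify-center.example
Subject: Unusual activity on your account
Content-Type: text/html

<p>We detected unusual activity. Your account will be suspended within 24 hours
unless you <a href="http://secure-verify-center.example/login">log in at example-bank.com</a>.</p>
"""

LEGITIMATE_SAMPLE = """From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking:
<a href="https://www.example-bank.com/statements">example-bank.com/statements</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Heuristics like these produce false positives on legitimate mail (marketing links through tracking domains, for instance), so they are better used to feed a user-reporting workflow or a mail-gateway score than to block messages outright.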
Internally, it’s a good idea to have a reporting mechanism through which staff can notify IT and security teams of new threats. These teams can then determine the next appropriate action, which can include reporting to service providers who may be able to patch the vulnerability, and in serious cases can even warrant reporting to an agency such as the US Federal Trade Commission.
Phishing is extremely common. With the rise of remote working, phishing attacks have reached an all-time high. Around a quarter of all incidents of cybercrime come from some form of hacking.
According to a recent report, top brands such as Microsoft, DHL, LinkedIn and WhatsApp are the most likely to be used in phishing attacks.
Victims can be anyone from individuals to large-scale organizations. Cybercriminals may also target senior executives in order to access financial details such as company credit cards.