Several new phishing trends were evident in 2022 as cybercriminals changed their tactics for stealing credentials and distributing malware. The same tried and tested techniques were used in many phishing campaigns, including delivery failure notifications, fictitious charges to accounts, security alerts about suspicious account activity, and requests for collaboration on documents, but there have been several phishing trends in 2022 that have been gaining momentum and are likely to continue in 2023.
Phishing Attacks Soared in 2022
Data from the Anti-Phishing Working Group (APWG) shows a massive rise in phishing attacks in 2022. Q2, 2022 saw more than 1 million phishing attacks reported, more than in any other quarter to date and more than four times as many attacks that were experienced in Q1, 2020. That record was then broken again in Q3 when 1,270,883 phishing attacks were reported. One survey of 1,400 organizations found 79% had experienced an increase in phishing attacks in the past 12 months, with 92% saying at least one business account had been compromised in a phishing attack. Phishing has also become much more diverse with a wide range of lures, tactics, and techniques used in attacks.
Increase in Social Media Phishing
There has been a notable increase in the use of social media networks in phishing attacks, with LinkedIn one of the most spooked platforms. LinkedIn phishing attacks increased by more than 200% in 2022. LinkedIn phishing attacks seek credentials to the platform, which can be used for a variety of nefarious purposes. Emails are sent that use HTML templates virtually identical to the emails that LinkedIn sends, including spoofed versions of connection requests, notifications about the number of searches an individual has appeared in, and headhunting notifications.
These emails use display name spoofing to make the recipient believe the emails have been sent from LinkedIn when they have actually been sent from webmail addresses. These emails direct users to a spoofed LinkedIn site and prompt users to disclose their credentials. The increase in attacks is not surprising due to the Great Resignation, with so many individuals relying on LinkedIn for finding new employment opportunities. According to Bulletproof, LinkedIn-related phishing emails were the most commonly clicked in 2022.
Recently, a campaign was detected that used Facebook posts with phishing links, with the link to the post included in phishing emails. This method was used to bypass email security solutions, which consider Facebook.com URLs to be benign. The links in the Facebook posts direct users through a series of redirects to a phishing page where credentials are stolen. Social media posts are also used to phish for personal information that can then be used to craft convincing spear phishing emails.
Callback and Hybrid Phishing Attacks Increase
One phishing trend observed in 2022 was an increase in hybrid phishing, where more than one vector is used in the attack. This is typified by callback phishing, where a benign email is sent that contains a phone number to call to resolve an urgent issue. This method of phishing allows cyber actors to bypass email security solutions. In these attacks the phishing takes place over the telephone, with the initial contact made via email. Agari reports a 625% increase in hybrid phishing attacks, with one in four phishing attempts in the summer of 2022 involving hybrid phishing. One of the most common hybrid phishing scams notifies users about a pending charge to an account that requires a call to cancel.
Phishing Used for Delivering Ransomware
Phishing is used to gain initial access to business networks, often installing a malware dropper that is used to deliver the ransomware payload. Botnets such as Emotet are extensively used by ransomware gangs, who pay for the access that the botnets provide, with the QakBot operators similarly working with ransomware gangs. Both of these malware droppers are delivered via phishing emails. It is difficult to obtain accurate statistics on the extent to which ransomware attacks are enabled by phishing, with estimates suggesting at least half of ransomware attacks start with a phishing email, and some suggesting as many as 90% of attacks have their roots in phishing.
Phishing Attacks That Bypass Multifactor Authentication
One worrying phishing trend in 2022 was the increase in phishing attacks that bypass multifactor authentication. Phishing often has the aim of stealing credentials, but if multifactor authentication is enabled, those credentials will not grant access to accounts. With more businesses adopting MFA it has become harder for phishing attacks to succeed.
Several phishing kits are now being used that allow multi-factor authentication to be bypassed by intercepting MFA codes or stealing session cookies, in what is referred to as an attacker-in-the-middle attack. The solution is to implement phishing-resistant MFA and this is likely to be increasingly important in 2023 as more phishing campaigns are conducted that bypass weaker forms of MFA.
Work From Home Employees Increasingly Targeted
The pandemic forced many employees to work from home but as restrictions eased, many businesses continued to allow employees to work from home for at least some of the working week. During the pandemic, phishing attacks on at-home workers increased and they continue to be conducted in high numbers. One of the reasons why these attacks are conducted is because they have a higher success rate, as many businesses still lack the security infrastructure to effectively block these threats compared to when employees were office based. Further, there can be more distractions in the home, which means employees are more likely to make mistakes.
