State of phishing

August 2021

With so much personal and business information stored digitally, cybercriminals have plenty of ripe fraud targets, as well as the basic information to carry out a phishing scam. Phishing is a form of social engineering in which scammers send fraudulent emails that appear to be from a legitimate source to gain access to financial accounts or other valuable information. Phishing attacks have not only grown in frequency but also in sophistication. Business owners and leaders should educate employees and others who may have access to their systems, employ prevention tactics, and test their protocols to ensure their valuable financial information isn’t vulnerable to a phishing scam.

Social Engineering, Phishing and Vishing

Through social engineering – using interactions online or information available on LinkedIn or other social media platforms – scammers identify targets such as employees who may have access to the company’s network or financial systems. They send phishing emails that may look like they’re from a financial institution, vendor, customer, or other trusted sources that have a link or download that installs malware on the recipient’s computer.

Fraudsters may also use vishing or voice phishing, which is a scam phone call or voicemail to users of VoIP (Voice over Internet Protocol) platforms. On VoIP, scammers can spoof the inbound number on caller ID to engage with an employee as a business contact, and then direct the target to enter their login and passwords on a spoofed site. Text or SMS messages, also known as smishing, and social media interactions and messages are other methods that are gaining traction.

Once scammers have access to a company’s network through phishing or vishing, they can attempt to find financial accounts, credit card data for the company or its customers, install ransomware or request or send illegitimate payments.

The State of Phishing in 2021

According to a research report from cybersecurity firm Proofpoint¹, 57% of respondents to a survey about cybersecurity said their organization dealt with a successful phishing attack in 2020. Even more companies were the targets of unsuccessful attacks. Proofpoint also identified that link-based phishing has become far more prevalent than attachment-based phishing, and scammers are becoming more creative.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that attackers often take advantage of disruptions such as natural disasters, epidemics or other public health crises, major elections, economic events (such as IRS deadlines), or holidays to make their move. During the coronavirus pandemic, remote work and interrupted routines, stress and increased use of new digital tools all created advantageous conditions for cybercriminals. In its 2020 Internet Crime Report, the FBI’s Internet Crime Complaint Center identified an increase of more than 300,000 complaints from 2019 and reported losses exceeding $4.2 billion.

Layer Protections to Prevent Phishing

No single cybersecurity method is foolproof, but by stacking education and protocols, companies can lower the risk of a successful phishing attack.

Keep your employees, clients and customers informed about new or more commonly used tactics, such as vishing and smishing or specific email scams (e.g., emails that say a security or software update is needed). The Internet Crime Complaint Center (ic3.gov) is a good source for new and intensifying threats.
Run phishing simulations to identify vulnerabilities and demonstrate to employees how an attack may take place.
Remind employees to not reveal personal or financial information to unsolicited callers, send secure or confidential financial data via email, or log into unverified websites.
Share tips for identifying a spoofed website, such as variations in spelling of an institution’s name, and how to make sure a URL is secure and encrypted.
Require two-factor authentication for network access and dual controls for financial transactions.
Ensure firewalls, email filters and antivirus software are employed and kept up-to-date. Install security patches on all company devices, including phones and tablets, in a timely manner.
Report any suspected or successful fraud attempts immediately to the authorities, ic3.gov and financial institutions so that mitigation efforts can be more effective.

Helping your business identify and protect from common cyber scams

When phishing scams are increasing – and increasingly creative – staying ahead can be difficult. KeyBank Information Security and Fraud collaborates with your organization to keep you informed of trending criminal tactics and offer actionable ways to prevent and combat fraud. For more information on how to keep your business information secure, please visit us at key.com/cybersecurity.