Phishing breaches have evolved significantly in recent years. These attacks were once primitive, full of typos, and not particularly convincing, but nowadays, even experts have trouble distinguishing phishing emails from legitimate emails. From these phishing emails, attackers direct their targets to phishing sites that look remarkably similar to the legitimate sites they are designed to imitate.
As many businesses continue to undergo a digital transformation that was accelerated due to the COVID-19 pandemic, the damage caused by phishing breaches is only increasing. Doing business today requires an increased online presence to meet modern demands. However, an increased online presence means an increased online attack surface and increased risk. To compromise businesses, attackers don’t need to devise complex schemes such as brute-force attacks, session hijacking, and malware-based command and control; they can merely invest in convincing an unsuspecting user to hand over their valid credentials through phishing.
According to IBM’s 2022 Cost of a Data Breach Report, “In 2022, the most common initial attack vectors were compromised credentials at 19% of breaches and phishing at 16% of breaches.” On average, the costliest initial attack vector was phishing at USD 4.91 million, followed by business email compromise at USD 4.89 million.
Verizon’s 2022 Data Breach Investigations Report also cites stolen credentials and phishing as the leading causes of breaches: “There are four key paths leading to your estate: credentials, phishing, exploiting vulnerabilities, and botnets.” As the report states, “The human element continues to drive breaches. This year 82% of breaches involved the human element.”
Phishing breaches are clearly the leading cause of breaches globally. Let’s take a look at a few of the tactics that attackers are using this year.
Top 2022 Phishing Tactics
Phishing breaches exploit several different weaknesses that your end users may be vulnerable to. Here are this year’s top tactics:
Everyone makes typos, and attackers are keen to pounce on such mistakes. Attackers often register domains that users might enter by accident. For example, instead of typing www.example.com, a user might type www.exanple.com (hitting the “n” key right next to the intended “m” key). If an attacker registers the www.exanple.com domain, the user will be redirected to the attacker website instead of to the legitimate www.example.com website.
If the attacker makes the imposter website look exactly like the legitimate one, a user can easily be tricked into handing over their credentials. The attacker can use these credentials to access the sensitive resources. Depending on the content of the legitimate site, these resources can include email accounts, bank accounts, and proprietary information repositories.
Lookalike Domain Attacks
Whereas typosquatting depends on the user making a typo, lookalike domains take advantage of the difficulty in differentiating between characters or words that look similar. For example, say the legitimate domain is www.luretheuser.com (with a lowercase “l”). An attacker can craft a clever phishing email using an uppercase “I” in place of the lowercase “l,” making www.iuretheuser.com look like www.Iuretheuser.com.
Because the case makes no difference to the domain name system, an attacker can set up a phishing site on www.iuretheuser.com that exactly resembles the legitimate site on www.luretheuser.com. From here, the attacker can steal any credentials the user enters on the attacker site and use these credentials to access the user’s sensitive information.
When most of us receive an email from our boss or an executive in the company, we move on it. Therefore, executive impersonation is a highly effective tactic. If attackers can compromise or spoof an executive’s email account (see “High-Level Employee Targeting” below), they can craft a phishing email cleverly designed to catch the attention of and lure unsuspecting users to an attacker-designed phishing site. The minute the user enters their credentials into the attacker site, the attacker can steal them and gain unauthorized access.
Credential Reuse Attacks
Unfortunately, credential reuse is very common among your end users, as creating new credentials for every application is inconvenient. If a phishing attack successfully retrieves one set of credentials, attackers can attempt to access other applications using the same credentials.
Prominent examples are the recent Facebook scams, which were first reported in September 2021 and have continued periodically since then. These scams trick users with messages in Facebook Messenger that link to phishing sites. The messages come from other accounts that have been compromised but look like they are coming from the users’ Facebook friends. Catchy taglines such as “Guess who died?” and “Check this out!” bait users into clicking malicious links.
Once baited, users are taken to a phishing site that tricks them into entering their Facebook credentials. Attackers will reuse the credentials to attempt to log into the users’ accounts on multiple online applications, including sensitive corporate applications. Because of how common credential reuse is, this type of attack often grants attackers access to several accounts across a variety of sites.
High-Level Employee Targeting
High-level employees have access to sensitive, confidential, and/or proprietary information that most other employees do not have access to. With their login credentials, employees now access sensitive corporate data (which was historically stored within an enterprise network perimeter) in the cloud. As such, credentials have become the keys to the kingdom, and stolen credentials are now capable of creating large-scale data breaches that were traditionally mitigated by network perimeter solutions.
Furthermore, the credentials of executives, board members, and other high-level employees are even more of a target because these individuals have privileged access to the most critical and sensitive information. If an attacker steals these credentials, they’re often able to gain access to the company’s most sensitive, private, and confidential information.
Phishing campaigns not only target credentials but may also aim to scam money or steal financial information from end users. In a financial scam phishing attack, a user is tricked into visiting a phishing site and baited into supplying personal and/or financial information and possibly into making financial transfers or transactions.
For example, if a site is purporting to be a charity raising money for pandemic victims, unsuspecting users might be fooled into donating. Or, attackers may try to bait financial company customers into providing sensitive personal and financial information on a fake site.
Having end users scammed by what they thought was your legitimate site opens a variety of challenges, such as loss of customer/user confidence, fraud, theft, and reduced traffic (and business) to your legitimate site. If you can quickly discover and take down these scam sites, you can mitigate the risks associated with fraud and brand reputation loss.
Top 2022 Phishing Breaches:
Now that we have a better understanding of some of the attack types and risks, let’s apply these tactics to notable recent breaches:
Acorn Financial Services (August 2022)
An Acorn employee was likely targeted via phishing, and their email credentials were stolen. Once attackers had access to the employee’s email account, they accessed internal information contained in the email account. Attackers stole names, addresses, dates of birth, driver’s license numbers, financial account numbers, Social Security numbers, and other client account-related information. Acorn launched a full investigation and sent a breach notification to their impacted customers. Acorn could have further mitigated exposure should they have implemented a phishing detection and takedown service before their employee fell victim to the phishing breaches.
Twilio (August 2022)
In this breach, employee credentials were stolen via an SMS (text message) phishing attack that baited and redirected employees to a fake site resembling Twilio’s real authentication site. The employees that took the SMS bait entered their credentials on the phishing site thus putting these credentials directly into the hands of the attackers. Attackers were then able to authenticate themselves on Twilio’s real site, gaining access to internal company resources and ultimately stealing customer data.
The hackers used their Twilio access to compromise 93 Authy accounts and authorize additional attacker-controlled devices.. Authy has roughly 75 million users. Meanwhile, the Twilio breach potentially exposed 1,900 accounts on the encrypted communication app Signal, and attackers seem to have used the access to initiate account takeovers. Because of how Signal is designed, attackers wouldn’t have gotten access to a user’s message history or contact list but would have been able to impersonate the user and send messages while in control of the account.
One method of protection that Twilio could have employed would be to proactively identify and take down fake authentication sites before employee credentials were stolen.
Allegheny Health Network (July 2022)
Employee credentials were stolen via a phishing campaign. Once attackers had access to the employee’s email account, they used these credentials to access the sensitive personal and health information of about 8,000 patients, including patients’ names, dates of birth, dates of service, medical record/ID numbers, medical history, mailing addresses; phone numbers; driver’s license numbers; and email addresses.
Once again, automating the detection and take down of digital risks online would have helped identify the phishing campaign and stop further damage. Because medical history is permanent, protecting the integrity of over 8,000 patient data should have been treated as top priority.
Mailchimp (March 2022)
Attackers socially engineered Mailchimp employees by tricking employees to hand over their credentials. The attackers used these credentials to gain unauthorized access to Mailchimp customer accounts. In total, they accessed 319 MailChimp customer accounts and exported the mailing lists pertaining to 102 accounts. Using the accounts, the attackers launched phishing breaches, which appeared to be legitimate because they were coming from Mailchamp emails. Attackers may have also gained access to application programming interface keys that could be used to launch additional email-based phishing campaigns in an automated fashion.
Furthermore, cryptocurrency wallet company Trezor reported that attackers used data stolen from the Mailchimp breach to launch a phishing campaign against its customers. The email sent to Trezor’s customers contained malicious code and tricked them into downloading this code and entering important information required to access their Trezor wallet. Attackers leveraged this access to transfer funds to attacker-controlled wallets. The Trezor incident is one example of a “downstream” attack cascading from the Mailchimp breach. Detecting these phishing campaigns early could help mitigate “downstream” effects of supply chain attacks.
Other notable phishing breaches in 2022:
- Living Innovations (August 2022)
- Klaviyo (August 2022)
- Florida Springs Surgery Center (May-June 2022)
- Valley View Hospital (January 2022)
- Charleston Area Medical Center (January 2022)
Ways to Avoid Phishing in 2023
The same conveniences that enable businesses to succeed can also be used to phish employees, steal private data, and destroy customer trust. Traditional solutions that address phishing threats, such as email security tools and law enforcement investigations, are not enough to stop most online malicious activities, which will continue to grow into 2023 and beyond. Traditional email security measures don’t protect against the dangers of social engineering because they cannot protect businesses against threats that operate entirely outside of their area of control and operation—as phishing breaches very much do.
A new approach for organizations looking to mitigate risks in 2023 is to be proactive about seeking out and stopping malicious phishing sties from proliferating. Phishing sites that soil your company’s good name, target your employees, seek access to internal resources, cost you time and money, and lead to time-consuming and costly breaches need to be taken down before they create a series of problems.
Rarely do organizations have the necessary in-house resources to perform continuous monitoring, effectively leverage available tools, and execute takedowns. Moreover, they neither have the relationships nor the access to perform takedowns, such as asking an internet service provider to remove a fake website, let alone the access to underground forums and chat rooms—access that cannot be acquired overnight.
Invest in an automated solution that can accurately detect and take down phishing and scam sites at internet scale. With phishing breaches surging in 2022, it is more mission critical now than ever to find a high fidelity, high speed solution to address these modern challenges. Also, invest in a zero-touch detection and takedown solution that will help alleviate any undue burden to security staff and be sure that the solution has a near-zero false positive rate to ensure that your organization get accurate and actionable threat intelligence. A few key features to look for in your 2023 phishing mitigation strategy are:
- Automated takedown of malicious phishing sites and content in the matter of minutes
- Targeted detection and removal of executive impersonations on social media
- Identification and takedown of false ads, scams, fraud, and counterfeits on the web or app stores
- Visibility into phishing and attacker activity on the dark web
Bolster offers an industry first automated digital risk protection platform that removes fraudulent sites in minutes, without the need for human intervention. Real-time, artificial intelligence–driven phishing and scam detection plus automation means that breaches resulting from phishing breaches and credential theft are pre-empted and averted.
Take a demo with Bolster to see how you can automatically protect against phishing breaches in a centralized, easy-to-use platform. Click here to get started!
We would love to share more about how we can keep you off next year’s list.