In 2019, phishing was widely proclaimed to be the biggest and most consequential cyber threat facing both businesses and consumers. According to the most recent Phishing Activity Trends report available from the Anti-Phishing Working Group (APWG), during the third quarter of 2019 phishing attacks had increased by 46% from the previous quarter — almost double the number seen during the fourth quarter of 2018. Sustaining momentum from the last couple of years, we anticipate the phishing trends in 2020 will continue to spike.
From the proliferation of off-the-shelf phishing kits and Phishing-as-a-Service operations (PaaS or PHaaS), to micro-targeted attacks through Business Email Compromise (BEC), social engineering and deepfakes, phishing remains a top threat for 2020 as the scams become increasingly sophisticated, easy to execute and highly profitable.
Below are some of the top phishing trends to keep an eye on in 2020
While phishing kits are nothing new, they are increasingly sophisticated, which makes it quick and easy to set up and execute campaigns. Turnkey phishing kits include everything necessary for experienced and novice attackers alike to replicate login pages that appear to belong to legitimate and trusted brands and scam victims into handing over account credentials. Many of the phishing kits take advantage of URL randomization generators to create multiple URLs for use in a campaign, so even if one URL gets blacklisted, the attacker still has several other functioning URLs. Having multiple URLs also suits the short-lived nature of phishing sites, which can last fewer than 24 hours. With phishing kits ranging in cost from $0 to $300, it doesn’t take much effort for cybercriminals to turn a profit.
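To make the blacklisting point above concrete from the defender's side, the following added example (not code from the original post or from zvelo) compares an exact-URL blocklist with one keyed on the normalized hostname. The sample URLs are constructed for illustration and use reserved `.test` and `example.org` names; the assumption is that a kit's randomizer varies the path while the hosting domain stays the same, so a host-level match holds up where an exact-URL match does not.

```python
from urllib.parse import urlsplit

# Constructed sample traffic: three URLs a kit's randomizer might emit for
# one phishing host (varying path, case and an explicit port), plus one
# benign URL on an unrelated host. None of these are real indicators.
SAMPLE_URLS = [
    "http://login-example.test/a8f3k2/index.php",
    "http://login-example.test/zq91mm/index.php",
    "http://LOGIN-EXAMPLE.test:80/x0x0x0/",
    "https://www.example.org/support",
]

# The single URL that was reported and added to the blocklist.
REPORTED_URL = "http://login-example.test/a8f3k2/index.php"


def normalize_host(url):
    """Return the lowercase hostname of a URL with port, credentials and
    any trailing dot removed, so cosmetic variations compare equal."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


class ExactUrlBlocklist:
    """Blocklist that only matches the exact string that was reported."""

    def __init__(self, urls):
        self.urls = set(urls)

    def blocked(self, url):
        return url in self.urls


class HostBlocklist:
    """Blocklist keyed on the normalized hostname of each reported URL."""

    def __init__(self, urls):
        self.hosts = {normalize_host(u) for u in urls}

    def blocked(self, url):
        return normalize_host(url) in self.hosts


def evaluate(blocklist, urls):
    """Return the subset of urls that the given blocklist would stop."""
    return [u for u in urls if blocklist.blocked(u)]


if __name__ == "__main__":
    exact = evaluate(ExactUrlBlocklist([REPORTED_URL]), SAMPLE_URLS)
    by_host = evaluate(HostBlocklist([REPORTED_URL]), SAMPLE_URLS)
    print("exact-URL blocklist stops:", exact)
    print("host blocklist stops:", by_host)
```

With one reported URL, the exact-URL list stops only that URL, while the host-keyed list stops all three randomized variants and leaves the unrelated site alone. Hostname matching is the simplest step up; real categorization services also look at page content and domain reputation, which this example does not attempt.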
Phishing-as-a-Service (PaaS) operations make phishing even easier than the turnkey phishing kits. PaaS allows attackers to subscribe to phishing services for monthly fees that have been reported to range from $50 to $80 per month. The cybercriminals behind the PaaS businesses use traditional and legitimate business practices to promote their services through professional-looking websites with shopping carts and product ratings. Like phishing kits, PaaS takes minimal effort to generate a profit.
Business Email Compromise (BEC)
Business Email Compromise (BEC) is another area of phishing, specifically spear-phishing, which uses micro-targeting to focus on individuals working at targeted companies. The most frequently targeted industries include tech companies, payment gateways and financial institutions. Once the attackers have defined their targets, they rely heavily on social engineering tactics to manipulate victims into directing large sums into fraudulent accounts. The FBI’s Internet Crime Complaint Center reports billions of dollars in aggregate losses attributed to BEC incidents. Unfortunately, these losses only account for what companies are willing to report or confirm, so the actual losses are likely to be far higher.
Like the other areas in phishing, social engineering isn’t new, but we do anticipate this year will bring larger scale attacks than previous years. While a spike in social engineering scams can be predictably tied to the US election cycle, scams that use advanced voice technology to create voice deepfakes and SIM swapping are high on the list of contributing factors.
Voice Technology and Deepfakes
Deepfake technology leverages the latest advances in artificial intelligence and deep learning to create fake or altered audio content. Because synthetic audio sounds authentic to the human ear, deepfake video and voice-spoofed audio content are an increasingly popular choice of phish bait used to ensnare high-risk individuals like CEOs, politicians and others with financial decision-making power within their organization. In August of 2019 the Wall Street Journal reported on one of the first instances of an AI-generated voice deepfake used to scam an accomplished CEO out of nearly a quarter of a million dollars. In the coming months, we expect to see the use of deepfakes intensify.
As the mobile universe continues to expand, SIM swapping is gaining ground. SIM swapping is a social engineering tactic which circumvents the two-factor authentication (2FA) protective layer by tricking the victim into supplying the one-time passcode sent via text message from what appears to be the victim’s carrier. Once the attacker has the code, they move on to convince the mobile carrier to port the victim’s phone number to their SIM, allowing the attacker to receive all SMS and voice calls intended for the victim. Once this takes place, the attacker is able to intercept any one-time password sent via text or phone call to gain access to bank accounts or any other personal or business accounts tied to the victim.
The phishing threat landscape is vast and the trends we mention above are just some of the top threats we will see escalate over the next year. Please stay tuned in the coming weeks as we take a deeper dive into the 2020 threat landscape exploring all the top threat trends from phishing to ransomware to device malware to cloud and infrastructure misconfiguration vulnerabilities, and more.
zvelo provides the industry’s leading AI-driven URL web content categorization platform to deliver unparalleled objectionable, malicious, and phishing detection services to valued partners around the globe. Keeping a close eye on the evolving threat landscape and making sure that we keep pace with the latest technologies and tactics used by attackers is critical to supporting our partner network as we work together towards a common mission to make the internet safer and more secure.