Phishing Trends for 2024

A recent report from Swiss technology company Acronis revealed that phishing remains the most popular tactic for stealing credentials, making up 73 percent of all cyberattacks. The phishing trends for 2024 include smishing and deepfakes, as the race in developing AI technology continues to be a critical one between cybercriminals and cybersecurity experts.

The following phishing trends will dominate the cybersecurity landscape in 2024 and impact businesses and organizations.

Spear Phishing

Spear phishing is a highly targeted form of phishing aimed at specific individuals or organizations. Cybercriminals use personal information to dupe victims into thinking the emails are sent from someone they know and trust. These emails often involve urgent requests related to money or confidential data and can typically be the first step in an organized attack intended to gain access to a larger network. According to PhishMe, 91% of successful data breaches started with a spear phishing attack.

Organizations are especially vulnerable to spear phishing tactics focused on a singular employee. Employees are often a significant vulnerability for a business, with human error being the number 1 cause of unplanned system downtime, underscoring the need for regular anti-phishing training. 

In a spear phishing scenario, the attacker targets a specific employee. Using details from the employee’s social media, the cybercriminal impersonates a company media manager and sends a tailored email, alluding to a recent work event and inviting the employee to click a link supposedly leading to event photos. This personalized approach makes the malicious link more convincing, increasing the likelihood the employee will inadvertently deploy malware or surrender login credentials.

According to Cisco, the following types of employees are common targets for spear phishing:

Employees with valuable data: Spear phishing targets usually have access to valuable information. Low-profile employees in departments such as accounts payable, payroll, and HR not only have access to critical data but also regularly receive a high volume of emails, making it easier for phishing emails to blend in.

Inexperienced employees: Scammers often target lower-level or newly hired employees as they are unfamiliar with company protocols or cybersecurity best practices. Spear phishing emails may assert false authority or urgency, capitalizing on a new employee’s natural inclination to comply with perceived authority.

Smishing

Smishing uses fake mobile text messages to trick people into downloading malware, sharing sensitive personal information or sending money to cybercriminals. The term is a combination of “SMS” (short message service) and phishing. Smishing works much like email phishing and relies on a combination of technological manipulation and psychological trickery to fool victims into sharing personal information, such as financial account information.

Types of smishing attacks include: account verification scams, tech support scams, bank fraud alerts, tax scams and service cancellation. Many attackers use an email address to automate sending text messages and avoid detection. The phone number listed in caller ID usually points to an online VoIP service such as Google Voice, where you can’t look up the number’s location. Cybercriminals often use well-known consumer brand names to dupe victims into sharing information.

Organizations can help prevent smishing through:

Education and Awareness: Provide staff with regular training sessions on cybersecurity threats, including sending fake smishing messages to see how recipients respond. These tests identify areas where more training might be necessary.

Reporting Mechanisms: Establish clear channels for employees to report potential smishing attacks and enable the organization to issue warnings.

Regular Updates: Keep software, including mobile operating systems and security tools, up to date to defend against the latest known threats.

Deepfakes

Bad actors are constantly on the lookout for low-effort, high-return attack methods, and generative AI has facilitated a new generation of deepfakes that can produce realistic audio and video, which bad actors can use to commit crimes. Deepfake phishing is a relatively new phishing tactic where attackers manipulate victims by using a combination of clever social engineering techniques and deepfake technology. In fact, instances of deepfake phishing and fraud have surged by an astounding 3,000% in 2023, according to a report by London-based Onfido.

Deepfake technology is making it easier for cybercriminals to create new identities and steal the identities of real people. Attackers use the technology to create false documents or fake their victim’s voice, which enables them to create accounts or purchase products by pretending to be that person.

Phishing is the most common form of cybercrime, with 3.4 billion phishing emails alone sent per day. Advancing technologies, such as generative AI, will continue to change the phishing landscape as bad actors identify the latest trend and use it to their advantage.
