What’s new in phishing?
I was recently asked to comment on what’s new in phishing. In some sense, phishing attacks are always the same. They count on the fact that some (small) percentage of people will follow links or provide information to sources that haven’t been verified or shouldn’t be trusted. They also know that even though most IT and security organizations publish guidelines to limit the chance of staff members succumbing to a phishing or vishing attack or becoming the victim of a virus or ransomware attempt, some people will not follow those guidelines on a minute-by-minute basis.
One of the new vectors in phishing is targeting mobile devices and the various social messaging applications that run on them. Even though the same principles apply to these devices as to somebody using a desktop or laptop, it seems as though every time a new platform is targeted – smart phones, tablets, IoT devices – we have to go through the same learning process: update and expand our ongoing user education, and the developers of these applications (e.g., Messenger, Facebook Messenger, WhatsApp, and Skype) have to do the same on their side. Not surprisingly, the most popular brands are impersonated because of their vast user populations: Amazon, Google, Apple, and Facebook, to name a few.
Also, in the same way that we’re seeing increased creativity in spam calling (e.g., the originating phone number is very similar to your own phone number), phishing attacks are becoming more specific to their target audience. Examples include attacks uniquely focused on specific occupations such as journalism or political support groups, or on users of a specific technology such as Office 365, Gmail, or Android rather than iOS.
The best advice to ensure that IT and security guidelines are followed is to use hardware and software that prevents employees from doing otherwise – try not to count on personal day-to-day vigilance.
Brad Johnson is Vice President of SystemExperts Corporation and has been a leader of the company since 1995. He has participated in seminal industry initiatives including the Open Software Foundation (OSF), X/Open, the IETF, and has published many articles on open systems, Internet security, security architecture, ethical hacking and web application security.