Phishing is a social engineering tactic where hackers use fraudulent practices to collect sensitive data of users on the internet. Phishers acquire valuable details under the garb of anonymity and commit fraud with no fear of identification.
Through phishing attacks, scammers can get their hands on personal info, like financial details and login credentials, or implant malware into the host system.
Year-on-year, phishing attacks are increasing. A report by SlashNext shows that phishing activities have consistently increased during the pandemic, with there being 255 million phishing attacks in 2022 alone. Of these attacks, credential harvesting remains the most common form of attack.
This article will review some recent examples of high-profile phishing attacks and their results. It will then provide a few quick tips and pointers to prevent phishing attacks at your organization.
Twilio and Signal
In August 2022, cloud communications platform Twilio was hit by a social engineering attack where employees were tricked into handing over sensitive customer information through an SMS (text message) phishing attack.
Employees reportedly received messages purporting to come from Twilio’s IT department, suggesting they needed to log in to reset their passwords.
Employees were directed to a fake website resembling Twilio’s site and urged to click on malicious links. Once employees clicked on the embedded links and entered their credentials, attackers got hold of those credentials and used them to access Twilio’s internal systems and steal vital customer info.
After investigating the incident, Twilio released a statement saying a total of 93 Authy accounts and 209 customers were affected by the incident. Messaging service Signal also revealed that this incident could have compromised the personal data of around 1,900 of its customers.
Allegheny Health Network
On May 31, 2022, Allegheny Health Network (AHN) suffered a phishing attack that resulted in the protected health information (PHI) exposure of approximately 8,000 patients.
An employee at the network was targeted with a malicious email link, resulting in their account being compromised. Once the link was opened, attackers could gain access to the employee’s email account and, through that, access critical sensitive information of patients.
According to AHN, compromised PHI included patients’ names, dates of birth, ID numbers, medical history, diagnosis and treatment, email addresses, phone numbers, and driver’s license numbers.
Upon discovering that their system had been compromised, AHN immediately isolated their IT system and implemented preventive measures. They also enlisted the help of a cybersecurity agency to get to the root of the incident.
AHN even offered two years of identity protection services at no cost to individuals whose social security numbers and financial details had been leaked.
Mailchimp
In March 2022, hackers used social engineering techniques to target Mailchimp employees and compromise their accounts. First, attackers got hold of user credentials illegally to gain access to Mailchimp customer accounts. Then, using the accounts, hackers launched targeted phishing attacks on businesses that used Mailchimp emails.
While the Mailchimp team acted swiftly to control the incident, hackers still compromised 300 Mailchimp customer accounts and exported audience information from 102 accounts. In addition, bad actors also got hold of the API keys of customers, which they used to send spoofed messages.
Again, in August 2022, Mailchimp fell victim to an Okta phishing attack that also targeted Twilio and Klaviyo.
Mailchimp was the target of yet another attack as recently as January 2023. This was the third breach in less than a year. Once again, its employees were fooled by a phishing email as a result of which their account administration tool got hacked. This time, threat actors were able to access the data of 133 customers.
Oktapus
In July 2022, there was an enormous phishing campaign called Oktapus that specifically targeted the customers of the identity and access management (IAM) leader Okta. Over 130 organizations were breached, 10,000 Okta credentials were compromised, and 169 unique domains were identified in the attack.
According to threat researchers at Group-IB, employees received text messages with a link to phishing websites that copied their company’s Okta authentication page. When the user clicked on the link and navigated to the malicious webpage, they were asked for a two-factor authentication (2FA) code. Once the user keyed in the code, hackers gained access to every resource that user could reach.
Targeted organizations were mostly from the U.S. and U.K., with most of them being software companies providing cloud services. Targeted companies include Mailchimp, CloudFlare, Microsoft, AT&T, Verizon Wireless, Twitter, T-Mobile, Coinbase, Binance, and Epic Games.
Despite the size of the attack, Group-IB analysis indicates that subject “X” (the threat actor behind the campaign) was somewhat inexperienced and used low-skill methods to conduct the attack.
Types of phishing attacks
A phishing email—or text or phone call—often uses language that strikes fear in a user and urges them to take quick action.
The most common types of phishing attacks include:
- Email-based attacks: Email phishing is one of the most common forms of phishing, where fraudsters impersonate legitimate organizations and send emails with malicious attachments.
- Vishing: Voice phishing or vishing is when a hacker tries to get hold of personal information by simulating a call from a reputable organization.
- Spear phishing: Spear phishing is a form of targeted attack towards specific victims or an organization.
- Whaling: Whaling is a specialized form of spear phishing attack where high-ranking executives within a company are targeted.
- Clone phishing: In clone phishing, scammers reproduce a legitimate email to spoof users into clicking on it.
Preventing phishing attacks
While there’s no way to fully prevent phishing attacks from happening, the best way to avoid any damage from them is a fully informed and vigilant workforce. You can also implement MFA and use anti-phishing software for further protection.
Only open emails from trusted sources
It’s recommended to only open emails from trusted sources you know, avoid clicking suspicious links, and never download attachments without first confirming their legitimacy.
Emails from unknown sources can contain malware and other threats. Even if you know the sender, if the email’s content looks strange it is better to delete it than to open it.
Other ways to determine if it is an untrustworthy mail are:
- It contains embedded macros.
- It carries attachments in formats like .reg, .exe, .msi, .cmd, and .js.
- It’s riddled with grammatical errors.
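The attachment indicators above can be checked mechanically before a message ever reaches a mailbox. The following is an added example (not part of the original article): it parses a raw message with Python’s standard email library, flags the attachment extensions the article lists plus a few assumed script types, and inspects Office documents for an embedded VBA project. The blocked-extension set and the sample message are constructed for illustration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions the article lists as untrustworthy attachment formats, plus a few
# script types that behave the same way (assumption: tune to your own policy).
BLOCKED_EXTENSIONS = {".reg", ".exe", ".msi", ".cmd", ".js", ".bat", ".vbs", ".scr"}
# Office formats that are ZIP containers; a vbaProject.bin inside means VBA macros.
OFFICE_ZIP_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}

def has_office_macro(data: bytes) -> bool:
    """Return True if an OOXML attachment carries an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a real Office container; the extension check still applies

def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Parse one raw RFC 5322 message and list the reasons its attachments look untrustworthy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        # Judge by the last suffix only, so "statement.pdf.js" still counts as .js.
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: blocked attachment type {ext}")
        elif ext in OFFICE_ZIP_EXTENSIONS and has_office_macro(part.get_payload(decode=True)):
            findings.append(f"{name}: Office document with embedded macros")
    return findings

def build_sample_message() -> bytes:
    """Constructed test message (not a real phishing sample): a macro doc, a .js file, a clean PDF."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder macro blob
    msg = EmailMessage()
    msg["From"], msg["To"] = "it-support@example.invalid", "employee@example.invalid"
    msg["Subject"] = "Password reset required"
    msg.set_content("Please open the attached form.")
    msg.add_attachment(doc.getvalue(), maintype="application", subtype="octet-stream", filename="Reset_Form.docm")
    msg.add_attachment(b"// placeholder", maintype="application", subtype="javascript", filename="Statement.pdf.js")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()
```

Running `suspicious_attachments(build_sample_message())` reports the macro-enabled document and the .js attachment while leaving the PDF alone.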
Train your employees
One of the best ways to prevent phishing attacks in an organization is by training your staff in secure communication practices and educating them on the repercussions of a phishing attack. Organizations should regularly conduct training programs to make employees aware of phishing activities and help them spot suspicious activities.
A robust anti-phishing employee training program should include reporting capabilities, compliance training, up-to-date educational content, simulated phishing materials, and threat intelligence features.
Use multi-factor authentication (MFA)
Making MFA a part of your anti-phishing strategy is an important step for protecting your accounts and devices. MFA uses additional authentication methods like a PIN, a physical security token, or a biometric ID to confirm a user’s identity. This means that even if hackers manage to get past the first layer, they would still require another authentication method to access a user account. Bear in mind that a one-time code typed into a lookalike page can be relayed by the attacker, as the Oktapus campaign above shows, so a phishing-resistant factor such as a FIDO2 security key offers stronger protection than codes alone.
Use anti-phishing software
With individuals and organizations regularly falling prey to phishing attempts, using good anti-phishing software is one of the best precautions against phishing attacks.
Anti-phishing software scans incoming emails for impersonation and identifies and isolates malicious messages in real time, thus protecting your privileged systems. Additionally, these solutions block you from accessing malicious websites.
The key features to look for in anti-phishing software include the following:
- Inbox scanning.
- Quarantining infected devices.
- Mobile device compatibility.
- Malicious link identification.
- Compatibility with any mail server.
Frequently Asked Questions (FAQs)
What is the most common phishing attempt?
Fake emails are one of the most common phishing attempts made by fraudsters. These fraudsters register a phony domain mimicking a genuine organization.
The user will get an urgent email containing the organization’s name and a nearly indistinguishable URL, and they’ll click on it, supposing it is authentic.
They’re then taken to a page that is an almost perfect replica of the actual login page, where they will be prompted to input their credentials so they can be stolen by the fraudsters.
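The near-indistinguishable URL described above is something a mail filter can test for. The following is an added example (not code from the original article): it pulls the links out of an HTML body, compares the domain shown in the link text with the domain the link really points at, and scores the destination against a list of protected domains. The protected-domain list and the sample body are constructed for illustration, and the registered-domain helper deliberately ignores multi-part public suffixes.

```python
import difflib
import re
from urllib.parse import urlparse

# Domains whose login pages staff legitimately visit (assumption: constructed list;
# populate it with your own identity provider and vendors).
PROTECTED_DOMAINS = {"okta.com", "twilio.com", "mailchimp.com"}

# Constructed HTML body (not a real phishing sample). The first link shows a genuine
# Okta URL as text but points elsewhere; the second uses a one-character lookalike.
SAMPLE_BODY = """<p>Your password expires today.</p>
<a href="https://okta-sso-login.example.net/reset">https://company.okta.com/reset</a>
<a href="https://www.0kta.com/login">Sign in</a>
<a href="https://example.invalid/news">Newsletter</a>"""

def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: no multi-part public suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_link(href: str, text: str) -> list[str]:
    """Return the reasons a link looks like an impostor of a protected domain."""
    host = urlparse(href).hostname or ""
    target = registered_domain(host)
    if target in PROTECTED_DOMAINS:
        return []  # genuine destination: nothing to flag
    reasons = []
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalized (punycode) hostname")
    # A URL or domain shown in the link text must agree with where the link really goes.
    shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
    if shown and registered_domain(shown.group()) != target:
        reasons.append(f"visible text says {shown.group()} but link goes to {host}")
    for brand in sorted(PROTECTED_DOMAINS):
        # Near-identical spelling (0kta vs okta), or the brand name buried in another domain.
        if difflib.SequenceMatcher(None, target, brand).ratio() > 0.8 or brand.split(".")[0] in host:
            reasons.append(f"{host} resembles protected domain {brand}")
    return reasons

def scan_html(body: str) -> dict[str, list[str]]:
    """Map each href in an HTML body to its findings (an empty list means clean).
    Anchors are pulled with a regex, which is enough for mail bodies this simple."""
    links = re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S)
    return {href: assess_link(href, re.sub(r"<[^>]+>", "", text)) for href, text in links}
```

`scan_html(SAMPLE_BODY)` flags the first two links and passes the newsletter link, which is the behaviour the "malicious link identification" feature above describes.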
What are the signs of a phishing attempt?
While phishing emails are common, they’re still tricky to spot. Here are some of the common signs of a phishing attack—though it’s important to stress that not all phishing attempts will have all or any of these features.
- Emails with spelling errors.
- Emails with unusual content.
- Emails soliciting personal info.
- Emails sent from unknown email addresses.
Bottom line: Spotting and avoiding phishing scams
Phishing attacks are costly not just in terms of monetary losses but also loss of reputation and trust when companies fall victim to scammers. And with cyber criminals becoming more innovative and successful in targeting individuals and organizations, users and organizations need to be aware of cybersecurity best practices.
Implementing multi-layered security measures, using anti-phishing tools, and educating users and employees to recognize phishing emails are necessary to stay ahead in the game—so your company can avoid being featured in the next version of this article.
For more on stopping phishing attempts against your employees, see these eight best practices and this guide to training your employees on what to watch for.