Messaging Platforms Become Leading Avenue for Phishing Attacks

Phishing attacks have soared to record levels over the past year, driven in large part by the increased use of popular messaging platforms as a delivery mechanism. Forty percent of IT professionals say they’ve seen an uptick in messaging-delivered phishing attacks over the past 12 months, according to one study.

Malicious actors are exploiting some of the largest business messaging providers. For example:

  • WhatsApp, the world’s most popular messaging app, experienced a 2,000 percent increase in phishing scams on its platform last year, according to analysis by Lloyds Bank.
  • A phishing campaign on Facebook Messenger has tricked more than 10 million Facebook users into revealing their login credentials over the past year.
  • Twilio has confirmed that hackers have accessed customer data after using a phishing scam to harvest employees’ login credentials.

These attacks represent a marked shift in attack techniques. Email has always been the attack vector of choice for phishing campaigns that use a variety of social engineering techniques to trick victims into revealing sensitive information. But with team collaboration and messaging now surpassing email as the go-to communication platform in most companies, hackers are changing tactics. Here are three of the common phishing techniques being used.

Malicious Links. Messages with malicious attachments or links to malicious websites remain the most common attack method. Typically, messages appear to have been sent by a known contact or trusted colleague. Clicking on the link will either install malware on the user’s device or direct the victim to a spoofed website. Two recent campaigns used spoofed messages, purportedly from pharmacy chains CVS and Walgreens, that invited recipients to participate in surveys to earn free gifts. Links take users to fake survey pages where they are prompted to enter their personal information, including name, address, phone number, email address and credit card number.

Impersonation Scams. As the name suggests, attackers impersonate a legitimate sender to trick recipients into giving up information or money. One popular technique is the “Hi Mom/Dad” scam, in which a scammer impersonates a family member, claiming their phone has been lost or damaged. After establishing a rapport with the victim, the scammer will then ask for money to pay a bill or replace the phone, or for personal information such as login credentials for a banking app.

Account Hijack. Scammers use this type of attack to gain control of a victim’s messaging account. For example, messages purporting to be from the company’s IT staff may direct recipients to a spoofed page to update their login credentials. Scammers can then use the hijacked account to send new phishing messages to all of the victim’s contacts. They can also access private messages that could contain sensitive information.

The following suggestions can help organizations reduce the risk of message-borne phishing scams:

  • Conduct regular training to inform employees of the latest phishing techniques.
  • Be wary of all messages containing external links, even those that appear to be from trusted contacts. You don’t know if their accounts have been hijacked.
  • Look for misspellings, grammar errors or other irregularities that might indicate a phish.
  • Don’t forward links. Scammers often ask their victims to share links with their contacts. This gives the malicious message an air of legitimacy coming from a trusted contact.
  • Confirm the legitimacy of any request for credentials or cash with a phone call to your contact.
  • Use messaging platforms that feature end-to-end encryption.
  • Make sure your phone operating system and security apps are updated.
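
Several of these checks can be partly automated on the platform side. The sketch below is an added example, not from the article or any vendor tool: it flags messages that carry external links or ask for credentials, money or forwarding, so the recipient is prompted to verify by phone. The internal domain list, the phrase lists and the message dictionary shape are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the organisation owns; every other host is external.
INTERNAL_DOMAINS = {"example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Constructed phrase lists for the request types the article describes.
CREDENTIAL_RE = re.compile(r"\b(log ?in|password|credentials?)\b", re.I)
MONEY_RE = re.compile(r"\b(send money|pay (a|the|this|my) bill|gift cards?)\b", re.I)
FORWARD_RE = re.compile(r"\b(forward|share) this\b", re.I)

def is_external(url):
    """True unless the URL's host is an internal domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL: treat as external
        return True
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def triage(message):
    """Return reasons to verify a message out of band; empty list if none."""
    text = message["text"]
    reasons = []
    # Sender trust is ignored on purpose: a known contact may be hijacked.
    if any(is_external(u) for u in URL_RE.findall(text)):
        reasons.append("external-link")
    if CREDENTIAL_RE.search(text):
        reasons.append("credential-request")
    if MONEY_RE.search(text):
        reasons.append("money-request")
    if FORWARD_RE.search(text):
        reasons.append("asks-to-forward")
    return reasons

# Constructed sample messages (not real traffic).
SAMPLE = [
    {"sender": "it-helpdesk", "text": "Your session expired. Update your login "
     "credentials at https://example.com.account-check.test/reset"},
    {"sender": "alice", "text": "Agenda is at https://wiki.example.com/agenda"},
    {"sender": "unknown", "text": "Hi Mom, my phone broke. Can you pay this bill for me today?"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(m["sender"], triage(m) or "no flags")
```

The first sample shows why the host must be matched as a suffix: a URL that merely begins with the internal domain name is still external.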

To learn more about the latest phishing scams and techniques for securing your messaging platform, contact the security experts at Verteks. We can help you conduct training programs and implement other best practices to improve your ability to detect and avoid attacks.

