By October of 2021, data breaches in 2021 had already exceeded data breaches in 2020 by 17%. In addition, an estimated 49 million Americans were victims of identity theft, resulting in a loss of $56 billion USD. According to Identity Force, which focuses on identity security and protection, “1 in 6 Americans lost money to a scam last year.”
The most common methods used by cyber-criminals to steal identities came from three social engineering attacks — phishing, smishing, and vishing. A social engineering attack is when a bad actor uses methods of deception to steal a person’s data.
A phishing attack is a social engineering attack where the perpetrator sends out a malicious email, text, or instant message, with the primary goal of stealing an individual or company’s personal data. A smishing attack is when a bad actor tries to collect login credentials by sending out a malicious text message. A vishing attack is when a caller pretends to be from a company and tries to manipulate their victim to disclose their personal information.
Phishing, by far, was the most prevalent type of social engineering attack aimed at American consumers in 2021. For this brief, Overwatch analysts focused on phishing attacks and the steps consumers can take to mitigate the risk of becoming victims of a social engineering attack to steal their data.
Phishing Attacks
Phishing attacks have grown by 65% in the last year, partially due to the remote workforce growing and cyber-criminals developing more sophisticated methods to target potential victims.
According to a report from Check Point Software Technologies LTD, the following six companies are the most imitated brands in phishing attempts for the last quarter of 2021.
- DHL – 23%
- Microsoft – 20%
- WhatsApp – 11%
- Google – 10%
- LinkedIn – 8%
- Amazon – 4%
In 2021 phishing attacks impersonating DHL, the world’s largest logistics company, were likely higher than Microsoft due to the holiday season and consumers buying gifts. Many phishing attacks from DHL impersonators come from fake package delivery notices. According to DHL, scammers use emails, text messages, and fake DHL social media accounts to launch their social engineering attacks.
Phishing attacks on Microsoft were prevalent for Office 365 users in the corporate environment. One common phishing email that 365 users received might have looked like this.
There are several red flags within this email. The first red flag is the sender’s email address, info@newsletter.cbc.ca. Any email about a server error in Office 365 would come from Microsoft domain email. The second red flag is the spelling and grammar in the notification, “Your microsoft office 365 account has encountered a server error. Acess To Your Email will be Expired.” Then the message tells the Office 365 user to change or reset the password, which of course, we won’t do. However, the attacker also knows that many people will see this kind of email and only skim the details, seeing the Microsoft logo, that there was a server error, and they need to reset their password, which is why cybercriminals target so many Microsoft accounts.
In 2021, many WhatsApp users, an encrypted messaging app with two billion users, received a code on their phone, then a WhatsApp message from a person on the WhatsApp user’s contact list. The attacker would then ask the friend to share the code, providing the cybercriminal with access to their WhatsApp account.
Google Docs has over 2 billion users, and in 2021 Google users were targets that asked them to download a document. Security Magazine reports on a phishing attack that was used on Google Docs. “The attacker wants the victim to ‘Click here to download the document,’ and once the victim clicks on that link, they will be redirected to the actual malicious phishing website where their credentials will be stolen through another webpage made to look like the Google Login portal.”
With LinkedIn, a platform with 800 million users, 2021 phishing attacks came from fake accounts offering false job opportunities to users. LinkedIn users would receive messages from phishing accounts by using a LinkedIn user’s job title, then asking their potential victim to help with projects or for consulting. The message would include a malicious link that would lead them to a login page to steal their credentials or attempt to manipulate them to open a malicious file.
In late 2021, Amazon users were targeted by a phishing attack that spoofed Amazon order notifications. However, like the Microsoft 365 email mentioned above, comparing what an Amazon order notification looks like vs. the fake notification shows that the two don’t match one another.
No payment is confirmed on the actual Amazon order notification or note about rare circumstances.
Many other companies and brands were victims of phishing attacks in 2021, but for brevity, Overwatch covered the top six brands used by hundreds of millions of Americans.
Contrary to popular belief, cyber-criminals do not solely target elderly individuals and those who aren’t tech-savvy. Instead, Cyber-criminals target people and companies with vast amounts of information readily available for exploitation.
Cyber-criminals leverage current events and modern technologies to create more effective and convincing scams. This adaptability to modern technologies has become increasingly evident as cyber-criminals have targeted younger individuals by spreading phishing scams through Instagram, TikTok, and SMS messaging in 2021.
Likewise, during the COVID 19 epidemic, cyber-criminals took advantage of the crisis and targeted individuals, posing as hospitals, the CDC, in addition to federal and state health departments.
The following is a list of vulnerabilities that cyber-criminals look for in potential victims.
- Individuals who use their work email to conduct private business such as online shopping or signing up for various services.
- Remote workers using less secure home networks.
- Individuals who do a large amount of online banking and shopping put important personal information on the internet.
- Those active on social media, posting photos of their homes, vehicles, or vacations.
- People who work in energy, technology, critical infrastructure, or logistics management.
Steps You Can Take to Mitigate Your Risk of Becoming a Victim –
- Keep your browser up to date.
As browsers release security updates, users need to stay up to date to keep their devices and accounts secure. Loopholes within browsers – which are often exploited by cybercriminals – are patched by updates. The most used browsers, such as Google Chrome and Firefox, can be updated manually by the user whenever an update is available.
- Limit the connection between email addresses, usernames, platforms, and personal finances.
The more an individual uses an email address or username to access online platforms, the higher the risk of an incident. To compromise an account, cybercriminals attempt to identify the account’s username based on an individual’s email address. They will then attempt to enter the account with a variety of techniques such as brute force and credential stuffing. If the attacker can access the account and subsequently identify financial information therewithin, the outcome can be detrimental to the account’s owner.
- Refrain from using business email addresses for personal matters.
In addition, the more an email address is used for online services, the more likely it is to be shared. Some online services enable a “voluntary” information exchange that is only disabled when requested by the user. If a user’s business email address is being shared amongst services, it creates vulnerability to the business. Socially engineered attacks, such as phishing or smishing attempts, can then be directed toward the entire company.
- Create an alternative email address to use for products and services.
To protect personal information from association to email addresses and websites, it is recommended that users create alternative email addresses to conduct certain online activities such as subscribing to services and newsletters, or online shopping. Utilizing additional email addresses to separate sensitive data (such as financial information) from your personal identifying information will enhance your online security.
- Think twice before clicking!
If a hyperlink within your email inbox or online feels fraudulent, there is a chance it is. Before clicking an unfamiliar link, utilize open-source URL analyzer tools such as “URLvoid” (https://www.urlvoid.com/). This tool will display abnormalities of the link and enable the user to make an informed decision before deciding whether or not to click.
- Use A Password Management Tool
Password management tools are an effective way to store many login credentials and help ensure that you don’t use a simplified password or the same password repeatedly. Threat actors identify common passwords by researching their victims and conducting brute force attacks on their accounts. Choosing a strong password with twelve or more characters can help alleviate such risks.
Our Assessment
Following the personalized phishing attacks cyber-criminals developed in 2021, Overwatch assesses criminal tactics will be more challenging to detect in 2022 and beyond. Cyber criminals will employ various increasingly complex tactics leveraging more notable brands, capitalizing on remote workers on less-secure networks and more intricate social engineering.
Cyber-criminals will continue to follow a pattern of targeting notable brands like Microsoft and others because of the number of users each brand has. In addition, as more people use encrypted-messaging applications, attackers will devise new phishing attacks to attack those platforms, as they did on WhatsApp in 2021.
Cyber-criminals will focus on exploiting people who share an excess of personal information online, posting photos or videos showing their homes, vehicles, jewelry, and forms of income.Remote workers working from their home networks may present additional vulnerabilities when using devices on less secure home networks.
As more people use encrypted-messaging applications, attackers will devise new phishing attacks to attack those platforms, as they did on WhatsApp in 2021.
The effects of these attacks do not stop at the level of the individual either. Such was the case with the Colonial Pipeline Ransomware incident in 2021 and the Twitter Bitcoin scam in 2020, where initial social engineering attacks at the individual level led to much larger events. In the case of the Colonial Pipeline incident, critical energy infrastructure was targeted and led to panic and hoarding of gasoline in the areas most affected and a $5 million payout by the company to the Russian-based hacking group responsible for the ransomware attack. With the relatively low cost of these attacks, high payout, and increased competition in cyberspace between state actors and non-state actors, Overwatch determines this type of progression from individual social engineering scams to larger-scale cyber-attacks will become more common.
Individuals who don’t practice healthy digital identity management will likely find themselves more susceptible to a social engineering attack like phishing in 2022. These attacks may have repercussions beyond themselves. Attackers will continue to exploit data broker websites, which list people’s personal information, including first and last name, address history, phone numbers, emails, relationships/associates, and use that data for a social engineering attack.
What EAG Can Do for You
At Echo Analytics Group, we teach our clients how to protect themselves digitally, mitigating the level of risk of becoming a victim of a phishing attack or identity theft crime. We review your digital footprint and online vulnerabilities for this process. This review will also provide much information on better protecting yourself and practicing healthier digital footprint management.
In addition, Echo Academy, our training division, which has trained thousands of professionals on OSINT, can teach you how to better protect yourself digitally in a virtual or classroom setting.
Ensuring you and your employees have the necessary training and support will be vital as the rate and magnitude of cyber-attacks increase in 2022 and beyond.
Ask us more about our services today.