[Figure: Phishing example when stealing password and user name]

A deep dive into Europe's biggest cyber threat

Even the most common dangers — the sort we think we know — can grow new teeth. That’s one of the many revelations within the European Union Agency for Cybersecurity’s (ENISA) Threat Landscape 2022 Report. Published last November, it considers the main risks to organizations within and beyond the EU, declaring that phishing “is once again the most common vector for initial access” to sensitive data. 

So, what’s new this time around? Well, aside from increasing malware and supply chain attacks, phishing is becoming harder to spot and prevent. Russia’s war in Ukraine, for instance, is being exploited just like the COVID-19 pandemic. Hackers are sending emails requesting humanitarian donations that lead employees to malicious websites or download links. Meanwhile, “consent phishing” — whereby users hand over their login credentials without realizing it — is rising. More advanced, targeted phishing assaults are blowing holes in companies with ties to Europe and global supply networks. 

The ENISA report reminds us that staying safe means staying on your toes. Even if you have a strong, comprehensive security culture that teaches people what to look for, it may not be enough anymore. Instead, consider the technology you’re using every day. 

You might consider yourself safe because you're using two-factor authentication and because you’re told that’s all that counts. The truth is, 2FA doesn’t protect you from phishing. We’ve designed a solution to counter phishing before it ever fools someone into handing over their password. Mistaken identity won’t matter, because there’s nothing to steal. 

Phishing: The hook and bait for compromised credentials

You might be new to this and wondering how hackers can reel you in. So, first, let’s explain what phishing is. 

Basically, phishing is performed over email or chat. It imitates a person or organization you trust, sending a message that asks you to perform an action that, without your realizing it, compromises your data and network. This tends to involve: 

  • Asking directly for financial details or user credentials — for example, to “restore” an account that has been locked. 
  • Prompting the user to download an attachment with a hidden virus (under the guise of someone they know). 
  • Taking the user to a website (often posing as a trusted domain) where malware begins to spread through the network gateway, finds files and encrypts them. 

Just a single successful phishing attempt can open a crack in your security architecture, giving an attacker the access they’re searching for. From there, they can escalate and grab all the data on your network, sometimes lingering for weeks or months. If your colleagues and partners use the same passwords for multiple platforms, then you’re exposing more of these datasets to a break-in. 

Phishers use a range of tactics to hook a target. There’s the “spray and pray” strategy, which opts for quick messages to thousands of people. However, that’s now being superseded by “spear phishing”: a patient, personalized technique that uses names, company content, and authentic-looking logos and websites to convince users that the message is legitimate. Execs aren’t safe either. “Whaling” focuses on high-profile stakeholders, occasionally making the attempt more convincing with phone calls and live text chats. 

Whether phishing occurs via email, SMS or phone conversations is irrelevant, though. You’re never totally sure that an employee, freelancer, customer or partner — anyone with network access — can tell whether they’re being phished or not. 

What do recent attacks look like?

When phishing finds a way into protected accounts, it can be devastating. And, it’s more common than you might assume. The APWG’s Phishing Trends Activity Report tells us that organizations in the EU faced more than a million phishing attacks in the first three months of 2022. And, these are just the attempts we know about. Most companies want to downplay the risk, especially if a hacker has managed to infiltrate their system. There are doubtless many more phishing incidents concealed in the shadows. 

However, here are some major cases we are aware of:

The Chase Bank scam 

In Spring 2022, Chase customers received a message telling them about “suspicious activities” in their accounts. Following the link led to a proxy website and instructions to enter their Chase usernames and passwords. Despite a red flag in the initial message, Mailguard states that “the data requested in this phishing scam [was] scarily in-depth,” opening access to personal financial accounts as well as user email controls.  

China versus Belgium 

Some attacks are incredibly personal. Samuel Cogolati, a Belgian MP, wrote a statement in 2021 that criticized the Chinese government's treatment of Uyghur Muslims. Swiftly, he became the target of alleged state-sponsored spear phishing. According to the Financial Times, Cogolati opened an email from a fake news organization that sought to give him more information on human rights abuses. In reality, the message tried to install a tracking pixel on his browser, setting up additional emails with dangerous links and attachments. 

Yahoo imitations 

Check Point Research (as quoted by Intelligent CIO Europe) found that Yahoo, one of the most popular search engines after Google, was “the most impersonated brand for phishing attacks during Q4 of 2022, climbing 23 places and accounting for 20% of all attempts.” Cybercriminals typically posed as Yahoo employees handing out awards or prize money. 

Passwordless access keeps phishers locked out

As attackers sharpen their hooks into your business, what’s the best method for remaining as safe as you can online? Easy — ensure that passwords aren’t leaked or make them useless without another reliable authentication factor. 

Almefy uses identity-based encryption (IBE) to confirm someone is who they say they are. Rather than settling for login credentials and one-time passwords (OTPs), we make your user’s device the computerized access token, which means they use, for example, their smartphone to authenticate their identity. Anyone on your network can just open the Almefy app, scan a QR code and gain entry. No passwords required. And yet, you’ll always know that each and every user has been authenticated.

You can, of course, use Almefy to replace passwords and usernames completely and achieve a true one-step two-factor authentication. But even then, you’re still relying on matching that user with their device for final approval. Phishers can’t overcome this barrier. You also have complete control over your accounts at any time. Need to block a user or reduce the time in which a login lasts? Head to the Almefy HUB to manage access rights and make tweaks to your settings.
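To show why a one-time code does not survive a look-alike site that forwards what the user types, while a device-bound challenge signed together with the site origin does, here is a small Python simulation added for this article. It is not Almefy's protocol or code: binding the origin into the signed message is the approach FIDO2/WebAuthn takes, HMAC with a constructed shared key stands in for the device's signature, and every origin, secret, password and the fixed clock value is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the illustration (not real sites, keys or accounts).
LEGIT_ORIGIN, LOOKALIKE_ORIGIN = "https://bank.example", "https://bank-login.example"
PASSWORD, OTP_SECRET, DEVICE_KEY = "correct horse", b"otp-seed", b"device-key"
NOW = 1_700_000_000.0  # fixed clock so both sides of the OTP flow share one 30-second window

def totp(secret, now, step=30):
    """Minimal time-based one-time code: HMAC over the current time-step counter."""
    digest = hmac.new(secret, int(now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-4:], 'big') % 1_000_000:06d}"

def sign_with_device(origin_shown, nonce):
    """The device signs the nonce together with the origin it actually observes."""
    tag = hmac.new(DEVICE_KEY, f"{origin_shown}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return origin_shown, tag  # HMAC stands in for a real device signature in this toy

class Server:
    """Relying party that accepts either password + OTP or a device-signed challenge."""
    def __init__(self, origin):
        self.origin, self.pending = origin, set()
        self.pw_hash = hashlib.sha256(PASSWORD.encode()).digest()  # toy; use a real password hash
    def login_otp(self, password, code, now):
        pw_ok = hmac.compare_digest(hashlib.sha256(password.encode()).digest(), self.pw_hash)
        return pw_ok and hmac.compare_digest(code, totp(OTP_SECRET, now))
    def issue_challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce
    def login_device(self, nonce, signed_origin, tag):
        try:
            self.pending.remove(nonce)     # single use; KeyError if unknown or already consumed
        except KeyError:
            return False
        if signed_origin != self.origin:   # signed for some other site: a relayed challenge
            return False
        return hmac.compare_digest(tag, sign_with_device(signed_origin, nonce)[1])

def otp_relay_outcome(now=NOW):
    """Victim enters password + current code on the look-alike site; it is forwarded unchanged."""
    server = Server(LEGIT_ORIGIN)
    forwarded = (PASSWORD, totp(OTP_SECRET, now))  # exactly what the look-alike site received
    return server.login_otp(*forwarded, now)       # True: the code is still inside its window

def device_login_outcome(origin_user_sees):
    """Device flow: a look-alike site can forward a genuine nonce but cannot change what gets signed."""
    server = Server(LEGIT_ORIGIN)
    nonce = server.issue_challenge()
    return server.login_device(nonce, *sign_with_device(origin_user_sees, nonce))
```

The forwarded password and code are accepted because nothing ties them to the site the user was looking at; the device response is rejected because the origin it was signed for is part of what the server checks, and the nonce is consumed either way.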

We’re thrilled to bring this truly phishing-resistant MFA technology to the EU and the rest of the world, stopping password phishing for good. Almefy has been designed for websites, e-commerce, financial admin and custom developments, too, so you’re ready to take our innovation wherever it’ll serve your stakeholders best. Try it today.