The past 12 months have seen phishing attacks rise 29% globally to reach a new record of 873.9M attacks, with the largest increase, over 400%, in the retail and wholesale industries, according to the 2022 ThreatLabz Phishing Report by Zscaler.
One of the reasons this type of attack grows in prevalence every year is its low barrier to entry. The report also notes a growing reliance on phishing-as-a-service offerings, and new attack vectors such as SMS phishing are becoming some of the more prevalent methods of intrusion.
According to N26’s Lead Trust & Safety Analyst, Kyle Ferdolage, phishing “requires very little fraudster know-how and even the most basic or easy-to-spot schemes continue to net results, which makes these very attractive to the fraudsters.”
Kyle added that this trend is “unlikely to slow down unless the general public can better identify phishing attacks or we reach a point where the risk of getting caught defrauding people outweighs the reward the activity brings.”
This is why N26 claims it is “dedicated to raising awareness of threats and regularly sharing tips and tricks on how to spot potential scams, encouraging customers to remain vigilant.”
At N26, they are reportedly focused on continuously optimizing their security measures to “ensure that we are always one step ahead of potential fraudsters, while also working closely with the police, regulators and other banks to report fraudulent activity.”
We recently connected with Kyle Ferdolage to discuss these developments. Our conversation is shared below.
Crowdfund Insider: Last year saw a dramatic increase in phishing attacks at a global scale. What would you say has driven this?
Kyle Ferdolage: Phishing requires very little fraudster know-how, with even the most basic or easy-to-spot schemes continuing to net results. In fact, despite being one of the longest-running Internet scams and seeming more like a punchline than a threat today, the classic “Nigerian Prince” email scam still makes fraudsters a profit, reaching as much as $700,000 in the US in 2019.
Scams like this have adapted and become more sophisticated over the years, and we now see ‘fraud as a service’ style ‘phish-kits’ where a bad actor with a list of potential targets can easily obtain the means to push out a much more legitimate-looking scam en masse for little investment. These innovations, combined with a pandemic-accelerated push to move more of our everyday lives online, have helped to create a bustling environment for bad actors to run their scams.
Crowdfund Insider: How do fraudsters choose their victims? What are specific traits they look for in potential targets?
Kyle Ferdolage: Most scammers won’t bother to do much in the way of ‘research’ and instead target large groups via a ‘spray and pray’ style attack. This approach is used generally and can be applied both to the general public and to organizations. This is especially relevant given the prevalence of data breaches over the last few years, which have further simplified this style of attack, thus expanding its reach.
In the case of using a “spray and pray” approach to target an organization, it is common for bad actors to go after companies that have lists of employees and their contact points published and/or use easily identifiable methods to generate their employee credentials. On those occasions, it is likely for an attacker to target the organization as a whole, increasing the possibility of an employee falling victim to a phishing attack.
However, some bad actors might go that extra mile and initiate social media searches to try and understand their target’s identity, looking into where one might have a weakness they can exploit, or how much wealth someone may have. Tailoring attacks to a specific target is called “spear phishing” and tends to require more time and research, but it often opens up more opportunities for the attacker to make a larger profit.
Those most likely to fall for phishing attacks include people who are less technology-savvy and more likely to click into malicious content without knowing how to spot a potential scam. Age range, education level, and an individual’s locality or the area where they were raised can all provide an idea of how tech-savvy someone may be. People with an extensive social media presence, who are easily researchable by a bad actor, are also likely targets.
Crowdfund Insider: Even though more awareness is being brought to the subject, is it likely for the increase in phishing attacks to continue?
Kyle Ferdolage: Fraudsters know that they can make easy money without requiring a large investment on their end. With the recent advent of fraud as a service, bad actors running a campaign likely have resources similar to those of the companies they are targeting or the cyber security groups working against them.
This entails having access to almost everything needed to scam someone without the need for a notable investment – from the likes of phish kits, potential target lists, or call centers to social engineer people that have been baited. The use of typical CRMs with mass mail tools and dashboards makes fraud as a service function almost like any other customer-driven business. The common availability of these resources allows fraudsters to rapidly scale a smaller attack that is deemed successful.
To top that off, it is all too rare that bad actors are caught or held accountable by law enforcement. Until this stops being profitable and we reach a point where the risk of getting caught defrauding people via these means outweighs the reward the activity brings, we’ll continue to see people preyed on in this manner.
Crowdfund Insider: What can companies do to curb, or better yet, halt the boom in phishing attacks?
Kyle Ferdolage: Just like the rest of us, fraudsters are in the business to net a profit. As long as there are people falling for these scams, fraudsters will continue to benefit from them. There are two ways companies can help in slowing down the spread and impact of phishing attacks on the general public.
The first one involves a holistic and continuous approach in leading customer education on the most common and evolving fraud techniques. Ensuring that potential targets can identify scams and are regularly informed of new methods is crucial to curbing the reach and success of phishing attacks. Regardless of companies’ efforts to be one step ahead in detecting issues and communicating those to customers, if a user is convinced to willingly provide the keys to their account, there is little a company can do to prevent an attacker from victimizing the account. This highlights the double-sided effort necessary to curb the impacts of phishing – the company’s consistent user education, as well as vigilance on the side of the customer.
Meanwhile, the second factor in minimizing the presence of phishing in society is making the risk outweigh the reward. Ensuring that fraudulent cases are quickly brought to the attention of law enforcement can help the authorities to more easily identify bad actors and take action. Companies can take the initiative to provide updated information to the general public on ways to reach the relevant law enforcement institutions to ensure that communication of phishing schemes reaches the right receivers.
Crowdfund Insider: What are some ways that companies can educate customers to spot potential phishing attacks more easily?
Kyle Ferdolage: Ensuring that information about typical scams and how to spot them is spread widely is a great preventative measure. People need to be equipped with the understanding that many of the tactics used by scammers will simply not happen in a legitimate arena. An example of this is phone calls from banks or law enforcement institutions (Interpol has been trending in Germany, IRS phone calls have been trending in the US) about fines someone owes.
It’s key to remind customers that these institutions will only initiate contact via official means – paperwork would be expected, not a phone call pressuring someone into acting without proof of an issue. Companies can urge the general public to contact the institution directly via a listed point of contact in case they believe an issue might be legitimate. An example of educational material from N26 that helps to educate on identifying phishing scams can be found here.
Another way to educate the general public to be more cautious of phishing attacks is by teaching good internet hygiene. This entails encouraging people not to reuse passwords across multiple websites or services and to always opt into multi-factor authentication (MFA) if it’s offered on a particular account. For instance, at N26, MFA is required by default for all users. Lastly, companies should instill in users a sense of skepticism about what they are asked to do via email, text message or phone call. As a rule of thumb, if anything seems unusual, out of place or too good to be true, it probably is.
Crowdfund Insider: Alternatively, how can organizations ensure that their employees remain vigilant regarding phishing attacks?
Kyle Ferdolage: Similarly to the efforts necessary to continuously educate the general public on how to spot potential phishing, organizations need to provide employee resources and raise awareness on a frequent basis. Organizations should ensure that all employees take part in security training at a regular cadence and strive to have an ingrained security-first culture as well as mechanisms to allow staff to report potential issues.
Organizations can also run phishing exercises to gauge employee knowledge. In those cases, the company’s security team sends a ‘phishing issue’ directly and uses this to measure employee knowledge, thus gaining a better understanding of what training may be required.
Furthermore, companies can also ensure they are using a competent email system that allows for spam/phishing filtering and easy reporting to flag potential risks.
Crowdfund Insider: What is the role of law enforcement institutions in preventing phishing attacks from happening? What are ways that the general public or organizations can support them in curbing the spread of scams for fraudsters?
Kyle Ferdolage: Law enforcement and government institutions can play a critical role in minimizing the impact of phishing. Law enforcement generally has a larger reach and a better ability to broadcast the risks associated with phishing and educate the general public on best practices for protection.
On the flip side, the general public can help law enforcement institutions by reporting anything suspicious immediately. Both directly reporting fraudulent activity to the relevant authority and reporting it to the company being impersonated are steps that people can take when they notice something suspicious or become a victim of a phishing attack.
Email or mobile phone providers further allow users to report an email or a phone number as scam or phishing, helping the internet as a whole become a safer place and potentially preventing others from being defrauded by the same bad actor. Lastly, there are various cyber security companies with which anyone can share phishing attacks or attempts for action and analysis, and to raise awareness.