Eight out of ten fraudulent emails are phishing emails, according to the 2023 BSI report. Many fraudsters pretend to be financial service providers or support charitable programs.
The current BSI situation report on IT security in Germany has once again made waves. The BSI reports, among other things, 250,000 new variants of malware, 21,000 systems infected with malware every day and 70 new security gaps per day.
Crisis situations as a hook for phishing emails
Phishing also continues to play a major role in the cybersecurity mix. Specifically, according to the BSI, 84% of all fraudulent emails are so-called phishing emails. Criminals usually use them to obtain identity or authentication data, which they then use to launch further attacks.
Over the past 12 months, the BSI has reported many phishing attempts in the area of financial phishing, in which fraudsters pretend to be banks or financial service providers. Another driver for the growing number of phishing attempts was social crisis situations, which were used as a starting point for phishing emails. The crisis on the energy market was exploited particularly frequently. Attempts have also often been made to deceive email recipients in the name of charitable programs. The war in Ukraine and the earthquakes in Turkey and Syria were often used as an occasion for sending dangerous emails.
Source of danger AI
According to the BSI, the ongoing development of AI also acted as a turbocharger for phishing in 2023. Increasingly powerful AI language models are being misused to make phishing emails more authentic and therefore more convincing.
“We have seen the danger posed by phishing emails for years. With the ongoing energy debate, the war in Ukraine, the conflict between Israel and Hamas as well as the elections in the USA and the heated migration debate, there will also be many topics on the agenda in 2024 that are very suitable for phishing emails,” warns Sascha Spangenberg from Lookout. “Phishing is not only a problem for private digital identities, but also for companies and their employees’ accounts. Stolen employee credentials are one of the most effective ways for attackers to infiltrate a company's infrastructure. Once they have the credentials of one of the accounts in hand, it is much easier for them to bypass security measures and gain access to sensitive data.”
Mobile phishing: Every third device affected
In its Mobile Phishing Report, Lookout examined how attackers gain access and passwords in the corporate environment. This global study by Lookout found that the number of mobile phishing attacks in 2022 was higher than ever before, with one in three personal devices and one in three corporate devices exposed to at least one attack per quarter. This trend continued unbroken in the first quarter of 2023.
Hybrid work environments and bring-your-own-device (BYOD) policies could be two reasons for the increase, Lookout said. Companies have had to accept that personal mobile devices are increasingly being used for professional purposes. However, it is important to remember that any mobile device – personal or corporate, managed or unmanaged, iOS or Android – is vulnerable to phishing attempts.
How BYOD has changed the phishing landscape
Smartphones and tablets have made it easier for employees to be productive from anywhere, but they've also brought new challenges for IT and security teams. BYOD policies mean more people than ever are using their personal devices for work. This means that the risks they face when using these devices for personal reasons also pose risks for the company. IT and security teams also have significantly less visibility into these devices than corporate-owned devices, meaning it's harder to control these heightened risks.
These factors mean that attackers are now targeting users' personal devices to penetrate corporate environments. An employee can fall victim to a social engineering attack through private channels such as social media, WhatsApp or email. Once this has happened, attackers can gain access to their employer's networks or data. This is also not a one-time event, as data from Lookout shows that in 2022, more than 50 percent of personal devices were exposed to some type of mobile phishing attack at least once per quarter.
Millions are at stake
Data isn't the only thing companies risk when employees fall for a phishing scam. Lookout estimates that the maximum financial impact of a successful phishing attack has increased to almost $5.000 million for companies with XNUMX employees. Highly regulated industries such as insurance, banking and legal are considered the most lucrative markets and are particularly vulnerable to attacks due to the large amount of sensitive data they hold.
These high costs come at a time when phishing attacks are at an all-time high. Compared to 2020, the number of phishing attacks is now 10 percent higher on corporate devices and 20 percent higher on personal devices. Also, people are clicking on phishing links more often than they were in 2020, which could mean attackers are getting better at crafting authentic-looking messages. With more risk and more money at stake than ever before, organizations must adapt their security strategies to protect their data.
Protect data against mobile phishing attacks
The mobile phishing landscape is more treacherous than ever, especially as remote working increases. IT and security teams must employ strategies that enable them to visualize, detect, and mitigate the data risks posed by phishing attacks across all employee devices. This applies regardless of whether the devices are company-owned or private. With the right strategy, based on the Zero Trust principle and SASE (Secure Access Service Edge), it is possible to make the hybrid working world secure.
“On-device and AI-powered phishing detection via a cloud-based security platform makes it possible to stop attacks where they start. A security solution like this prevents users from connecting to phishing websites on both corporate and personal devices,” said Sascha Spangenberg, Global MSSP Solutions Architect at Lookout. “Such a solution detects and blocks phishing attacks via any mobile app and prevents employees from revealing credentials or downloading malicious software. Protection against mobile phishing threats must be a priority if hybrid working is a reality.”
More at Lookout.com
About Lookout
Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.