One thing has always been the same in phishing attacks: social engineering, such as luring people into clicking on a link and providing information so it can be captured and sent off to a drop zone.
MacEwan University in Edmonton was the victim of a phishing attack that resulted in the loss of $11.8 million. Whether it’s an educational institution, a Fortune 500 company or a small business with a digital payment site, their brand, customers and employees are targets for phishing.
Phishing actors adjust the same way a security analysts would so it's it like a constant game of chess, except they have more pieces and always on the offensive.
They also evolve to keep up with the changes happening in everyday life. How we work and communicate, and the channels on which we do so, are always changing—as are the way we use sensitive personal and financial data.
Phishing has spread beyond the inbox to mobile apps, social media, and instant messaging platforms (basically, anything that connects people) and replicate exactly the apps we trust with sensitive data every day to fool people.
Security technology is evolving alongside to detect phishing, but threat actors are always adapting. They notice patterns by anti-phishing groups and alter code and use redirects to bypass the detection logic of these systems to continue to deliver their phishing payloads.
The skill level of phishers varies. Some simply find phishing kits online and alter a little code. However, others target businesses with highly sophisticated business email compromise (BEC) or spearphishing campaigns. These campaigns replicate apps used by these companies in their day to day operations, or spoof the email addresses of employees to trick employees into divulging highly sensitive and confidential information.
These attacks go after who are the traditionally less security savvy folks in HR and finance departments. These people must be alerted to the dangers of phishing, and make sure they are verifying the authenticity of every single email asking for sensitive information—that means researching the purported company online and picking up the phone and calling if necessary.
Meanwhile, anti-phishing solutions assist in identifying determining commonly viewed phishing threats, even how they evolve. These solutions can then automatically alert the browsing companies to block the threat and adding it to their blacklist.