5 of the Top Phishing Trends in 2022
Cyber and information security is a continually evolving field. As security professionals improve and fortify defences, cyber criminals and hackers are in turn forced to find new ways to exploit systems.
This ongoing game of cat and mouse means that every year we see new information security developments. From the standardisation of multi-factor authentication to the proliferation of sophisticated new ransomware, these trends have a big impact on those within the field.
Phishing, being no exception, has also seen its fair share of changes in terms of both refinement and general tactics. With that being said, here are the top 5 phishing trends that you should be aware of in 2022.
Phishing Attacks Triple
The Anti-Phishing Working Group (APWG) has seen the number of phishing attacks more than triple since early 2020, from between 68,000 and 94,000 attacks per month to a first-quarter 2022 average of 341,000.
Representing a worsening threat landscape, further research by the UK government indicates that of those businesses which report having cyber security breaches or attacks in the last year, 83% have been subject to phishing attacks.
Most frequent amongst medium to large businesses and high-income charities, phishing is approximately three times as common as the second most common threat of impersonation (of those identifying attacks, ~27% report impersonation).
Although these statistics alone do paint quite a bleak picture, it is important to bear in mind that, despite the overall rise in frequency, organisations can still have a significant impact on mitigating the risks associated with this threat.
Less Than 20% of Businesses Test Staff
Despite the rising frequency, sophistication, and costs associated with phishing attacks, research shows that only 19% of businesses (and only 15% of charities) are testing the cyber security skills of staff with exercises such as simulated phishing campaigns.
Representing a 1% fall for businesses and a 1% rise for charities (20% and 14% in 2021), the overall proportion of organisations offering some level of engagement and training is thankfully higher (29% and 25% respectively), though things are still a long way from ideal.
Although these rates do vary with respect to the size of organisations, it is not unreasonable to ask why so many organisations are failing to adequately equip their staff with the skills necessary to mitigate phishing attacks, especially considering the known effectiveness of anti-phishing training (including simulated phishing campaigns).
As the Cyber Security Breaches Survey accurately points out, "staff vigilance is essential to protect against the threat of phishing attacks", and we at Hut Six recognise simulated phishing campaigns as part of an effective information security strategy.
Financial Organisations Targeted Most
It comes as no surprise that cyber criminals and hackers have preferences when it comes to targeting industries. Considering that the majority of attacks are financially motivated, it logically follows that financial organisations find themselves dealing with a disproportionate number of phishing attacks.
In research again conducted by the APWG, it was found that in the first quarter of 2022 the financial sector, which includes banks, received the most attacks of any sector examined.
Accounting for 23.6% of all phishing instances, the financial services industry saw a 35% increase in the number of attacks during the first three months of 2022, a period which ranks as the worst quarter for phishing ever seen, with APWG observing over one million total attacks (1,025,968).
Phishing Enabled Ransomware Keeps Growing
In 2022, it is uncontroversial to assert that ransomware is increasingly a global concern for organisations and information security professionals alike.
In the first four months of last year, the UK's National Cyber Security Centre (NCSC) dealt with the same number of ransomware incidents as in the whole of the preceding year, which was itself over three times greater than the year before that.
It is estimated that the vast majority (in some cases, over 90%) of ransomware attacks are enabled by phishing emails. Acting as a delivery mechanism for the malware, phishing emails trick users into either opening malicious attachments or following links to compromising websites.
With the average cost of a ransomware attack (not including any ransom paid) around 4.5 million USD, the role phishing attacks play in this highly damaging form of security threat should not be overlooked.
By failing to adequately deal with the problem of users not identifying malicious phishing emails, organisations remain vulnerable to the growing risk of ransomware and an additional host of associated security threats.
LinkedIn Phishing Most Clicked
A common tactic of social engineers is to impersonate a trusted party. As the largest professional networking platform, and with over 750 million users, LinkedIn is a recognisable name which phishers know they can exploit.
In fascinating research conducted by Bulletproof, it was discovered that "LinkedIn-related phishing emails [are] the top clicked-on social media mail (42%), ahead of the likes of Facebook (20%) and Twitter (9%)."
With attackers reportedly targeting recent employees (usually within a month of changing their job status on LinkedIn) with emails designed to appear to have originated from a member of C-level personnel, targets of these sophisticated phishing campaigns were generally instructed to either purchase "gift vouchers or call a given phone number to discuss an urgent requirement."
Perfectly representing the increased sophistication with which cyber criminals are designing their attacks, this trend is also emblematic of why it is no longer possible for organisations to be apathetic to the risk of phishing attacks.
Security Awareness for your Organisation
Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.