According to the 2022 X-Force Threat Intelligence Index, phishing was the most common way that cyber criminals got inside an organization. Typically, they do so to launch a much larger attack such as ransomware. The Index also found that phishing was used in 41% of the attacks that X-Force remediated in 2021. That’s a 33% increase from 2021.
One of the biggest reasons threat actors are increasing phishing attacks is that all it takes is one employee to make a split-second mistake to cause major business and reputation loss. Cybersecurity workers must continually stay on top of new phishing trends. That way, they can use the right technology to help prevent the right types of attacks. Most importantly, they need to focus on training employees on how to spot and prevent attacks.
Here are five phishing trends that your organization is likely to see in 2022:
You likely think of spam calls as just annoying. But that’s why vishing, or voice phishing, is on the rise. Cybersecurity training stresses not to click on links. However, many users do not realize that spam phone calls may actually be the start of a cybersecurity attack. In a vishing call, the person on the other end of a VoIP phone typically impersonates a legitimate organization, such as the IRS or a bank. From there, they ask the person who answered to visit a website. The attacker then uses the information entered into the website to launch a cyber attack. Common vishing scams include imposters (meaning the caller pretends to be someone else), debt relief scams and charity scams.
Vishing became such an issue in 2021 that the FBI even issued an alert. Proofpoint’s State of the Phish report found that 69% of organizations were targeted by a vishing attack. That’s an increase of 54% from 2020. Most concerning is that the X-Force index found that vishing attacks were three times more effective than a classic phishing scheme. Because the attack starts with the phone, using cybersecurity applications to stop the attack is challenging.
Train your employees about the rise of vishing and how to spot a vishing attack. Many vishing attacks are successful because employees don’t recognize this tactic as a potential cybersecurity attack. Stress to employees that they should never visit a website given to them over the phone. Keep employees updated on current vishing scams to help them more accurately spot threats.
If you receive an email from a bank that you’ve never used before, then it’s very likely that you will recognize it’s a phishing email and hit delete. But if you get an email from your own bank, you are much more likely to fall for the scam. The difference is the first type of attack was a general phishing attack. The second is referred to as spear phishing, which is an attack targeted at specific people.
A 2021 FireEye report found that spear phishing recipients were 10 times more likely to click on the link than general phishing email recipients. Not surprisingly, spear phishing is on the rise. Proofpoint found that 79% of organizations were targets of spear phishing attacks. That’s an increase of 66% from 2020, which is a very concerning increase.
The IBM Threat Index found that the brands most imitated by threat actors were large and trusted companies. Attackers might pretend to be from Microsoft, Apple or Google. In addition, these types of attacks work as spear phishing since most consumers do business in some shape or form with these companies. Train employees to carefully look at logos and check email addresses. Often phishing attacks use an email that looks official at first glance. After close investigation, you’ll be able to see it is phony, such as Apple99991@gmail.com. You can also reduce the likelihood of a spear phishing attack gaining control of an employee’s access by installing multi-factor authentication on all employee accounts.
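The address check described above can also run as a mail-filter heuristic. This is an added example, not code from the article; the brand-to-domain allowlist, the look-alike character map and the sample headers in the comments are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed allowlist: the brands named in the article, mapped to the
# domains this example treats as legitimate senders for each brand.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "google": {"google.com"},
}

# Digits commonly swapped for letters in look-alike names (assumed map).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(text: str) -> str:
    """Lower-case and undo digit-for-letter swaps before matching."""
    return text.lower().translate(LOOKALIKES)


def _domain_allowed(domain: str, allowed: set) -> bool:
    """True for an allowed domain or any subdomain of it."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_sender(from_header: str) -> list:
    """Return [(brand, [parts that claim the brand])] for a From header.

    A finding means the display name, local part or domain mentions a
    brand while the sending domain is not one of that brand's domains.
    The substring match is deliberately broad: treat a hit as a reason
    to review the message, not as a verdict.
    """
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    parts = (("display name", display), ("local part", local), ("domain", domain))

    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if _domain_allowed(domain, allowed):
            continue  # genuinely sent from the brand's own domain
        claimed_in = [name for name, text in parts if brand in _normalize(text)]
        if claimed_in:
            findings.append((brand, claimed_in))
    return findings


if __name__ == "__main__":
    # Constructed sample headers, including the address quoted in the text.
    samples = [
        "Apple Support <Apple99991@gmail.com>",
        '"Microsoft account team" <security@micros0ft-account.test>',
        "Google <no-reply@accounts.google.com>",
        "Dana <dana@example.org>",
    ]
    for header in samples:
        print(header, "->", check_sender(header) or "no brand mismatch")
```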
Smishing is when threat actors target someone over SMS texting. One of the reasons that this type of attack is even more effective is many people do not have cybersecurity software on their phones. The same attack might get blocked on their laptop. Many people are not as aware of smishing. Therefore, they may be more vulnerable to falling prey over text than email. Proofpoint found that 74% of organizations faced smishing attacks in 2021, which is an increase of 13% from 2020.
Many people began using food delivery and meal kits during the pandemic. So, cyber criminals began creating smishing schemes mentioning these services. Other common schemes include upcoming package deliveries and giveaways.
Start by updating your cybersecurity training to include smishing. Surprisingly, Proofpoint found that only 26% of organizations included smishing in cybersecurity training. You should also let employees know what type of legitimate SMS messages they may receive from your organization. That way, they know what to expect from their commonly used work systems. As new smishing schemes emerge, keep employees updated on new types of text messages to watch out for.
Attackers are increasingly turning to social media for their phishing attacks. Proofpoint found that 74% of organizations were targeted by social media phishing attacks. That’s an increase of 13% from 2020. Many people are suspicious of blatant phishing attacks on social media, such as a stranger messaging you through a private message on social media with a link to click. But other schemes are harder to spot. Attackers often take over accounts and then target their friends with phishing attacks. Other schemes include social media quizzes that get users to enter information that can then be used for social engineering accounts. Threat actors also create clone accounts of real companies to get people to click on malicious links thinking they are trustworthy.
With employees using personal devices for work with increased remote and hybrid work, social media phishing attacks are likely to continue to pose a big risk. You should include a section in your cybersecurity training on social media phishing and keep employees updated on new types of schemes. Require that any personal devices that employees use for work have the latest patches and company-approved cybersecurity technology installed.
Phishing is expected to remain a top threat as attackers get more creative in their social engineering and targeting techniques. By staying on top of the latest phishing schemes, you keep your employees up to date, too. If employees know that the latest trend is to impersonate a specific company or type of email, then they are going to be more aware and suspicious when that message lands in their social media account, email, text or even at the other end of a phone call.
Security Intelligence, April 28, 2022
Multi-factor authentication (MFA) solutions are not new to data security. Already decades in use, MFA adoption became more commonplace post-pandemic thanks to remote work conditions. While companies like Google and Microsoft have claimed that MFA blocks all but .01% of account abuse attacks, the sad truth is that MFA is far from perfect, and attacks are on the rise.
Verizon research pegs 82% of all cyberattacks on human error (stolen credentials, phishing, misuse). Attackers need some level of human involvement to circumvent MFA controls. Phishing and social engineering tactics help distract users while different techniques are employed to hack MFA defenses.
MFA only makes sense if it is resilient against bypassing and hacking; otherwise, why would anyone enable MFA to only get mildly better protection? Here are three best practices that can help.
1. Deploy phishing-resistant MFA if possible.
The U.S. government has been mandating all federal agencies to use “phishing-resistant” MFA. This means organizations must steer clear of any MFA technology that can easily be phished (such as one-time passcodes, SMS text messages, dynamic codes and push notifications). The strongest forms of MFA are based on the FIDO2 framework that allows users to unlock access to resources using fingerprint readers, cameras and other device-level/hardware security checks on their devices. Since credentials don’t leave a user’s device and are not stored anywhere, it eliminates the risk of phishing and credential theft.
2. Make existing phishable MFA solutions less phishable.
There are a number of things organizations can do to make their current MFA less phishable. This includes adding more information and context to user logins since most MFA solutions oversimplify (via simple allow/reject buttons) instead of displaying more context so that users can be more assured of what they are logging into. This can include things like device name, global ID and device location. MFA solutions must also be tied to specific URLs, devices and hosts, so if a MitM attack is involved, the solution will not allow access to the resource.
Additionally, ensure MFA is built using NIST-approved (or FIPS-validated) cryptography. These are time-tested, publicly reviewed protocols; there is no need for people to invent their own cryptography. Further, stop allowing an easy reset of credentials when MFA is not working—the recovery and bypass process must instead be rigorous. Finally, ensure that anything like a session cookie, security token or a seed value expires in less than 24 hours.
3. Improve security awareness around MFA.
The core foundation of any security strategy is mitigating the root causes of threats. For example, ransomware is not the problem; more worrisome is how ransomware got in. Similarly, in the case of MFA attacks, phishing is the key root cause that needs to be addressed. No matter how strong your MFA solution is, all stakeholders must understand the strengths and weaknesses of MFA and how hackers exploit users to bypass MFA defenses. Employees must be trained to spot and report unusual activity; they must especially be careful with push notifications and login attempts they’re not directly involved with. Additionally, they should use unique, 20-character passwords to avoid credential theft.
Always opt for a defense-in-depth approach. Eliminate the risks associated with standard MFA by deploying one based on FIDO2. Ensure employees are awareness-trained to identify a cyber threat masquerading as an MFA request.
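Practices 1 and 2 above come down to two server-side checks: the login response must be bound to the origin the user's browser was really on, and the resulting session must expire in under 24 hours. The sketch below is an added example, not code from the article or from any MFA product; HMAC-SHA256 with a per-device key stands in for the public-key signature a FIDO2 authenticator would produce, and the origin, device names and lifetimes are assumptions.

```python
import hashlib
import hmac
import json
import secrets

EXPECTED_ORIGIN = "https://sso.example.com"  # constructed relying-party origin
CHALLENGE_TTL = 120                          # seconds a login challenge stays valid (assumed)
SESSION_TTL = 8 * 3600                       # assumed policy, under the 24-hour limit


def _mac(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_challenge(now: int) -> dict:
    """Server side: a fresh random challenge for one login attempt."""
    return {"nonce": secrets.token_hex(16), "issued": now}


def authenticator_sign(device_key: bytes, device_id: str,
                       challenge: dict, origin_seen: str) -> dict:
    """Client side: sign the challenge together with the origin the
    browser is actually on, so a look-alike site cannot hide itself."""
    payload = {"nonce": challenge["nonce"], "origin": origin_seen,
               "device": device_id}
    return {**payload, "mac": _mac(device_key, payload)}


def verify_assertion(registered: dict, challenge: dict,
                     assertion: dict, now: int):
    """Server side: return (session, reason); session is None on rejection."""
    key = registered.get(assertion.get("device"))
    if key is None:
        return None, "unknown device"
    payload = {k: assertion.get(k) for k in ("nonce", "origin", "device")}
    if not hmac.compare_digest(_mac(key, payload), str(assertion.get("mac", ""))):
        return None, "bad signature"
    if assertion["nonce"] != challenge["nonce"]:
        return None, "wrong challenge"
    if not 0 <= now - challenge["issued"] <= CHALLENGE_TTL:
        return None, "stale challenge"
    if assertion["origin"] != EXPECTED_ORIGIN:
        # The user was on another site that relayed the login: refuse.
        return None, "origin mismatch"
    return {"device": assertion["device"], "expires": now + SESSION_TTL}, "ok"


def session_valid(session: dict, now: int) -> bool:
    """Sessions are honoured only until their fixed expiry time."""
    return now < session["expires"]


if __name__ == "__main__":
    now = 1_700_000_000                      # constructed timestamp
    key = secrets.token_bytes(32)
    registered = {"laptop-01": key}          # constructed device registry
    ch = new_challenge(now)
    direct = authenticator_sign(key, "laptop-01", ch, EXPECTED_ORIGIN)
    relayed = authenticator_sign(key, "laptop-01", ch, "https://sso-example.test")
    print(verify_assertion(registered, ch, direct, now + 5))
    print(verify_assertion(registered, ch, relayed, now + 5))
```

A relay that rewrites the origin field to the expected value fails the signature check instead, because the origin is part of what the device signed.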
Stu Sjouwerman
Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
Forbes, August 11, 2022
Netlok® has announced its patented Photolok™ technology, which replaces passwords with photos, has been selected as the 2018 winner of the Cyber Defense 2018 Global Awards in the category of Most Innovative Multi, Single and Two Factor Authentication.
The industry competition honors the top companies, technologies and products in the world for online security, with particular emphasis on solutions for preventing hacking and other cyber threats. Photolok is Netlok’s groundbreaking product, which protects the online entry point (login) from Internet and Intranet cyber disruptions, or attacks, using proprietary-coded photos that make logging in substantially more secure and easier to use than passwords.
“We are thrilled to receive this award for our Photolok authentication system because there is nothing like it on the market today that prevents unauthorized access to your computer and mobile devices,” said Tony Perez, CEO at Netlok. “The escalation of cybercrime demands that new solutions be found and Netlok is committed to protecting online privacy by shutting down the entry points for hackers.”
Photolok employs a unique approach to secure authentication: Photolok’s image-based technology enables the user to have a positive emotional connection to his/her security login through the use of personal photos or photos that represent the user’s passions or interests – making them easier to remember than passwords. More importantly, photos are more secure than passwords, thanks to Netlok’s application of unique, proprietary coding to each user photo.
Photolok also offers situational security for instances where the user is working online in high-risk environments, such as airports or coffee shops, where the potential for hacking is greater. The user can designate a personal photo, or Netlok-provided photo, as a “single use” security login or “duress” security login in situations where the user’s immediate safety and security is at risk.
This is Cyber Defense Magazine’s sixth year of honoring cyber defense and information security innovators, spanning start-up and early stage companies to later stage and public entities. Nominations were judged by an independent panel of experts – CISSP, FMDHS and CEH certified security professionals – who voted based on their independent review of the company’s product for innovation and uniqueness, rather than number of customers or revenues. Netlok’s patented Photolok™ technology was a stand-out among those nominated in this category, because of its innovative use of photos in the authentication system, combined with a simple set-up process and its ease-of-use.
“Cyber Defense Magazine spent six months searching the globe to find the most innovative and cutting-edge cyber security companies for its Cyber Defense 2018 Global Awards,” said Gary S. Miliefsky, Publisher, Cyber Defense Magazine. “Netlok won this award for Most Innovative Multi, Single and Two Factor Authentication because it is an innovator on a mission to help stop breaches and get one step ahead of the next threat.”
Netlok® announced today that its patented Photolok™ technology, which replaces passwords with photos, has been selected as the 2018 winner in the category of Cybersecurity Authentication and Identity from Business Intelligence Group in its inaugural Fortress Cyber Security Awards. The industry competition honors the top companies, technologies and products in the online security space, with particular emphasis on solutions for preventing hacking and other cyber threats. Photolok is part of Netlok’s groundbreaking Netlokr® product, which integrates private messaging, confidential file sharing and protected data storage in one secure environment. 
“We are thrilled to be the first recipient of this award for our Photolok authentication system because there is nothing like it on the market today that truly protects the most common activities you do as a business or an individual online,” said Tony Perez, CEO at Netlok. “The escalation of cybercrime demands that new solutions be found and Netlok is committed to protecting online privacy by shutting down the entry points for hackers.”
Netlokr, featuring the Photolok authentication technology, pairs its patented photo-based login system with a cloud-based cybervault that operates in Netlok’s own proprietary eco-system, avoiding the vulnerable public pathways of the Internet. The system is designed to protect personal, business or client information and correspondence that are deemed highly confidential, sensitive or private. The Netlokr market includes individuals, groups and organizations, small and medium-sized businesses, large enterprises, government entities, celebrities and other high-profile individuals.
“According to recent reports, only 38 percent of global organizations say they are prepared to handle a sophisticated cyber attack and, worse, an estimated 54 percent of companies say they have experienced one or more attacks in the last 12 months,” said Russ Fordyce, Managing Director of Business Intelligence Group. “Netlok and the other 35 elite companies selected as winners of the Fortress Cyber Security Awards are creating breakthrough solutions that will stem the cybercrime tide and bring real protection to online activity.”
Nominations were judged by an independent panel of experts within the information security industry using a proprietary scoring model to determine uniqueness and innovation. Netlok’s patented Photolok™ technology was a stand-out among those nominated in this category, because of its innovative use of photos in the authentication system, combined with a simple set-up process and its ease-of-use.
ABOUT NETLOK
Netlok is a cyber security company founded on the belief that everyone has something they value and wish to keep secure and private, and it extends to the way in which they operate online. From personal information, to confidential documents, to private communications with others, Internet users want to protect certain aspects of their online activities from unauthorized access. Netlokr®, the company’s inaugural product, addresses the need for online privacy and security using a break-through photo authentication technology called Photolok™ for private messaging, as well as file and data sharing and storage. Netlok’s products are built for the full range of Internet users: individuals, businesses, large enterprises, organizations and associations, and government entities. Netlokr customers enjoy a highly secure, simple and affordable product that creates peace of mind for what matters most to them online. Netlok is based in Playa del Rey, in the heart of Southern California’s Silicon Beach. To learn more about the company and its security solutions, visit www.netlok.com.
ABOUT BUSINESS INTELLIGENCE GROUP
The Business Intelligence Group was founded with the mission of recognizing true talent and superior performance in the business world. The Fortress Cyber Security Awards, unlike other industry recognition programs, are judged by business executives with deep experience and knowledge in the online security space. The organization’s proprietary and unique scoring system selectively measures performance across multiple business domains and rewards those companies whose achievements stand above those of their peers.
Today’s students are often considered experts on all things technology because they grew up in an online, tech-savvy world.
These digital natives have a comfort level with – and even a fearlessness about – anything technology-related and they view the Internet as a familiar playground for much of their day-to-day activities. Unfortunately, it has also made them highly de-sensitized about online security and that can get them into significant trouble.

Compounding their risks online is today’s culture of sharing personal information in very public forums such as social media.
From one’s interests and habits to highly personal information, this over-sharing tells hackers and other “bad actors,” everything they need to know to exploit them, as well as their friends and families.
Unfortunately, students are at risk for attacks – online and offline – from not only anonymous hackers, but people they know. The dangers posed fall into two categories:
In the case of theft or fraud, cybercriminals target students based on lax security measures: using public Wi-Fi, forgoing password protections or using easy-to-break passwords, storing passwords and other personal information online, failing to keep security software and other programs updated, leaving laptops or mobile devices unattended in public settings like the library or coffee shops.
Phishing scams and other methods for manipulating students into revealing personal information or providing access to bank accounts and credit card information are other ways that students are falling victim to financial crimes and identity theft.
Stalking and harassment are sweeping college campuses and many of these crimes begin online, thanks to the wild frontier of social media and the breadth of personal information being shared there. In posting personal photos, checking into locations and providing constant updates on their activities, family, friends, shopping habits, purchases and more, students are providing a comprehensive dossier for those with bad intent.
Students and others believe (falsely) that they can screen those who have access to their social media accounts, but hackers have ready access through a variety of tools to breach these networks. The result is a sharp rise in online stalking and harassment that often moves into the offline world where significant harm can occur.

The first step in preventing online threats is to understand how they occur and what you are doing to contribute to your risk. Some ways to protect yourself:
Students cannot afford to become victims of cyber attacks.
The loss of money, time and reputation can be devastating. By taking a few precautions and being more mindful of the vulnerabilities and risk for exploitation, students can protect themselves from the crimes playing out online every day.
Netlok® announced today that its patented Photolok™ technology, which replaces passwords with photos, has been selected as the winner of the “Authentication Solution of the Year” award from CyberSecurity Breakthrough, an independent organization that recognizes the top companies, technologies and products in the global information security market today. Photolok is part of the company’s groundbreaking Netlokr™ product, which integrates private messaging, confidential file sharing and protected data storage in one secure environment.
“We are thrilled to receive this prestigious industry recognition for our Photolok authentication system because there is nothing like it on the market today that truly protects the most common activities you do as a business or an individual online today,” said Tony Perez, CEO at Netlok. “The escalation of cybercrime demands that new solutions are found and Netlok is committed to shutting down the entry points for hackers.” 
Netlokr, featuring the Photolok authentication technology, pairs its photo-based login system with a cloud-based cybervault that operates in Netlok’s own proprietary eco-system to avoid the vulnerable public pathways of the Internet. The system is designed to protect personal, business or client information and correspondence that are deemed highly confidential, sensitive or private. The Netlokr market includes individuals, groups and organizations, small and medium-sized businesses, large enterprises, government entities, celebrities and other high-profile individuals.
“CyberSecurity Breakthrough’s authentication award category was highly competitive this year, with 41 impressive nominations from a variety of leaders and innovators in the information security market,” said James Johnson, managing director, CyberSecurity Breakthrough. “We congratulate Netlok for breaking through the pack with their innovative approach to authentication to receive this recognition and we look forward to continued success for Netlok in 2018 and beyond.”
Nominations were evaluated by an independent panel of experts within the information security industry, and CyberSecurity Breakthrough judges considered authentication solutions featuring a variety of approaches, including multi-factor and password-based methods. Netlok’s patented Photolok™ technology was a stand-out among those nominated in this category, because of its innovative use of photos in the authentication system, combined with a simple set-up process and its ease-of-use.
The mission of the CyberSecurity Breakthrough Awards is to honor excellence and recognize the innovation, hard work and success in a range of information security categories, including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Email Security and much more. This year’s program attracted more than 2,000 nominations from over 12 different countries throughout the world.
ABOUT NETLOK
Netlok is a cyber-security company founded on the belief that everyone has something they value and wish to keep secure and private, and it extends to the way in which they operate online. From personal information to confidential documents, to private communications with others, Internet users want to protect certain aspects of their online activities from unauthorized access. Netlok products address the need for online privacy and security using break-through photo authentication technology for file and data sharing and storage, as well as private messaging. Netlok is built for the full range of Internet users: individuals, businesses, large enterprises, organizations and associations, and government entities. These Netlok customers enjoy a highly secure, simple and affordable product that creates peace of mind for the things that matter most to them online. Netlok is based in Los Angeles, California. To learn more about the company and its security solutions, visit netlok.com.
ABOUT CYBERSECURITY BREAKTHROUGH
The CyberSecurity Breakthrough Awards program is devoted to honoring excellence in information security and cybersecurity technology companies, products and people. The CyberSecurity Breakthrough Awards provide a platform for public recognition around the achievements of breakthrough information security companies and products in categories including Cloud Security, Threat Detection, Risk Management, Fraud Prevention, Mobile Security, Web and Email Security, UTM, Firewall and more. For more information visit CyberSecurityBreakthrough.com.