Phishing Attacks Surge By 173% In Q3, 2023

Cyber scams like phishing trick people into disclosing personal information or downloading malware that can then result in bad actors using these stolen identities for fraudulent activities that cost companies and individuals billions of dollars annually. 

To stay safe, it’s important to understand what phishing attacks are, the different types of scams, and how to prevent them. Let’s explore a recent report that highlights the prevalence of phishing attacks and the industries that are most affected, as well as what you can do to prevent phishing attacks for yourself and your business.

What is a phishing attack?

A phishing attack is a form of cyber scam that uses falsified credentials – a fake email from an established company, a fake identity as a customer service or government representative, a fake homepage for a social media site, etc. – to steal identifying information like usernames and passwords from individuals, trick users into downloading dangerous malware, or taking other actions that might leave them vulnerable to other cybercrime. This is most commonly done via email or direct message on social media by claiming there’s been some kind of security incident or contest requiring you to log into your account or provide information. 

Phishing relies heavily on social engineering, or forcing someone to take action via social pressure or manipulation. These attacks rely on making you feel as if you’ve done something wrong – made a bad purchase, trusted the wrong company, had a transaction bounce, etc. They also rely on creating a sense of urgency, the idea that you’ll need to resolve the problem right now or risk it getting substantially worse.

There are several types of phishing attacks to consider. 

• Bulk email phishing is the most common version of this scam. Users receive an email “from” a major company that “informs” them of a problem with their account, asking them to log into it. This email is a falsified message from a scammer who’s created a facade to mimic the real company. 
• Spear phishing targets an individual victim rather than being a mass email. It may be a message posing as a loved one, coworker, or other associate known to the person in their own life. These messages might include personal information skimmed from social media to seem more legitimate and often contain a request that would be reasonable for this individual – paying off a forgotten debt in a business, a friend needing money for a bill, or a family member needing money for an emergency.
• Business email compromise (BEC) is a specific kind of spear phishing that aims to steal either a large sum of money or important information from a business. These messages impersonate members of the company to attempt to scam other members of the company into making a bad purchase or sending information to a bad actor.
• SMS phishing is a falsified text containing a bad link that collects information. These often pose as 2FA messages from social media sites. 
• Voice phishing is a newer kind of attack that uses VoIP services to spoof the IDs of companies or government agencies in an attempt to collect information over the phone. 

The prevalence of phishing attacks

According to a new report from Vade Secure, phishing attacks have risen by 173% in Q3 of 2023 alone. The researchers comment that August was the most heavily affected month, sporting more than 207.3 million phishing attempts via email, which is nearly double the amount sent in July. This activity continued into September when an estimated 172.6 million emails were sent. 

Of the most commonly impersonated companies, Facebook and Microsoft took the top spots, keeping their places since 2020. Facebook was the most impersonated overall, at 16,657 faked URLs, and experienced a rise of 169% in the prevalence of these URLs from Q2. The company accounted for more phishing URLs than all seven of the next most spoofed companies combined, whose total was 16,432 spoofs.

Though all companies saw major increases in attacks, according to Vade, the most affected companies were

1. Government agencies at 292%
2. Cloud computing services at 127%
3. Social media programs and applications at 125%
4. Financial services at 121%

The only industry that saw a decline in phishing attempts was Internet and telecommunications.

How to prevent phishing attacks

There are many things you can do to recognize and prevent fallout from a phishing attack. Here are some helpful tips. 

• Practice good password hygiene. Use unique, long, and varied passwords for each of your accounts. Store them in a password manager for safekeeping and do not share them with anyone. It’s also a good idea to change your passwords regularly. 
• Use anti-virus software on your devices. This includes firewalls, email filters, and anti-spyware programs. Keep these updated. 
• Use common sense internet safety. Be wary of messages and emails from unknown senders, do not click links from unfamiliar senders or concealed links, and if there is a supposed issue with an account, contact the service directly rather than relying on a single message or link. 
• If you think you’ve been the victim of a phishing scam, secure your accounts immediately. Change passwords, report the attack, and keep a close eye on your accounts for any unusual activity. 

One of the best things you can do to secure your data is to implement multi-factor authentication on your accounts. This makes it more difficult for scammers to gather all of the required information to access your data by layering security together. 

If you are a business looking to implement MFA, consider using a modern, more advanced authentication method such as Photolok. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users submit images and label them for use as authenticators. When attempting to access the system, they simply choose their image from a grid. They can also label an image as Duress, which allows them access but notifies administrators so that, if they are forced to access the account, the proper authorities can be notified quickly for their safety. 

You can request a demonstration of the Photolok system for further details and a consultation to see how this advanced authentication system can benefit your business. 

Why MFA is Critical to Business Cybersecurity

If you are a business looking to implement MFA, consider using a more advanced authentication method such as Photolok IdP. Photolok is a passwordless IdP that is simple, effective, and offers a range of benefits including AI and ML defense, device authorization, and one-time-use authenticators. With Photolok, users select images and label them for security use. When accessing a network, application, and/or API, users simply choose their image from several photo panels, and they are in. Users can also label a photo as Duress, which acts as a silent alarm.  The Duress option allows the user access but notifies IT administrators that the user’s account is compromised and they need to execute the company’s security procedure quickly to protect the company and the user’s safety.