Phishing Attacks Have Become More Sophisticated
Phishing emails, in particular, have caught out even big business names like Sony, Google, and Facebook. In fact, scams of this nature are so prevalent that they cost businesses an average of $3.92 million in settlements, repairs, and more each year.
2020 witnessed a 73% spike in phishing attacks — likely driven by the shift to remote working and the economic downturn. Worse, the face of phishing has changed, with new and often independent cybercriminals going for the jugular with targeted emails and scams that play on business vulnerabilities and personal concerns.
To stay safe, companies must reassess security, and shift their defences to meet these new challenges. The question is, what exactly do phishing attacks look like in 2021, and how can you protect yourself in an uncertain future?
Phishing attacks have always preyed on people’s vulnerabilities, and never has that been more the case than this past year. The first coronavirus-themed phishing emails were spotted as early as March last year, and these tailored attacks have been gaining traction ever since.
Perhaps more worryingly, this switch towards scams that tap into current concerns goes alongside a significant increase in keyloggers and clone phishing. These methods allow hackers to hijack business email addresses and accounted for 70% of data breaches last year.
These two trends work dangerously alongside one another to enable phishing scams that can mimic the World Health Organisation (WHO), the Centers for Disease Control (CDC), GOV.UK, and even your own organisation's email domain. Employees inside your enterprise are thus far more liable to click a link, as these malicious emails get lost among the many official notifications that the past year has sent to our inboxes. As such, it's now more important than ever that organisations stop these sometimes difficult-to-spot phishing emails from reaching employee inboxes in the first place.
While mass phishing attacks are common, and help cybercriminals gain widespread personal information, we’ve also seen an increase in targeted phishing attacks — a.k.a spear-phishing. These tailored and personalised attacks involve emails sent to well-researched targets. Thus, attackers can more easily appeal to recipients, and may even use first names for authenticity, alongside geo-specific information in their attempts to steal important data.
While not necessarily a trend of the past year alone, this spear-phishing focus has come to the fore alongside the lower-volume attacks that very much arose out of 2020. Small businesses in particular are exposed to targeted attempts to gain access: a company of between 1 and 250 employees receives a malicious link in one in every 323 emails, compared with a much lower rate of one in every 823 emails for companies employing between 1,001 and 1,500 people.
A shift towards smaller-scale attacks makes malicious emails far harder for security software to recognise, while tailored targeting drastically increases the risk that several members of an ill-prepared remote team will be convinced. This means that hackers can exploit the changes already under way in company environments while undermining existing security structures. To counter this, it's vital that companies combine fast incident response with an endpoint focus that protects the wider business network even when an individual device is breached.
Cybercriminals are exploiting the high levels of anxiety inherent with the pandemic. This, mixed with those targeted attempts, has led to a somewhat unsurprising increase in the use of ransomware that threatens to publish customer bank accounts, phone numbers, etc. In fact, an astounding 65% of organisations were somehow impacted by ransomware in 2020.
Effective ransomware defence (like cyber security in general) requires a multifaceted strategy, and each component is as important as the next.
On that last point specifically, ABI has recently supported the inclusion of ransomware payments in cyber-insurance policies. This is an important contingency option to explore. However, it’s worth keeping in mind that a willingness to pay ransoms may be partially behind the spike in attacks. More than half of businesses paid their ransoms in 2020, compared with just 45.1% in 2019.
Suggested reading: To learn more about ransomware, check out our blog — Ransomware trends 2021.
We’ve already spoken about how clone phishing has seen a rise in the amount of official enterprises being dragged into cyber-attacks this past year. However, on a business-specific level, phishing attempts have also become a whole lot cleverer, using the prevalence of Microsoft 365 adoption to gain access to an organisation’s inner workings.
In a way, this is nothing new, with Microsoft having long held the top spot as the most spoofed brand due to the cohesive package that it offers. However, this past year has seen phishing attacks taking this focus further, with emails impersonating other brands that still lead back to Microsoft logins.
Spoofs of this nature have proven especially lucrative because newly remote employees don't even question being sent files and links. Worse, a step away from blatantly Microsoft-related lures adds a curtain behind which cybercriminals can hide, and only by refreshing security training with these risks at the forefront can companies stop their employees from jumping straight into these downloads.
This last year has seen an astounding 80% of phishing websites served over HTTPS, the padlock that was once read as a sign of an SSL certificate worth trusting. Admittedly, this trend has been rising for years, but the added authenticity required for successful attacks in 2020 has been a turning point.
As HTTPS continues to gain traction with threat actors, the so-called SSL security benefits are proving to be more of a curse than a blessing, because they suppress the browser warnings that many of us rely on. What's more, HTTPS proves only that the traffic between your browser and the site is encrypted; it says nothing about who operates that site. Unfortunately, that encryption is absolutely useless if the site owner is the one looking to phish your details. Realistically, this is just one more thing to keep in mind and start accounting for across all of your other phishing defence priorities.
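The two defensive checks implied by the paragraphs above (a sender that claims your own domain should carry a DMARC pass from your own gateway, and a link's https:// scheme tells you nothing about who runs the host) can be turned into simple triage logic. The script below is an added example written for this page, not Six Degrees' code or any product's. The organisation domain, the trusted-domain list, the two sample messages and the homoglyph table are all constructed for the demonstration; a production tool would use the public suffix list and proper string-distance checks rather than the crude substring matching used here.

```python
"""Triage a raw email: flag own-domain senders without a DMARC pass,
display names that borrow the organisation's name, and links whose host
merely looks like a trusted brand. Constructed example; not production code."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values: the organisation's own mail domain and brands it expects mail from.
ORG_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"microsoft.com", "cdc.gov", ORG_DOMAIN}
# Digits commonly substituted for letters in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def is_under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def auth_results(msg):
    """Collect the receiving gateway's Authentication-Results verdicts."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(header):
            verdicts[method] = verdict.lower()
    return verdicts


def lookalike_brand(host):
    """Return the trusted domain a host imitates, or None.
    A host genuinely under a trusted domain is never reported as a lookalike."""
    host = host.lower()
    if any(is_under(host, d) for d in TRUSTED_DOMAINS):
        return None
    folded = host.translate(HOMOGLYPHS).replace("-", "")
    for domain in sorted(TRUSTED_DOMAINS):
        if domain.split(".")[0] in folded:   # crude: brand name appears in the host
            return domain
    return None


def triage(raw_message):
    """Return the sender, the gateway's auth verdicts and a list of (code, detail) findings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    auth = auth_results(msg)
    findings = []

    # 1. Mail claiming our own domain must carry a DMARC pass from our own gateway.
    if is_under(sender_domain, ORG_DOMAIN) and auth.get("dmarc") != "pass":
        findings.append(("spoofed-own-domain",
                         f"{address} dmarc={auth.get('dmarc', 'missing')}"))

    # 2. External sender whose display name borrows the organisation's name.
    if not is_under(sender_domain, ORG_DOMAIN) and ORG_DOMAIN.split(".")[0] in display_name.lower():
        findings.append(("display-name-spoof", f"{display_name!r} sent from {address}"))

    # 3. Links: the scheme is ignored on purpose; https says nothing about who runs the host.
    for url in URL_RE.findall(msg.get_payload()):
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append(("lookalike-url", f"{url} imitates {brand}"))

    return {"sender": address, "auth": auth, "findings": findings}


# Constructed sample: spoofed internal sender, failed DMARC, HTTPS lookalike link.
SAMPLE_PHISH = """\
From: "IT Service Desk" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: your Microsoft 365 password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Your password expires in 24 hours. Sign in at https://login.micros0ft-verify.net/owa to keep access.
"""

# Constructed sample: genuine internal notice that passes DMARC and links internally.
SAMPLE_CLEAN = """\
From: "IT Service Desk" <helpdesk@example.com>
To: alice@example.com
Subject: Scheduled maintenance this weekend
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

The intranet at https://intranet.example.com/status will be unavailable on Saturday.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, triage(raw)["findings"])
```

Run as a script it prints two findings for the first message (an own-domain sender with dmarc=fail, and a link to a host that folds to "microsoft" without being under microsoft.com) and none for the second. The design point is that neither check looks at the https:// scheme at all: authenticity comes from the gateway's DMARC verdict and from which registrable domain a host actually belongs to, never from the padlock.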
With the above in mind, organisations need to return to the security drawing board with multi-faceted approaches that overhaul both employee training and security software. Specifically, in the face of these phishing changes, businesses need to focus on what to do when an attack does land, because some are almost guaranteed to get through. As such, security in 2021 should be about both prevention and further focuses such as:
Unfortunately, these once standard security practices are harder to employ than ever in a risk landscape that’s still very much shifting. Worse, companies are increasingly falling behind as they scramble to perfect security in scattered BYOD landscapes.
At Six Degrees, we help our clients face unknown threats and challenges just like this. For example, a combination of MDR (managed detection and response) and an endpoint security system can dramatically reduce your organisation’s total exposure to phishing attacks, and simplify the challenge of managing remote workflows securely. However, that’s just one option. If you want to learn more, get in touch — we’re happy to help!