Itās no wonder then that so many use phishing as their default attack method. Malicious emails can be used to reach many targets with relative ease, and criminals can purchase ready-madeĀ phishing kitsĀ that bundle together everything they need for a lucrative campaign.
After analyzing three months of phishing email traffic, we found that most attacks follow the money to either big tech or leading financial firms. Facebook, Apple and Amazon were the most popular tech brands being spoofed in phishing URLs. On the financial side, Charles Schwab was by far the most popular target, and was the most used brand URL overall, accounting for 13.5 percent of all cases. Chase Bank ā an American subsidiary of JP Morgan Chase & Co ā RBC Royal Bank and Wells Fargo were also widely used in phishing URLs.
Our investigation found that Chase has received a growing level of attention from cyber criminals over the last year, so we took a deeper dive into the tactics being used to target the bankās customers.
The shift to mobile
One of the most prominent trends apparent in our investigation was the growing focus on mobile devices as part of phishing attacks. SMS text messages, WhatsApp and other mobile messaging services are increasingly used to launch attacks.
Attackers are adopting these methods in response to stronger email security solutions. The average mobile device is less likely to be well secured against phishing compared to a desktop endpoint. Even if the mobile device has a business email application on it, channels such as SMS and WhatsApp will bypass any anti-phishing protection it might have.
Threat actors may also mix email and mobile messaging in a single attack, for example sending a phishing email which includes a QR code that must be scanned by a smartphone, thereby jumping the attack over to the mobile endpoint. We have seen an uptick in QR-based attacks as the relatively overlooked technology became more popular during theĀ pandemic. These attacks are again effective at evading traditional email security tools, as the QR code itself is not a malicious asset and its link destination cannot be read by detection technologies optimized for text URLs and virus signatures.
Mobile-based phishing attacks are also harder to identify due to mobile devicesā smaller screen and simplified layout, compounding the lack of security solutions on mobile.
How phishing kits mean anyone can phish like a pro
Cyber Fraud: Tactics, Techniques and Procedures
