Phishing is nothing new and almost everyone knows of its dangers. Yet in 2021, more than 40% of all Belgians were victims of phishing. Why does this technique continue to be so successful?
The aim of phishing is to tempt victims to click on fake links and then log into fake Web portals that resemble sites such as their company's intranet, an online banking platform or social networking site. Once the victim clicks on the fake link sent by the attacker, he is redirected to the attacker's fake website. When the victim logs on, he passes sensitive information to the attacker.
Specific targets
We have noticed a recent change in the methodology of phishing emails. We see that attackers are more often targeting senior-level or C-level executives; this process is called whaling. Cases of spear phishing are also on the rise. In this situation, attackers send out highly personalised phishing emails to individuals. Targets often include financial profiles, IT security profiles or new employees.
Today, the extra layer of security that many users activate in the form of multi-factor authentication (MFA) is also being targeted by attackers. Cybercriminals, for example, try to retrieve one-time passwords (one-time and time-based passwords generated by a verification app) by mimicking an MFA screen on fake websites where unsuspecting users are asked to enter their one-time password.
We also see attacks where cybercriminals create fake QR codes. When these QR codes are scanned, victims are offered a big discount for restaurants, supermarkets or another brand in exchange for - of course - an online payment. This payment then goes to the attacker's account.
Phishing via text messages or phone calls
Besides the classic phishing email, there are also other forms of phishing. The two most common are smishing and vishing. In smishing, the victim receives a text message, often from a bank, courier or a loved one who has allegedly changed phone numbers. Usually, the text message also contains a fake link. Vishing involves calling the victim, often a computer voice saying there is a problem with your computer or that you are wanted by the police. The attackers expect the victim to follow this voice's instructions, which usually leads to the transfer of money to 'get help'.
Train your employees
Because the phishing landscape is changing so rapidly, phishing remains the number one attack vector. Attackers continue to find new ways to make it harder to distinguish between genuine and fake messages. Phishing can only be effectively tackled by raising end-user awareness and proper training.
Some interesting resources that can help you train your employees are:
- The training module 'Watch Where You're Going' is the first part of the series Browsing Without Worry, a series of simple and accessible online training courses on cybersecurity developed by the Center for Cybersecurity Belgium (CCB) and the Cyber Security Coalition (CSC).
- The phishing test on Safeonweb and corresponding advice.
- The Cyber Security Kit developed by the CCB and the CSC, which includes a number of useful tools for small and medium-sized organisations.
- Secuso's 'No Phish' videos (in English).
Raf Gillisjans studied applied computer science in Bruges and has been a part of the security team at Belnet for almost 2 years. He evaluates new solutions to make the Belnet environment a more secure place and is also part of the security awareness team. Outside of Belnet he can be found in a radio studio, behind a camera or behind his pc playing some game.