In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress.
What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails and, in more sophisticated cases, deepfake videos. In addition, AI can help write the malware that threat actors often plant on their victims' computers and servers as part of phishing campaigns.
Phishing as a Service, or PhaaS, is another development sometimes cited to explain why phishing threats are at an all-time high. By allowing malicious parties to hire skilled attackers to carry out phishing campaigns for them, PhaaS makes it easy for anyone with a grudge – or a desire to exfiltrate some money from unsuspecting victims – to launch phishing attacks.
Phishing has become agile
A true understanding of what's behind the surge in phishing requires an analysis of how threat actors are using AI and PhaaS to operate in new ways – specifically, by responding more quickly to changing events.
In the past, the time and effort required to create phishing content manually (as opposed to using generative AI) made it challenging for threat actors to capitalize on unexpected events in order to launch high-impact campaigns. Likewise, without PhaaS solutions, groups that wanted to target an organization with phishing often didn't have a quick and easy way of getting an attack underway. Recent developments, however, suggest that this is changing.
See trending phishing and impersonation TTPs in The Phishing & Impersonation Protection Handbook
Phishing Attacks Targeting Evolving Events
Phishing has a habit of latching on to current events in the world to take advantage of excitement or fear surrounding these events. This is especially true when it comes to evolving events, such as the CrowdStrike "Blue Screen of Death" (BSOD).
Phishing in the wake of the CrowdStrike BSOD
CrowdStrike, the cybersecurity vendor, issued a buggy update on July 19 that rendered Windows machines unable to boot properly and left users staring into the infamous Blue Screen of Death (BSOD).
CrowdStrike fixed the problem relatively quickly – but not before threat actors had begun launching phishing campaigns designed to take advantage of individuals and businesses seeking a resolution to the failure. Within the first day following the CrowdStrike incident, Cyberint detected 17 typo-squatting domains related to it. At least two of these domains were copying and sharing Crowdstrike's workaround fix in what was apparently an effort to solicit donations via PayPal. By following the breadcrumbs, Cyberint traced the donation page to a software engineer named Aliaksandr Skuratovich, who also posted the website on his LinkedIn page.
Efforts to profit by collecting donations for a fix that originated elsewhere were among the more mild efforts to take advantage of the CrowdStrike incident. Other typosquatted domains claimed to offer a fix (which was available for free from CrowdStrike) in exchange for payments of up to 1,000 euros. The domains were taken down, but not before organizations fell victim to them. Cyberint's analysis shows that the crypto wallet linked to the scheme collected around 10,000 euros.
Phishing Attacks Responding to Planned Events
When it comes to planned events the attacks are often more diverse and detailed. Threat actors have more time to prepare than they do in the wake of unexpected events like the CrowdStrike outage.
Phishing at the Olympics
Phishing attacks related to the 2024 Olympics in Paris also showcased threat actors' ability to execute more effective campaigns by tying them to current events.
As one example of attacks in this category, Cyberint detected phishing emails claiming that recipients had won tickets to the Games and that, to collect the tickets, they needed to make a small payment to cover the delivery fee.
If recipients entered their financial information to pay the fee, however, the attackers used it to impersonate victims and make purchases using their accounts.
In another example of phishing linked to the Olympics, threat actors in March 2024 registered a professional-looking website claiming to offer tickets for sale. In actuality, it was a fraud.
Even though the site was not very old, and therefore did not have strong authority based on its history, it ranked near the top of Google searches, increasing the likelihood that people searching to purchase Olympics tickets online would fall for the ruse.
Phishing and football
Similar attacks played out during the UEFA Euro 2024 football championship, Most notably, threat actors launched fraudulent mobile apps that impersonated the UEFA, the sporting association that organized the event. Because the apps used the organization's official name and logo, it was presumably easy for some people to assume they were legitimate.
It's worth noting that these apps were not hosted in the app stores run by Apple or Google, which typically detect and take down malicious apps (although there's no guarantee they'll do so quickly enough to prevent abuse). They were available through unregulated third-party app stores, making them somewhat harder for consumers to find – but most mobile devices would have no controls in place to block the apps if a user were to browse to a third-party app store and try to download malicious software.
Phishing and recurring events
When it comes to recurring events, too, phishers know how to take advantage of situations to launch powerful attacks.
For instance, gift card fraud, non-payment scams and fake order receipts surge during the holiday season. So do phishing scams that attempt to lure victims into applying for fake seasonal jobs in a bid to collect their personal information.
The holidays create a perfect storm for phishing due to the rise in online shopping, attractive deals, and a flood of promotional emails. Scammers exploit these factors, leading to significant financial and reputational damage for businesses.
When it comes to phishing, timing matters
Unfortunately, AI and PhaaS have made phishing easier, and we should expect threat actors to continue adopting these sorts of strategies.
See The Phishing & Impersonation Protection Handbook for strategies businesses and individuals can take.
Businesses can, however, anticipate spikes in attacks in response to specific developments or (in the case of recurring phishing campaigns) times of the year and take measures to mitigate the risk.
For example, they can educate employees and consumers to be extra cautious when responding to content associated with a current event.
While AI and PhaaS have made phishing easier, businesses and individuals can still defend against these threats. By understanding the tactics used by threat actors and implementing effective security measures, the risk of falling victim to phishing attacks can be reduced.