In February of this year, the FBI released their annual report on cybercrime. The report revealed that, in 2019, businesses and individuals lost a total of $3.5 billion to cybercriminals, an increase of 23% compared to 2018. The most common form of internet crime was phishing, affecting 114,702 victims.
So, we know phishers are everywhere. But from a bird’s eye view, let’s ask: what percentage of cyber attacks are phishing attacks?
According to Security Intelligence, in 2019, attackers used phishing as an entry point for almost one-third of all cyber attacks.
And the COVID-19 pandemic has only made things worse. Phishing attacks have increased by a massive 600% since the end of February, as bad actors seek to exploit the fear and uncertainty of the current moment.
Here’s a lesser-known fact though: Phishing attacks occurring through social media – rather than email – constitute an increasing proportion of attacks.
Social phishing attacks take the same form as email phishing attacks: bad actors send people a malicious link, which (typically) spoofs a real login page and steals credentials once they are entered. The only difference is the malicious link comes in a direct or shared message, not an email.
And phishing links appearing in direct messages can be even more threatening than links appearing in emails. Why? Because people are more likely to open them without thinking. As SafeGuard Cyber CTO and co-founder, Otavio Freire, explains:
“Unlike your email inbox, which more than likely has a fairly sophisticated spam filter, the direct message function on most social media apps is not protected and is, therefore, a great avenue for phishing attacks. It’s almost second nature to open a message on Twitter, Instagram or LinkedIn and click on a link. This is particularly dangerous because plenty of people don’t even know those are phishing attack vectors.”
In 2019, Facebook experienced a staggering 176% year-on-year growth in phishing URLs. Experts point to the rise of Facebook Login, a social sign-on using Facebook accounts, as a cause. Facebook Login becomes attractive to cybercriminals because it enables them to see what other apps a user has authorized, and spread their targeting accordingly.
Get Safe Online, a leading awareness resource for consumer cybersecurity, reports that “With over 1.3 billion people logging on to their favorite social media accounts every month, and the trust that many have in the wider community of users, social media phishing represents a rich source of income for fraudsters.”
In SafeGuard Cyber’s experience working with companies across a range of industries, social media phishing attacks occur with approximately the same frequency as email phishing attacks.
Phishing in its broadest form needs to be protected against. The 2019 Verizon Data Breach Investigations Report confirmed that nearly one-third of all cybersecurity breaches involve phishing. (The report added that, for cyber-espionage attacks, the number jumps to 78%.) Many of these phishing threats still come in over email. CISOs are right to secure email gateways as an essential element of a perimeter defense structure.
But modern security teams now need to consider phishing as more than just an email problem. Today, combating phishing means scanning social media and chat channels with the same vigilance with which we scan email, especially as phishers are getting better and better at what they do, thanks to off-the-shelf tools and templates, and to phishing kits and mailing lists available on the dark web.
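As an added illustration of the kind of scanning described above (example code written for this page, not SafeGuard Cyber’s product), the script below pulls every URL out of a batch of direct-message texts and flags links whose host borrows a brand name or a digit-for-letter lookalike of one without being the brand’s registered domain, which is how a spoofed login page usually presents itself. The brand list, the two-label domain approximation and the sample messages are all constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Legitimate registrable domains per brand (assumption for this example; extend for your org).
BRAND_DOMAINS = {
    "facebook": {"facebook.com", "fb.com"},
    "instagram": {"instagram.com"},
    "linkedin": {"linkedin.com"},
    "twitter": {"twitter.com"},
}
ALL_LEGIT = set().union(*BRAND_DOMAINS.values())
# Digit-for-letter swaps that make a lookalike host read like the real brand.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels (use the Public Suffix List in production)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str) -> Optional[str]:
    """Return a reason if the URL looks like a brand-spoofing login link, else None."""
    host = (urlparse(url).hostname or "").lower()
    if not host or registered_domain(host) in ALL_LEGIT:
        return None  # empty host, or a genuine brand domain (any subdomain of it is fine)
    normalized = host.translate(HOMOGLYPHS)
    for brand in BRAND_DOMAINS:
        if brand in host:
            return f"brand '{brand}' in host {host} but registered domain is {registered_domain(host)}"
        if brand in normalized:
            return f"homoglyph lookalike of '{brand}' in host {host}"
    return None


def scan_messages(messages: List[str]) -> List[Tuple[str, str]]:
    """Extract every URL from the DM texts and return (url, reason) for the suspicious ones."""
    return [(url, reason) for text in messages for url in URL_RE.findall(text)
            if (reason := classify_url(url))]


# Constructed sample direct messages, not real data.
SAMPLE_DMS = [
    "hey is this you?? https://facebook.com.login-verify.example/recover",
    "Your LinkedIn session expired: http://linkedin-secure.example/login",
    "New photo tagged: https://www.faceb00k-support.example/auth",
    "Legit share: https://www.facebook.com/groups/12345",
]

if __name__ == "__main__":
    for url, reason in scan_messages(SAMPLE_DMS):
        print(f"SUSPICIOUS {url}: {reason}")
```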
Over the years, there have been some devastating phishing attacks. Between 2013 and 2015, Facebook and Google were scammed out of more than $100 million by a Lithuanian hacker running an elaborate fake invoice scam. In 2014, Upsher-Smith Laboratories, a U.S. drug company, was swindled out of more than $50 million by phishers impersonating the company’s CEO via email. In the coming years, we should expect social media phishing attacks to begin to succeed on this scale.
June 2, 2020