
Phishing in 2023: The Most Common Successful Techniques

May 17, 2023


Here are the key takeaways for phishing in 2023:

  • AI-Powered Phishing: Cybercriminals use AI to create highly personalized phishing attacks, making them more difficult to identify.
  • Deepfake Phishing: Deepfakes are being used to create convincing fake video or audio messages from trusted figures, tricking people into revealing sensitive data or clicking malicious links.
  • Mobile Phishing: Phishing attacks specifically designed for mobile interfaces have seen a sharp rise, exploiting the limited display size of mobile devices to hide malicious intent.
  • Whaling: This targeted form of phishing involves high-profile individuals or organizations, aiming to gain access to a large amount of sensitive data or to orchestrate significant financial transfers.
  • Multi-Factor Authentication (MFA) Bypass Phishing: Phishing attacks designed to bypass MFA protections have increased, involving the real-time interception of authentication codes or manipulation of the authentication process.
  • Cloud Storage Phishing: Phishing attacks now frequently involve fake alerts or requests from cloud storage providers, convincing victims to provide their login credentials.
  • Search Engine Phishing: This technique involves setting up fraudulent websites offering cheap products or services that appear in ads or sponsored links in search engine results, tricking users into providing personal details.

As we close in on the halfway point of 2023, it's clear that phishing, a form of cyberattack in which victims are contacted by email, telephone, or text message by someone posing as a legitimate institution, continues to be a significant threat. Near-weekly attacks and data breaches resulting from phishing are in the news. This article covers the most common successful phishing techniques used this year, aiming to raise awareness and boost defenses against these insidious attacks.

1. AI-Powered Phishing

The advent of AI and Machine Learning has unfortunately also had some negative implications in the cybersecurity space. Cybercriminals are now harnessing the power of AI to create highly personalized phishing attacks. By scraping social media platforms and other online resources, they can customize their phishing emails or messages to mimic the tone, style, and content of communication from individuals or organizations you trust, making them more difficult to spot.

2. Deepfake Phishing

Deepfakes, synthetic media in which a person's likeness is swapped with another's, have been a growing threat. Deepfake phishing uses this technology to create highly convincing fake video or audio messages from trusted figures, asking for sensitive data or promoting malicious links. This technique has been notably successful, especially when targeted toward employees in a corporate setting.

3. Mobile Phishing

The increasing reliance on mobile devices has not gone unnoticed by cybercriminals. Mobile phishing, where phishing attacks are specifically designed for mobile interfaces, has seen a sharp rise. These attacks often exploit the limited display size of mobile devices, truncating URL addresses or altering interfaces to hide malicious intent.
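
As an added illustration (not part of the original post), the check below compares what a width-limited display shows of a link with the domain the link actually resolves to, which is the gap URL truncation relies on. The display width, the trusted-domain list and the sample hostnames (reserved `.example` and `.test` names) are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

VISIBLE_CHARS = 28            # assumed width of a narrow mobile URL display
TRUSTED = {"mybank.example"}  # hypothetical allow-list of registrable domains


def registrable_domain(host: str) -> str:
    """Last two labels: an approximation; real code should use the Public Suffix List."""
    try:
        ipaddress.ip_address(host)
        return host  # IP literal: there is no domain to reduce
    except ValueError:
        return ".".join(host.rstrip(".").split(".")[-2:])


def truncated_view(url: str, width: int = VISIBLE_CHARS) -> str:
    """Leading characters a width-limited display shows (scheme dropped)."""
    return url.split("://", 1)[-1][:width]


def assess(url: str, width: int = VISIBLE_CHARS, trusted=TRUSTED) -> dict:
    """Compare what the user can see with where the link actually goes."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    reg = registrable_domain(host)
    shown = truncated_view(url, width).lower()
    # Trusted names visible on screen although the real destination differs.
    impersonated = sorted(t for t in trusted if t in shown and reg != t)
    return {
        "registrable_domain": reg,
        "shown": shown,
        "destination_hidden": reg not in shown,
        "impersonated": impersonated,
        "suspicious": bool(impersonated),
    }


# Constructed samples (reserved .example / .test names), not real indicators.
SAMPLES = [
    "https://portal.mybank.example/login",
    "https://mybank.example.signin.account-verify.lookalike.test/login",
    "https://mybank.example@lookalike.test/login",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(assess(u))
```

A mail gateway or link-preview component can use the `destination_hidden` and `impersonated` fields to display the registrable domain prominently instead of the leading characters of the URL.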

4. Whaling

A more targeted form of phishing, "whaling," involves high-profile individuals or organizations as targets. These attacks are meticulously planned and executed, often involving extensive research on the target. The goal is typically to gain access to a large cache of sensitive data or orchestrate a significant financial transfer.

5. Multi-Factor Authentication (MFA) Bypass Phishing

MFA has been a strong line of defense against unauthorized access. However, 2023 has seen an uptick in phishing attacks designed to bypass these protections. These attacks often involve real-time interception of authentication codes or manipulation of the authentication process, convincing victims to enter their codes into a fake platform.

6. Cloud Storage Phishing

As businesses and individuals increasingly rely on cloud storage, cybercriminals have adapted their tactics. Phishing attacks now frequently involve fake alerts or requests from cloud storage providers, urging victims to click a link or provide login credentials due to a purported issue or threat.

7. Search Engine Phishing

This technique involves cybercriminals setting up a fraudulent website that offers cheap products or services. They then pay for their site to appear in the ads or sponsored links in search engine results. When a user clicks the link, they're taken to the fraudulent site where they're asked to provide credit card information or other personal details.


Phishing techniques are highly dynamic, making it critical to stay informed and vigilant. Remember, the best defense against phishing is a proactive approach: scrutinize emails, be wary of unsolicited requests, and ensure your devices and accounts are secured with the latest protective measures. In the age of increased remote work and digital reliance, cybersecurity is a shared responsibility. 

In addition to security awareness and phishing training, phishing simulations are an important step to keep employees engaged in new phishing techniques and to continuously gauge the risk of phishing attacks at your company. Haekka’s phishing simulator delivers up-to-date, relevant phishing messages to inboxes and triggers real-time training in Slack.
