Ninety-three per cent of successful phishing sites are now served over HTTPS, so the browser padlock no longer tells a victim anything about whether a site is legitimate.
The number of mobile users falling for phishing attacks has increased significantly in 2021, according to a recent report by Wandera, a Jamf company, titled Phishing Trends Report 2021.
According to the report, one in ten people clicks on phishing links while on their mobile devices, and the number of mobile users falling for phishing attacks has increased by 160 per cent year-over-year.
“This isn’t reflective of the volume of attacks present online but rather the rate at which people are falling for them,” the report said.
“This increase in people taking the bait is likely due to attackers evolving their techniques. They are now using trusted apps to deliver them, they are registering compelling domains, and imitating well-known brands to reach more users with less investment,” it added.
Difficult to spot phishing attacks
Phishing attacks are more difficult to spot on mobile devices. Furthermore, phishing is increasingly delivered outside of email, in channels where people aren't expecting it.
According to the report, 93 per cent of successful phishing sites are served over HTTPS with a certificate the browser accepts, so the padlock icon lends the fake page an air of legitimacy rather than exposing it. This figure has risen dramatically from 65 per cent in 2018.
Attackers are also increasingly registering internationalised domain names, encoded as “punycode”, in which non-Latin characters look like the Latin letters of a legitimate brand name, making their phishing domains harder to spot. “Punycode converts words that use unicode characters (in languages like Cyrillic, Greek and Hebrew, for example) into ASCII characters so that computers can understand them,” the report explained.
Attackers are also leveraging top-level domains.
“Top Level Domains (TLD) used to be mainly just .com, .net, .org, etc. In recent years, more domains using different country code top level domains (ccTLD) and business-specific TLDs (e.g. .attorney, .technology, .airline) have begun popping up,” the report said.
“The danger here is that users might see a brand name they recognize, but with a TLD that isn’t the usual one. For example, a hacker might register microsoft.xyz to host a Microsoft-themed phishing attack, and when it gets discovered, replace it with microsoft.info or microsoft.network, and so on,” it further explained.
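The two tricks described above, a punycode or homoglyph look-alike of a brand and a real brand name under a TLD the brand does not use, can both be caught with a few lines of string handling. The script below is an added example and is not code from the report or from Jamf; the brand allow-list, the homoglyph table and the sample domains are assumptions constructed for illustration, and the notion of "registrable domain" is simplified to the last two labels. A production check would consult the Public Suffix List and the full Unicode UTS #39 confusables table.

```python
"""Flag lookalike phishing domains of the two kinds the report describes:
punycode/homoglyph domains and brand names under an unexpected TLD.

Added example: not code from the Jamf/Wandera report. The brand allow-list,
the homoglyph table and the sample domains are constructed for illustration."""
import unicodedata

# Constructed allow-list: brand -> registrable domains the brand actually uses.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}

# Constructed subset of Cyrillic and Greek letters that render like Latin ones.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u03bd": "v",   # Greek
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (the xn-- form seen on the wire) to Unicode.

    Uses the raw punycode codec per label rather than the "idna" codec so that
    labels which fail IDNA2003's round-trip check are still decoded and inspected."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace confusable characters by their Latin look-alikes (a simplified
    version of the UTS #39 'skeleton' idea) so that a Cyrillic 'apple' compares
    equal to the Latin string 'apple'."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def analyse(domain: str) -> dict:
    """Return the decoded domain, the brand it resembles (if any) and a list of findings."""
    uni = to_unicode(domain)
    labels = uni.split(".")
    # Simplification: treat the last two labels as the registrable domain. Real code
    # should consult the Public Suffix List so that e.g. brand.co.uk is handled.
    tld = labels[-1]
    brand_label = labels[-2] if len(labels) >= 2 else labels[-1]
    findings = []

    if any(ord(ch) > 127 for ch in brand_label):
        findings.append("non-ascii-label")
        # An all-Cyrillic look-alike passes the mixed-script check; that is why
        # the skeleton comparison below is needed as well.
        if len(scripts_in(brand_label)) > 1:
            findings.append("mixed-script")

    brand = skeleton(brand_label)
    if brand in KNOWN_BRANDS:
        if brand != brand_label:
            findings.append(f"homoglyph-of:{brand}")
        if f"{brand}.{tld}" not in KNOWN_BRANDS[brand]:
            findings.append(f"unexpected-tld-for:{brand}")
    else:
        brand = None

    return {"domain": domain, "unicode": uni, "brand": brand, "findings": findings}


# Constructed sample of domains as they might appear in SMS or chat links.
SAMPLE_DOMAINS = [
    "microsoft.com",          # legitimate
    "microsoft.xyz",          # brand name, wrong TLD
    "MICROSOFT.INFO",         # same trick, different TLD
    "xn--80ak6aa92e.com",     # punycode for an all-Cyrillic 'apple' look-alike
    "micr\u03bfsoft.com",     # Greek omicron inside an otherwise Latin label
    "example.org",            # unrelated, should be clean
]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        r = analyse(d)
        status = "SUSPICIOUS" if r["findings"] else "ok"
        print(f"{status:10} {d:24} -> {r['unicode']:16} {r['findings']}")
```

Running it shows why both checks are needed: the Greek-omicron domain is caught by the mixed-script test, but the all-Cyrillic Apple look-alike is a single script and is only caught because its skeleton collapses to "apple". The TLD check is deliberately an allow-list of domains the brand actually uses, so microsoft.xyz, microsoft.info and microsoft.network are all flagged without anyone having to enumerate the attacker's next registration.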
Moving to global brands
Another trend that the report highlighted is that cyber attackers are moving away from regional attacks (e.g., using a local bank's brand) to attacks that impersonate global, tech-oriented brands.
“People are more likely to fall victim to a phishing attack when the bait is for a site they actually have an account with. As single-sign on technology is incorporated into more and more apps, credentials for large influential companies such as Apple, Google, Amazon, Microsoft, etc. provide access to more than just email,” the report explained.
Credentials stolen this way therefore unlock several layers of personal and business data, not just a single mailbox.
“It’s not these companies that are at fault, they are simply used by the malicious actors because they are recognisable and considered rich sources of valuable information,” it added.
Malicious actors are increasingly targeting applications used for work, such as Office 365 and Google’s G Suite apps.
According to the research, the three brands most often impersonated in phishing attacks that successfully got users to open the phishing link in 2021 were Apple, PayPal and Amazon, accounting for 43 per cent, 27 per cent and 9 per cent of those attacks respectively.
“Phishing attacks exploit the most vulnerable part of an organisation: its employees. Employees are often a corporation’s most valuable asset, but when it comes to keeping data safe, they double up as their biggest security weakness,” the report said.
“That’s why a zero-day phishing solution – specifically one that operates across all communication apps, not just email – is critical in stopping both the common attacks and the more sophisticated ones that are being launched against your business,” it added.