In a recent survey, Proofpoint found attackers successfully phished more than 80% of organizations in 2021 – a whopping 46% jump from 2020.
And, with the latest phishing scams in 2022, it’s a trend you should expect to continue.
It’s not always easy to spot these scams, but with the right procedures in place, you give yourself the best chance possible.
To avoid breaches in your security, you must maintain your security stack, block known threats, and train your users.
But, to accomplish these goals, you need to stay current on the latest phishing techniques.
Let’s take a look at some of the latest phishing scams in 2022 you and your business face.
Multi-Factor Shortcut: Be Annoying
Multi-Factor Authentication (MFA) plays a critical role in securing an organization, but attackers have found a way around one common form of it: the push notification that asks the user to tap "Approve." If they can get the user to tap it, the second factor does the attacker's work for them.
Here’s how it works:
Once an attacker holds a valid username and password for an account protected by push-based MFA, the only thing standing between them and a session is the victim's tap. So they work on the victim:
First, they call the potential victim, claiming to be from the organization's IT or help desk. They give a fabricated reason for needing authorization and tell the victim to expect an MFA request.
Once the victim trusts the caller, the scammer logs in with the stolen credentials, the push arrives on the victim's phone, and the victim approves it.
Some attackers try to stay under the radar, sending only one or two prompts a day and hoping the victim eventually taps Approve without IT noticing.
But, other attackers want to be noticed, using MFA prompt bombing to flood the user with many MFA requests.
It seems ridiculous, but it works.
Delivered at 1 am, a stream of prompts can trick a target into accepting one by accident, or simply wear the victim down until they accept to make the noise stop. Anything to make the noise stop, right?
If you’ve ever planned on sleeping in, but forgotten to turn off your alarm, you know the frantic swiping on your phone to shut it off. This attack works the same way.
Successful MFA prompt-bombing campaigns include the Russian state-sponsored actor behind the SolarWinds supply-chain attack, and Lapsus$, an extortion group (several of whose members turned out to be teenagers) that breached Microsoft, Okta, and Nvidia.
One member of Lapsus$ even bragged: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
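The bragged-about pattern above (a burst of rejected or ignored pushes, followed by an approval, typically at night) is also what a detection should look for. The following is an added example, not code from the article or from any identity provider: it walks a small, constructed JSON-lines authentication log and raises an alert when a user rejects or ignores a threshold number of pushes inside a short window, and a second, more serious alert when an approval follows such a burst. The event names and field names are assumptions; map them to your own IdP's export (Okta System Log, Azure AD sign-in logs, Duo authentication logs) before using it.

```python
"""Flag MFA push-bombing patterns in an identity provider's authentication log.

Added example (not code from the article or any vendor). The JSON-lines
format, event names and field names are assumptions; adapt them to the log
your IdP actually exports.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Outcomes of a push prompt. "sent" events are deliberately ignored: the
# signal is the user saying no (or not answering) again and again.
FAIL_EVENTS = {"mfa.push.denied", "mfa.push.timeout"}
APPROVE_EVENT = "mfa.push.approved"

# Constructed sample log: jdoe is hammered with pushes just after 01:00 UTC
# and finally approves one; asmith fumbles a single push and then approves.
SAMPLE_LOG = """
{"ts": "2022-05-03T01:02:40Z", "user": "jdoe", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:03:25Z", "user": "jdoe", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:04:10Z", "user": "jdoe", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:04:55Z", "user": "jdoe", "event": "mfa.push.denied", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:05:40Z", "user": "jdoe", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:06:25Z", "user": "jdoe", "event": "mfa.push.timeout", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T01:07:00Z", "user": "jdoe", "event": "mfa.push.approved", "src_ip": "203.0.113.7"}
{"ts": "2022-05-03T09:15:02Z", "user": "asmith", "event": "mfa.push.timeout", "src_ip": "198.51.100.20"}
{"ts": "2022-05-03T09:15:40Z", "user": "asmith", "event": "mfa.push.approved", "src_ip": "198.51.100.20"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def _alert(kind, rec, fail_count, quiet_hours):
    # quiet_hours is compared against the hour of the log timestamp (UTC in
    # the sample); convert to the user's local zone first in real use.
    return {
        "type": kind,
        "user": rec["user"],
        "at": rec["ts"].isoformat(),
        "src_ip": rec.get("src_ip"),
        "rejected_pushes_in_window": fail_count,
        "off_hours": rec["ts"].hour in quiet_hours,
    }


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5,
                        quiet_hours=range(0, 6)):
    """Return alerts for users who reject or ignore `threshold` or more pushes
    within `window` ("push_bombing"), and for an approval that arrives while
    such a burst is still inside the window ("approval_after_bombing")."""
    alerts = []
    per_user = defaultdict(list)
    for rec in events:
        per_user[rec["user"]].append(rec)

    for recs in per_user.values():
        recent_fails = []   # timestamps of rejected/timed-out pushes in window
        in_burst = False    # suppress repeated push_bombing alerts for one burst
        for rec in recs:
            cutoff = rec["ts"] - window
            recent_fails = [t for t in recent_fails if t >= cutoff]
            if len(recent_fails) < threshold:
                in_burst = False
            if rec["event"] in FAIL_EVENTS:
                recent_fails.append(rec["ts"])
                if len(recent_fails) >= threshold and not in_burst:
                    in_burst = True
                    alerts.append(_alert("push_bombing", rec, len(recent_fails), quiet_hours))
            elif rec["event"] == APPROVE_EVENT and len(recent_fails) >= threshold:
                alerts.append(_alert("approval_after_bombing", rec, len(recent_fails), quiet_hours))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The "approval_after_bombing" alert is the one to page on: it means the attacker already has a session, and the response is to revoke that session, reset the password, and review MFA enrollments for a newly added device. Tune `window` and `threshold` to your own baseline; a single timed-out push followed by an approval, as with the second user in the sample, is ordinary fumbling and should stay quiet.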
Impersonating Credible Sources
One of the oldest scams in the book is to impersonate credible sources. And, the latest phishing scams in 2022 are no different.
Now, scammers are simply changing who and how they impersonate.
Often, they’ll send out legitimate-looking emails to lure people into clicking a malicious link, or build a legitimate-looking web page that mimics a real business.
Think “amaz3n.com” or “faceboock.com”: lookalike domains that differ from the real one by a single swapped or added character, which is easy to miss in a sender address or a browser’s address bar.
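Lookalike domains like these can be caught mechanically before a user ever has to eyeball them. The following is an added example, not code from the article: it compares the registrable label of a domain against a small brand list, first after folding common character substitutions (digit-for-letter swaps, "rn" for "m", "vv" for "w"), then by edit distance, and finally by checking whether a brand name is merely embedded in a longer label. The brand list, the substitution table and the sample domains are constructed for illustration, and the "second label from the right" rule for the registrable part is a simplification that ignores multi-label suffixes such as co.uk.

```python
"""Classify sender or link domains as lookalikes of known brands.

Added example, not code from the article. BRANDS, the substitution tables
and the thresholds are illustrative assumptions; a production version would
use a public-suffix list and the organisation's own brand/allow lists.
"""

# brand name -> the legitimate registrable domain (assumed list)
BRANDS = {
    "amazon": "amazon.com",
    "facebook": "facebook.com",
    "microsoft": "microsoft.com",
    "paypal": "paypal.com",
}

# single-character substitutions attackers rely on looking alike
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
# multi-character sequences that render like one letter in many fonts
MULTI = {"rn": "m", "vv": "w"}


def normalize(label):
    """Fold lookalike characters so 'rnicros0ft' becomes 'microsoft'."""
    label = "".join(HOMOGLYPHS.get(c, c) for c in label.lower())
    for seq, rep in MULTI.items():
        label = label.replace(seq, rep)
    return label


def registrable_label(domain):
    """Naive registrable label: the label left of the TLD (assumes a
    single-label TLD; 'example.co.uk' would wrongly yield 'co')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand). Verdicts, most to least confident:
    legitimate, wrong_tld, homoglyph, typosquat, brand_embedded, unrelated."""
    domain = domain.lower().rstrip(".")
    for brand, legit in BRANDS.items():
        if domain == legit or domain.endswith("." + legit):
            return ("legitimate", brand)

    label = registrable_label(domain)
    norm = normalize(label)

    for brand in BRANDS:
        if label == brand:                 # right name, wrong suffix (amazon.co)
            return ("wrong_tld", brand)
        if norm == brand:                  # identical once lookalikes are folded
            return ("homoglyph", brand)

    best_brand, best_dist = None, None
    for brand in BRANDS:
        dist = min(levenshtein(label, brand), levenshtein(norm, brand))
        if best_dist is None or dist < best_dist:
            best_brand, best_dist = brand, dist
    # allow one edit for short brands, two for long ones (assumed thresholds)
    if best_dist <= (2 if len(best_brand) > 8 else 1):
        return ("typosquat", best_brand)

    for brand in BRANDS:
        if brand in norm:                  # microsoft-account-verify.com
            return ("brand_embedded", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    for d in ["amaz3n.com", "faceboock.com", "rnicrosoft.com", "paypa1.com",
              "login.microsoft.com", "microsoft-account-verify.com", "example.org"]:
        print(d, "->", classify(d))
```

Anything other than "legitimate" or "unrelated" is worth a warning banner on inbound mail or a block at the web proxy. Expect some noise from the "brand_embedded" rule (legitimate partners and subsidiaries also embed brand names), so keep an allow list beside the brand list rather than loosening the rule.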
Though the top brands to impersonate are Facebook (14%) and Microsoft (13%), the financial industry as a whole represents 35% of all phishing pages. However, government impersonations are on the rise as well.
For example, the Russian-speaking threat actor behind the ‘DarkWatchman’ campaign (named for the JavaScript-based remote access trojan it delivered) impersonated the Russian Ministry of Justice’s Federal Bailiffs Service. Its official-looking emails tricked Eastern European organizations into opening malware-laden attachments.
The notorious Lapsus$ group even went one step further.
First, they obtained access to legitimate US law enforcement email accounts through various means. Then, they used those real addresses to send fake Emergency Data Requests, the urgent, court-order-free requests that providers are used to answering quickly and with little verification.
Verizon reveals it received 114,000 data requests from some of the 18,000 law enforcement agencies in the US in the second half of 2021 alone.
With such a huge volume, it is easy to see how these types of attacks might go unnoticed.
And, the high-profile success of the Lapsus$ group will only encourage other attackers to pursue similar techniques.
Email Malware-Detection Bypass: Mimic Microsoft
Sure, pretending to be Microsoft can be successful, but it’s not always easy.
Attackers also borrow Microsoft’s credibility in a subtler way: by hosting on Microsoft’s own Azure domains, or by using Office file types that security tooling and users alike treat as harmless documents.
Azure App Service lets organizations quickly build and deploy web applications on the Azure platform, and the latest phishing scams in 2022 have been quick to take advantage.
By hosting phishing pages and malware on Azure, attackers get a *.azurewebsites.net hostname and a Microsoft-owned IP address for free. Reputation-based controls (firewalls, web proxies, DNS filters) see traffic to Microsoft infrastructure rather than to a suspicious, newly registered domain, and blocking the whole range would break legitimate Azure-hosted services.
Microsoft moved to cut off macros as an attack vector by announcing, in February 2022, that VBA macros in Office files downloaded from the internet (files carrying the Mark of the Web) would be blocked by default.
The hugely successful Emotet botnet responded by changing its delivery method to OneDrive URLs serving .xll files. An .xll file shows the familiar Microsoft Excel icon, but it is an Excel add-in, which is a native Windows DLL: opening it makes Excel load the library and run its code, no macro required.
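Because an .xll is a DLL, the icon and extension say "spreadsheet" while the bytes say "executable", and that mismatch is checkable on the mail gateway or in a sandbox before the file reaches Excel. The following is an added example, not code from the article or from Emotet's tooling: it reads the DOS header, follows e_lfanew to the PE signature and reads the Characteristics field of the file header to tell a DLL from an EXE, then applies a simple attachment policy. The header-only sample files are constructed in the block (they are not loadable binaries); the extension lists and verdict names are assumptions.

```python
"""Triage email attachments by content, not by icon or extension.

Added example (not from the article). The sample files built by
build_minimal_pe() are constructed PE headers for testing the check, not
real executables; the policy lists below are illustrative assumptions.
"""
import os
import struct

IMAGE_FILE_DLL = 0x2000           # IMAGE_FILE_HEADER.Characteristics flag
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".cpl", ".ocx", ".xll", ".wll"}
OFFICE_ADDIN_EXTENSIONS = {".xll", ".wll"}   # Excel / Word add-ins: native DLLs


def is_pe_image(data):
    """Return (is_pe, is_dll) from the bytes of a file.

    Layout checked: 'MZ' at offset 0, e_lfanew (uint32) at 0x3C, 'PE\\0\\0'
    at e_lfanew, then IMAGE_FILE_HEADER whose Characteristics (uint16) sits
    at e_lfanew + 22."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return (False, False)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return (False, False)
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return (True, bool(characteristics & IMAGE_FILE_DLL))


def triage_attachment(filename, data):
    """Apply a simple policy and return one verdict string."""
    ext = os.path.splitext(filename)[1].lower()
    is_pe, _is_dll = is_pe_image(data)
    if is_pe and ext not in EXECUTABLE_EXTENSIONS:
        return "block_extension_mismatch"     # PE bytes behind .pdf/.xlsx/...
    if ext in OFFICE_ADDIN_EXTENSIONS:
        return "block_office_addin"           # Excel will load it as a DLL
    if is_pe or ext in EXECUTABLE_EXTENSIONS:
        return "block_executable"
    return "allow"


def build_minimal_pe(is_dll):
    """Constructed test data: a DOS header pointing at a PE signature plus a
    20-byte IMAGE_FILE_HEADER. Enough for the check above, not runnable."""
    e_lfanew = 0x80
    dos_header = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    # EXECUTABLE_IMAGE (0x0002) | 32BIT_MACHINE (0x0100), plus DLL (0x2000) if requested
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # Machine=AMD64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + file_header


# OOXML documents (.xlsx/.docx) are zip archives; this is a constructed stub.
XLSX_STUB = b"PK\x03\x04" + b"\0" * 64

if __name__ == "__main__":
    samples = [
        ("Invoice_0422.xll", build_minimal_pe(True)),
        ("report.xlsx", XLSX_STUB),
        ("scan.pdf", build_minimal_pe(False)),
        ("setup.exe", build_minimal_pe(False)),
    ]
    for name, blob in samples:
        print(name, "->", triage_attachment(name, blob), is_pe_image(blob))
```

The content check is the important half: an attacker can rename the file or wrap it in a zip, but Excel will only run it if the bytes are a valid PE image, so that is the property to gate on. A stricter version would also walk the export table for the `xlAutoOpen` entry point that Excel calls when it loads an add-in.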
While some companies might be able to block these sources, many can’t. At least, not without dramatically impacting their operations.
Final Thoughts on the Latest Phishing Scams in 2022
Phishing scams work for two reasons: sheer volume of attempts, and attempts credible enough to pass a quick glance.
Unfortunately, the latest phishing scams of 2022 have both.
An investment in training, or even an awareness newsletter, can help your employees avoid clicking on malicious links.
But, considering the effectiveness of these digital con artists, you’ll want to take extra precautions.
Back up your data, use effective email security, layer your defenses so that no single control is the last line, and actively monitor your environment so you can deal with the successful attack that will eventually get through.
Our experts will provide a no-obligation consultation of options that fit the needs of your organization.