Dubai, UAE: 20/02/2024 - Positive Technologies experts analyzed phishing attacks against organizations in 2022–2023. Most often, in phishing messages, criminals pose as contractors. The phishing-as-a-service model has become common practice. Experts predict an increase in the role of AI in both conducting and preventing phishing attacks. 

The main objectives of phishing attacks are data theft (85%) and financial gain (26%). One of the channels where criminals can sell the stolen sensitive information is the dark web, where the demand for personal data and credentials of companies' employees and clients is traditionally high. Information can also be stolen for the purpose of spying on an organization or country. 

A particular focus of the research is on hacktivists who have become especially active in the midst of the current geopolitical situation. Their main objective is to harm a victim by any means possible, as was the case with the attack on Iran's petrol stations last December, allegedly carried out by an Israeli APT group.

Phishing-as-a-service has become commonplace, a trend our experts forecasted several years ago. Today, phishing-as-a-service is used by professional APT groups, savvy independent attackers, and even newcomers without any special knowledge or skills. Positive Technologies analyzed messaging apps and forums on the dark web where social engineering was mentioned. The analysis showed that the most popular requests and offers were related to ready-made phishing projects, tools for conducting phishing attacks, and the development of phishing web pages.

The majority of phishing attacks are carried out through email (92%), but criminals can adapt to the particularities of the target company and use messaging apps (8%) and SMSs (3%) to deliver their malicious messages. A common attack scenario involves impersonating a company executive or employee through various communication channels. To create a fake profile for sending malicious messages, an attacker only needs to have the name and photo of the target organization's executive or employee. 

'Phishing is mainly evolving through the automation of attacks with the help of AI tools,' says Alexey Lukatsky, Information Security Business Consultant at Positive Technologies. The AI tools are becoming increasingly popular and are used both by cybersecurity experts to counter cyberthreats and by criminals to prepare and execute phishing attacks. Cybercriminals use AI to maintain engaging and relevant dialogues with their targets, generate convincing phishing messages, and create deepfakes of voices, images, and videos.'

More than half of the phishing attacks examined in this study were targeted at a specific organization, industry, or country. Most often, attackers target government agencies (44% of incidents with industry-specific targeting) and military enterprises (19%). Rounding out the top three primary targets of phishing attacks are organizations in the field of science and education (14%). 
According to the research, criminals most often pose as contractors (26% of attacks). 'They send fake reconciliation statements, invoices, contract renewal documents, and other data related to interactions between contractors,' comments Ekaterina Kosolapova, Information Security Analyst at Positive Technologies. This tactic is widespread because it is applicable to almost all organizations and legitimates the presence of links or attachments in the message. In 58% of attacks, such lures were sent without reference to a specific industry. However, this method is used more than any other in targeted attacks on medical, financial, industrial, and telecommunication organizations.' 
To prevent, detect, and respond to phishing attacks, experts suggest that companies educate their employees on cybersecurity and conduct phishing simulations. We also recommend using reputation mechanisms based on security solutions like SWG (Secure Web Gateway), NGFW (Next Generation Firewall), and SASE (Secure Access Service Edge), as well as EDR (Endpoint Detection & Response) solutions and sandboxes for mail traffic and protection against phishing, built into popular browsers or implemented through additional plugins. Basic cyberhygiene on personal computers and mobile devices should not be neglected either, such as regularly updating software and granting minimal privileges to applications