2023 is just around the corner. Understanding the new and ongoing phishing trends is crucial to ensuring your business data remains safe in the new year to come. Based on industry reports and research, we have rounded up 4 major cybersecurity threats that will significantly impact your business. If you’re training employees with phishing simulations, you might as well want to include some of these topics in the training.
#1 Energy scheme scams
Energy scheme scams involve bad actors impersonating to be energy providers or regulators to obtain your funds or business information. National Grid has warned that the cold snap and a cut-off of Russian gas to Europe could lead to power cuts. Concerns around energy supply and prices within the UK have led to more malicious cyber operations. While the government is providing support to businesses and families with the Energy Bill Relief Scheme and £400 Energy Rebate, cybercriminals are also taking aim at these newly implemented schemes and preying on our vulnerabilities.
Actionfraud, the UK’s national reporting centre for fraud and cybercrime reported that cybercriminals pretended to be the energy regulator, Ofgem to send phishing emails in the form of a ‘GOV.UK’ style asking people to enter their bank details to get the energy rebate.
Furthermore, thanks to the rising wholesale prices and energy prices, many energy suppliers have collapsed over the past year. The Guardian reported that scammers took advantage of the situation. They posed as debt collection firms, sent phishing emails to users and attempted to steal valuable credentials. The news agency also quoted the upward trend of the scams. Figures from Action Fraud showed that in the first quarter of 2022, scams mentioning the biggest energy suppliers had risen 10% compared with the same period last year. January alone saw a 27% increase from 2021.
According to research conducted by Citizens Advice in 2022, over 40 million people have been targeted by scammers and 12% of scams are related to energy. We have already observed an uptick in energy-theme phishing; this trend is expected to continue in the coming year. Your employees who are given access to bank account information to make regular payments should be well-trained in order to combat this threat.
#2 Artificial intelligence (AI) scams
Artificial intelligence-powered software is increasingly being used for nefarious purposes. These AI-powered scams are able to produce realistic computer-generated images, videos, faces and even voices. They allow criminals to create compelling phishing messages with counterfeit and manipulated images on a massive scale.
AI phishing content is highly sophisticated and difficult to spot. Wired.com, a popular information source for technology, quoted a surprising result presented by Singapore's Government Technology Agency. The agency found that AI actually wrote better phishing emails than humans in an experiment. They sent simulated phishing emails they crafted themselves and others generated by an AI tool to 200 of their colleagues. They were shocked to find that there were significantly more of their colleagues clicked the links in the AI-generated email instead of the human-written ones.
PYMNTS.com, a leading global news website revealed that the world-famous professional networking website LinkedIn has been facing a serious problem of fake accounts. The Sustainability Professionals Group from LinkedIn blocked 12,700 suspected fake profiles in 2022.
American non-profit media organisation National Public Radio mentioned the AI-generated faces issue on their website. The above are suspected AI-generated faces from fake LinkedIn accounts found by Stanford University researchers. The researchers suggested that the central positioning of the eyes is a telltale sign of a computer-created face.
“We receive over 500 fake profile requests to join on a weekly basis,” said the team leader of the group, Hamish Taylor. “It’s hit like hell since about January of this year. Prior to that, we did not get the swarms of fakes that we now experience.”
McAfee, the world-famous antivirus software company, has just released their Consumer Threat Predictions for 2023. They anticipated that AI tools will be one of the main threats that will empower scammers and cyber criminals who wish to lure unsuspecting users.
Educating your staff about AI phishing is important. Make sure they are armed with the necessary knowledge to distinguish AI-generated profiles and avoid interacting with those fake accounts.
#3 Supply chain threats
Supply chain attacks, also known as third-party attacks, are when a criminal infiltrates your system through a trusted vendor with access to your business data. Almost all organisations work with outside partners or third-party suppliers and share business data with them. A supply chain often involves many vendors doing many different tasks, and that's why supply chains can be large and complex. Protecting business data in your network can be challenging because vulnerabilities can appear at any point in the supply chain.
The latest supply chain attack we can take as an example took place just a few days ago. Uber once again suffered from a serious data breach. The breach affected around 80,000 of their staff. Business data, such as employees' email addresses, corporate reports and IT asset information were stolen. Investigations have found that the data was not leaked directly by Uber, but by one of their third-party vendors in their supply chain, Teqtivity, which provides asset management and tracking services for Uber.
This incident spotlighted how a weak point in a supply chain can tremendously affect your company. Ian McShane, vice president of strategy at Arctic Wolf, commented on the breach in an interview saying “Vendor risk assessment is a critical aspect of any organisation’s security operations, and this must be a priority for 2023.” Many cybersecurity experts have agreed with this point of view. Avani Desai, the CEO at Schellman and a member of the Forbes Technology Council expressed the same concern in an article. She emphasised how supply chain attacks have become a key concern in the board room and continue to afflict organisations.
In response to the growing number of incidents, NCSC also issued new guidance in Oct 2022 over the threat of supply chain attacks to highlight this area for concern. It is expected that this challenge will continue in 2023. To mitigate this risk, educating your staff on your organisation’s third-party communications is essential.
#4 Multi-factor authentication (MFA) threats
Multi-factor authentication (MFA) has become a critical tool for businesses to protect their accounts. However, cybercrooks have invented more sophisticated techniques making MFAs no longer completely fool-proof.
Since June 2022, Scattered Spider, a financially-motivated threat actor has reportedly been leveraging social engineering via phone calls, SMS and Telegram messages to impersonate IT personnel, and trick victims into entering their credentials on a phishing page. Scattered Spider would as well interact with the targets directly to acquire their one-time password if multi-factor authentication was enabled.
The CISO Perspective, a popular source for cybersecurity news, has made a video to explain the ways that cybercrooks could use to bypass MFA. Although the message of the video was a bit unnerving to hear for cybersecurity professionals, one fact we should all recognise is that hackers are now able to figure out ways to intercept MFA and access other people’s accounts without authorisation.
Nowadays, many users access work resources from personal devices like cell phones or home PCs. It's no doubt that cybercriminals will continue to gain ground in the field of MFA. Due to the increasing number of MFA threats, Microsoft has recently issued a warning. They pointed out that these unprotected devices are a prime target for MFA thieves.
In 2023, it is believed that we will see more threat actors find new ways to steal information via MFA. If your employees are using different types and devices for work purposes, it’s important that they are given phishing training to protect business data on those devices.
Equip your staff with the necessary knowledge
No matter what kind of scam it is, sending phishing emails will remain the top approach utilised by cybercriminals. After all, it's the most efficient and direct path to the organisation’s greatest IT vulnerability, and that is end users. To fight against cybercrimes, organisations must keep pace with current and emerging cybersecurity trends. Try our 14-day free phishing simulation or book an on-demand demo and equip your staff with the necessary knowledge to combat the new phishing challenges in the year ahead.