The Risk of Multichannel Phishing Is on the Horizon

As security conferences return to local locations, the cybersecurity community is buzzing with concerns about multi-channel phishing attacks, with mobile phishing being the biggest concern, as hackers turn to mobile to launch smishing and compromising text attacks.

By moving all the way to the cloud, apps and browsers are all we need to communicate with work, family and friends. While most of us are aware of cybersecurity, we are not infallible. We may be lured into providing personal information and credentials or installing malicious apps that could undermine even the most sophisticated cybersecurity defenses. Our reliance on mobile devices with little or no protection against malicious attacks leaves personal data and business data at risk.

Multi-channel phishing attacks are on the rise and more breaches are successful because hackers deliver highly targeted attacks on a massive scale – powered by automation technology, taking advantage of human psychology and exploiting our use of apps, browsers and multiple communication channels.

Humans are the most strategic cybersecurity entry points in an organization because criminals can use psychology to trick us into overriding or undermining even the most sophisticated cybersecurity protection setups. And today’s sophisticated attacks are largely invisible to the human eye. Gone are the poorly spelled phishing emails from yesterday. Today’s human hacking can trick even the most security-conscious professional into following a malicious URL or logging on to an illegitimate website and revealing data and a network. For the attacker, it is much more straightforward and at a lower cost to attack a human than a network or a well-defended machine.

‘Furthermore, our world – and the way we use technology – has changed dramatically. This has further increased the risk of human hacking attacks. After the pandemic, a large percentage of the workforce will continue to have some hybrid remote / office events – meaning we are mixing our personal and professional worlds online more than ever. It opens us up to more threats, especially when human hacking attacks come from legitimate infrastructure. We have turned to interacting through apps and working on browsers. Using collaboration channels like Zoom and Slack and doing almost everything through our smartphones has opened up several attack vectors.

Gone are the days when phishing emails were easily detected due to low quality logos, poor grammar or just the incredible nature of the email. Now the attackers are well-equipped and very strategic around their attacks, and the credible text message or invitation on social media from a cybercriminal is far more dangerous.

Then the large number of these channel users multiplies the risk equation for companies. Add to that the fact that attacks have evolved to the point where a single attack will use multiple channels to convince users that they are legitimate. There is also the big question of underestimating the risk of the human factor – today’s attacks are simply impossible to detect with only human views, assessments and investigation.

What to look for

Now, especially as the browser is becoming the enterprise operating system, the number of channels for attack has increased. Browser extensions and plug-ins are available through highly respected major brands, including Android and Apple, but they are not always secure. In addition, browser search results can be integrated with attacks, attracting the user’s attention with something they are interested in and more likely to click on. And of course, regular Microsoft 365 apps and enterprise productivity apps like LinkedIn, Dropbox and WhatsApp are open to phishing abuse.

Since human hacking is a unique problem, we need to focus on humans to solve it. It is important to train people to recognize threats, but the attacks are too difficult to spot by users to train employees to be careful about having adequate security. Asking people to forward suspicious requests to IT is a help, but not a cure. There are simply too many compelling attacks coming in on all channels for IT to keep up with those being forwarded.

There are better ways. First, recognize that cybercriminals attack people in organizations and then defend them – on every digital channel. Second, take advantage of artificial intelligence and machine learning to identify threats and then apply that protection to endpoints in an organization’s network – from employee smartphones to Zoom accounts.

In a world where we are trying to be one step ahead of hackers, it’s time to acknowledge the scale of the multi-channel challenge on the horizon – and a new approach that empowers the people who are under attack.

About the author

Patrick Harr

Patrick Harr is the CEO of SlashNext, the authority in multichannel phishing and protection against human hacking across email, web and mobile.

William

Leave a Reply

Your email address will not be published.