SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
COVID-19 vax most popular topic for phishing attacks in 2021
Thu, 27th Jan 2022

While phishing attacks remain a consistent threat to online security, attackers are switching up the topics they use to bait unsuspecting victims, according to a study by Positive Technologies.

The company analysed the ten most popular phishing attack topics and found that social engineering rose 16% between 2020 and 2021, suggesting that attackers are refining their methods and adapting to the changing environment.

The study found that phishing-as-a-service will play a major part in the collaboration between cybercriminals and the trade of tools used to conduct cyber attacks. These 'off the shelf' tools include malicious scripts and fraudulent websites.

Positive Technologies' list of the top 10 phishing attack topics in 2021:

  • COVID-19, particularly vaccinations – Scammers offered fake QR codes and certificates and held fake employee vaccination surveys to harvest data.
  • Corporate communications – Attackers took advantage of news related to changes in salary, social benefits and bank charges.
  • Mail services – Attackers stole money and data, asking customers of such services to "pay" for delivery and customs clearance, or "check" the status of their package.
  • Cryptocurrency or oil and gas investments – Attackers created fake websites imitating the sites of well-known companies, and fake investment platforms.
  • Banking – Attackers posed as well-known brands to attract victims with the promise of payouts, soft loans or compensation for fraud victims, and by notifying users about "problems" with mobile banking.
  • Upcoming TV shows and movies – Scammers stole account data and bank cards through fake websites that imitate popular streaming services.
  • Subscriptions – Attackers sent emails to victims about renewing subscriptions to cloud, TV, or music platforms.
  • Sporting events – Last year the Tokyo Olympics and the UEFA European Championship were prime targets. Attackers also conducted attacks related to the 2022 FIFA World Cup.
  • Travel and holidays – Phishing emails and websites used discounts and promotions to ask people to book holidays or tickets.
  • Dating – Attackers stole from victims by creating fake profiles in dating apps.

The company predicts that the FIFA World Cup and Winter Olympics could become this year's new fodder for phishing attacks.

“Attackers may take advantage of the launch of the digital ruble prototype to create phishing sites and sell fake cryptocurrency. We can also expect the expansion of fraudulent schemes using social engineering in the field of investment. The victims here will be private investors persistently targeted by scammers under the guise of professional investors, authors of training courses, and fake investment platforms,” comments Positive Technologies Information Security Analytics Research Group head Ekaterina Kilusheva.

Positive Technologies recommends that people always check a sender's email address, avoid clicking on suspicious links and make sure a website is real before entering login details or payment data. Users should also sandbox or scan all files they receive.