Phishing exploits communications platforms

By Rotem Shemesh, Lead Product Marketing Manager, Security Solutions at Datto

Simple, easy to launch, and highly effective: is it any wonder that phishing attacks are increasing and broadening their reach to other platforms? While phishing is not new, it is often the first step to large-scale cyberattacks. A decade ago, phishing emails were relatively easy to spot; however, they have evolved with targeted campaigns so sophisticated they can bypass most security solutions – tricking users into sharing confidential information. Automated customization has made it extremely easy for bad actors, even those with little to no hacking experience, to launch highly tailored attacks. While no organization is immune, small and medium-sized businesses (SMBs) are being targeted at an accelerated rate.

Hackers continually look for other platforms to exploit, where people have yet to raise their guard. Nontraditional phishing mediums such as instant messaging are fast becoming the platform of choice for phishing attacks. This comes as no surprise; since the onset of the pandemic, the use of digital communications tools such as instant messaging has skyrocketed, resulting in a tsunami of phishing attacks. In 2021, nearly 80% of workers reported using collaboration tools for work, up a whopping 44% since the pandemic. In conjunction with organizations migrating to the cloud, instant messaging platforms have become the norm for today’s hybrid office, making them an attractive venue for hackers and intensifying the phishing threat.

Why instant messaging provides a fertile ground for phishing

Many IM apps like Slack, Microsoft Teams, Skype, WhatsApp, etc., are not designed with security features, so threat actors have found an open playing field that is easy to prey upon. Although many organizations have basic security measures in place, such as a generic security layer supported by their email provider, and some companies have a few additional layers of security, the majority have yet to deploy robust cybersecurity. This means that messaging platforms remain largely unprotected.

In addition to using instant messaging platforms for external communications, many companies are now relying on these apps for internal communications as well. A common belief among employees is that internal communications are controlled and secure, giving them a false sense of confidence that they are unlikely to be exposed to potential threats. Since most employee training and phishing awareness programs relate to email-based scams, even vigilant employees may be less likely to spot an instant messaging phishing technique. The combination of the hybrid workplace and false sense of security results in people letting their guard down – creating a perfect storm for successful phishing.

What users need to know about instant messaging phishing attacks

In the past, bad actors used a more sophisticated phishing approach, where targets were primarily ‘big fish’ victims. Today, it’s become common practice for cybercriminals to leverage new technologies to simultaneously send large quantities of phishing messages for maximum impact and success. No longer limited to professional cybercriminals, amateur hackers can easily purchase phishing kits on the dark web. And since customization is now automatic, both seasoned and novice bad actors are phishing less obvious and/or lucrative targets such as smaller businesses that most likely lack robust security measures.

This is typically accomplished by relying on social engineering to gain access to potential victims. Once access is gained, a commonly used method is for the bad actor to send instant messages that demand an immediate response or elicit a sense of fear. For instance, a threat actor will masquerade as a trusted source and send an instant message informing users of the detection of an application vulnerability or that an account has been compromised and deactivated. In each scenario, the user is prompted to take immediate action, such as updating a password or changing an account.

How to stay under the instant messaging phishing radar

It’s no longer a matter of ‘if’ but ‘when’ your organization will encounter an instant messaging phishing attack. Companies of all sizes need to be aware, prepared and protected to successfully combat phishing adversaries. As the first step, companies must be mindful that phishing attempts on instant messaging platforms are rising. Additionally, organizations must keep abreast of current and new phishing strategies, security policies, and protection solutions.

The second step – being prepared – means making security a top priority. Employees are on the frontlines of your defense and need security education and training. Frequent education on recognizing instant messaging phishing attempts should be mandatory. The caution employees already apply to email phishing attempts should also be instilled when they read messages on Slack, Microsoft Teams, Skype, WhatsApp, etc. The more training provided to employees, the better prepared they will be to identify instant messaging phishing attempts. And once an attack has been identified, companies need to make it easy for users to report the breach quickly.

Finally, it’s imperative for organizations to implement security solutions that provide instant messaging protection. In many cases, these are the same security solutions that are being used for email protection. Since these security solutions are typically provided via application programming interfaces (APIs), they are easy to install and use and can provide instant messaging platform protection for internal and external business communications.

It goes without saying but needs to be reinforced – users should never provide any sort of credentials, financial details, or other sensitive information over instant messaging. Even when an employee receives an instant message that looks like it is from someone they know, caution should be taken. Instant messages containing odd and unexpected requests such as asking for a password are red flags and must be reported promptly.
