Phishing exploits communications platforms


By Rotem Shemesh, Lead Product Marketing Manager, Security Solutions at Datto

Simple, easy to launch, and highly effective; is it any wonder that phishing attacks are increasing and broadening their reach to other platforms? While phishing is not new, it is often the first step to large-scale cyberattacks. A decade ago, phishing emails were relatively easy to spot; however, they have evolved with targeted campaigns so sophisticated they can bypass most security solutions – tricking users into sharing confidential information. Automated customization has made it extremely easy for bad actors, even those with little to no hacking experience, to launch highly tailored attacks. While no organization is immune, small and medium-sized businesses (SMBs) are being targeted at an accelerated rate.

Hackers continually look for other platforms to exploit, where people have yet to raise their guard. Nontraditional phishing mediums such as instant messaging are fast becoming the platform of choice for phishing attacks. This comes as no surprise; since the onset of the pandemic, the use of digital communications tools such as instant messaging has skyrocketed, resulting in a tsunami of phishing attacks. In 2021, nearly 80% of workers reported using collaboration tools for work, up a whopping 44% since the pandemic. In conjunction with organizations migrating to the cloud, instant messaging platforms have become the norm for today’s hybrid office, making them an attractive venue for hackers and intensifying the phishing threat.

Why instant messaging provides a fertile ground for phishing

Many IM apps like Slack, Microsoft Teams, Skype, WhatsApp, etc., are not designed with security features, so threat actors have found an open playing field that is easy to prey upon. Although many organizations have basic security measures in place, such as a generic security layer supported by their email provider, and some companies have a few additional layers of security, the majority have yet to deploy robust cybersecurity. This means that messaging platforms remain largely unprotected.

In addition to using instant messaging platforms for external communications, many companies are now relying on these apps for internal communications as well. A common belief among employees is that internal communications are controlled and secure, giving them a false sense of confidence that they are unlikely to be exposed to potential threats. Since most employee training and phishing awareness programs relate to email-based scams, even vigilant employees may be less likely to spot an instant messaging phishing technique. The combination of the hybrid workplace and false sense of security results in people letting their guard down – creating a perfect storm for successful phishing.

What users need to know about instant messaging phishing attacks

In the past, bad actors used a more sophisticated phishing approach, where targets were primarily ‘big fish’ victims. Today, it’s become common practice for cyber criminals to leverage new technologies to simultaneously send large quantities of phishing messages for maximum impact and success. No longer limited to professional cybercriminals, amateur hackers can easily purchase phishing kits on the dark web. And since customization is now automatic, both seasoned and novice bad actors are phishing less obvious and/or lucrative targets such as smaller businesses that most likely lack robust security measures.

This is typically accomplished by relying on social engineering to gain access to potential victims. Once access is gained, a commonly used method is for the bad actor to send instant messages that demand an immediate response or elicit a sense of fear. For instance, a threat actor will masquerade as a trusted source and send an instant message informing users that an application vulnerability has been detected or that an account has been compromised and deactivated. In each scenario, the user is prompted to take immediate action, such as updating a password or changing an account.

How to stay under the instant messaging phishing radar

It’s no longer a matter of ‘if’ but ‘when’ your organization will encounter an instant messaging phishing attack. Companies of all sizes need to be aware, prepared and protected to successfully combat phishing adversaries. As the first step, companies must be mindful that phishing attempts on instant messaging platforms are rising. Additionally, organizations must keep abreast of current and new phishing strategies, security policies, and protection solutions.

The second step – being prepared – means making security a top priority. Employees are on the frontlines of your defense and need security education and training. Frequent education on recognizing instant messaging phishing attempts should be mandatory. Just as employees are more suspicious of email phishing attempts, the same caution should be instilled when reading messages on Slack, Microsoft Teams, Skype, WhatsApp, etc. The more training employees receive, the better prepared they will be to identify instant messaging phishing attempts. And once an attack has been identified, companies need to make it easy for users to report the breach quickly.

Finally, it’s imperative for organizations to implement security solutions that provide instant messaging protection. In many cases, these are the same security solutions that are being used for email protection. Since these security solutions are typically provided via application programming interfaces (APIs), they are easy to install and use and can provide instant messaging platform protection for internal and external business communications.

It goes without saying but needs to be reinforced – users should never provide any sort of credentials, financial details, or other sensitive information over instant messaging. Even when an employee receives an instant message that looks like it is from someone they know, caution should be taken. Instant messages containing odd and unexpected requests such as asking for a password are red flags and must be reported promptly.
