Each year in our Phishing Trends and Intelligence (PTI) report our team highlights the continued growth and impact email-based phishing attacks continue to have on brands and people around the globe. In following these trends, email-based attacks are still steadily growing in numbers; however, this begs the question of what the future holds.
More specifically, at what point will phishing emails plateau and something else take its place?
According to one of this year’s PTI report key findings, we have a bit more insight:
Attacks targeting social media platforms have nearly tripled since last year due to the inherent trust between users and the platform or brand.
The above finding highlights phish that involve the misuse of social media brands, which can also include falsely representing them through email lures or fake login webpages. The specific number of attacks through the platforms are unfortunately more unclear as they typically don’t self-report the findings. However, a quick search shows numerous recent incidents from Russian threat actors to scammers manipulating users on the platforms.
Impact of Trust in Social Media and Social Engineering
We live in some rather interesting times, and social media tends to be at the forefront of those conversations. In the past year the general consensus on the inherent trust associated with social media has seen a heavy decline. According to Edelman’s annual Trust Barometer report, only 30 percent of people in the U.S. or 41 percent globally trust social media platforms with their data. Similar, a U.K. based study shows a slightly different picture and has their respondents stating 40 percent trust social media platforms. By comparison, the same study showed 53 percent of respondents trusted email providers and 64 percent trusted online banking services with data.
What does this all add up to? The trust we have in brands, financial institutions, and of course social media platforms and email providers results in a lowering of our guard. The more trust, the easier it is for social engineering to be effective. Take for example a request for money.
Scenario A: You get an email that says it’s from a friend, but from an unknown address, requesting $20.
Scenario B: You get an instant message on a social media platform, from a friend you are connected with, and they strike up a conversation saying they are in a bind and could use some money.
Who do you think is more likely to get venmoed the money? Scenario B. You elected to connect with that person, and therefore you have more trust in the connection and context of the conversation. Just as the Trust Barometer report showed a decline in social media trust, this exact scenario is part of the problem. At the top of the list for leading factors in distrust: Identity theft/scams.
Not only are social media delivered phishing attacks effective, they are designed to typically takeover a victims account and spiral outward. The primary key finding from this year’s PTI report reflects just that. Threat actors will attempt to either gain access to social media accounts or email accounts, and in turn use them for password reset attacks or password reuse attacks.
Social media volume increased by nearly 200 percent. It now comprises nearly five percent of all phish and is the seventh most targeted industry. Like compromised email/online services accounts, stolen social media accounts can be used to facilitate additional cybercrime.
Technology Over Security and Policy
Have you ever heard of a platform that focused on security and policy over the technology it offers? Of course not. Both of these elements slow down innovation, and when red tape comes into play, that impacts user growth and adoption. Eventually these become important, but they are often still lagging behind the necessary protections involved. A quick search for social media + policy or security issues will result in an endless array of problems stretching back years. This begs the question, who then becomes responsible when users, or in your case a brand, can be negatively impacted by these weak points?
Ultimately, the combination of social media trust and mass-harvested credentials offers threat actors a clear route to financial return, particularly when password reuse and reset attacks are considered, and that isn’t likely to change in the near future. In turn, that means both parties, and by extension consumers, need to be more vigilant about what they are sharing online, regardless of privacy settings. Fortunately your friends over here at PhishLabs can do the monitoring for you, and you can learn more about our Digital Risk Monitoring service here.
Will Other Digital Mediums Overtake Email?
The short answer is not yet, but the longer answer is that possibility. Unfortunately this is all what-if scenarios and assumes that eventually email will be less useful in the future. Just as landlines were once considered vital for long distance communication, now very few people have them. The numbers say it’s simply too early to tell, and email-based attacks will reign king for the foreseeable future.