According to the 2019 Verizon Data Breach Investigations Report, 32% of all breaches worldwide in the past year involved phishing. Understanding the current phishing threat landscape is key to managing the risks associated with phishing. Possible risks include identity theft, monetary loss, data loss, compromised data or devices, loss of intellectual property, reputational damage and more. These risks may be triggered by clicking malicious embedded links in messages, opening unexpected malicious attachments, giving sensitive information to a caller, entering your credentials on a forged website login prompt, etc. For information on phishing scams and how to avoid them, please see the following Connect article, Phishing, Spear Phishing, and Whaling.
Imposter scams were a 2019 trend. Many of these scams were detailed in 2019 NYU IT Security News & Alerts blog posts:
- Recent Examples of File Sharing Phishing Messages
- Silent Librarian Phishing Campaign Reprise
- Hurricane Dorian Scams
- New Imposter Gift Scams Targeting Worshipers
- Social Security Administration Phone Scam Alert
- Silent Librarian Phishing Campaign
- Scammers Use Recent Disasters to Spread Malware
- Executive Impersonation Phishing Campaign Alert
- Old Phishing Scam Makes a Comeback
- Gift Card Scam Alert/Update
The following are additional noted 2019 phishing trends:
- Nearly 30% of targeted phishing attacks are directed at generic email accounts, typically shared by 2 or more employees, because these attacks reach multiple targets and therefore have a greater chance of success.
- Increasingly sophisticated targeted (spear phishing and whaling) attacks in which scammers reach out via social media and other trusted channels.
- Microsoft OneDrive phishing attacks (and file sharing phishing attacks in general).
- Tax-themed phishing campaigns spoofing tax authorities around the world. For more information, see the following Proofpoint blog post on the subject.
- Malware delivery via fake job offers from scammers impersonating staffing companies. These scammers may use LinkedIn direct messaging, follow-up email and fake websites to distribute malware.
Reminders:
- Scammers may spoof phone numbers or email addresses, so communications may appear to be coming from a legitimate source when they are not.
- Do not provide or confirm sensitive information via email.
- Fraudulent websites, where malicious links or scam callers may direct you, are now more sophisticated in terms of their look and feel and may use trusted visual cues. For more information, please see the following blog post: Phishing Sites Now Using Green Padlock Symbols.
- Never click on embedded links or attachments in unexpected email messages. If an embedded link is present in a message coming from a company with whom you have an account, visit your account via a trusted URL that you type into your web browser to take the requested/suggested actions.
- Use multi-factor authentication (“MFA”) on all available accounts, as this second layer of authentication via a device you possess will further protect you from credential compromise. For information about NYU MFA, please visit www.nyu.edu/it/mfa.
- To confirm the legitimacy of a communication or an attachment, contact the sender via an independently obtained phone number.
Additional Resources:
- www.nyu.edu/it/security/awareness for videos on imposter scams, gift card scams and email scams generally
- NYU IT Security News & Alerts blog, The Ins & Outs of Text Message Phishing
- NYU KBase article: Recognizing phishing scams and protecting yourself online
- https://www.proofpoint.com/us/security-awareness/post/latest-phishing-may-2019