The cybercrime landscape has changed significantly over the past few years. Most CISOs are aware of headline-grabbing threats like ransomware and crypto scams, but comparatively few have kept up with shifting tactics in one of the oldest cyberattack vectors: phishing.

Attackers have become more sophisticated at impersonating organizations and their employees on websites and social media platforms, and the FBI consistently ranks phishing as the most prevalent form of internet crime. In the FBI’s most recent Internet Crime Report, it counted more than 241,000 phishing victims over the last year, which accounts for a full third of all reported internet crime and is more than double the number of victims of the second most prevalent internet crime.

Survey data from our External Threat Protection Test reveals that the majority of CISOs aren’t doing nearly enough to protect their organization from phishing. No organization can be too vigilant fighting against impersonators attempting to access company, employee or customer data. Understanding how the phishing landscape has changed is the first step toward building an effective defense.

You can’t protect what you don’t see

When it comes to phishing, the days of Nigerian princes and long lost aunts are fading into history. Today, most security-minded organizations regularly run phishing audits to identify weak spots in their defenses. This forces cyberattackers to adopt new strategies, many of which still frequently go unnoticed by businesses. Four key phishing methods have seen a significant increase in activity: website phishing, executive impersonation, whaling attacks and social media phishing.

Website phishing includes a broad range of activities such as registering domains associated with the company and designing fraudulent websites with the company’s trademark. In this way, attackers aim to trick unwitting visitors into clicking malicious links or providing personal information. While fraudulent websites are nothing new, what has changed is the pace of their deployment. Today, an estimated 1.5 million phishing sites are created every month, and the majority of sites exist for less than 24 hours to avoid old detection methods like URL blacklists.

Executive impersonation involves an attacker posing as a CEO or another leader within an organization in an attempt to extract sensitive information from other employees. This threat vector has become particularly important as organizations embrace remote or hybrid work environments where digital communication increasingly replaces face-to-face interactions. In fact, data suggests that executive impersonation attacks have skyrocketed since the beginning of the global pandemic with a 131% increase between the first quarter of 2020 and the first quarter of 2021.

Whaling attacks have also been on the rise. These phishing attempts are the inverse of executive impersonation. Instead of an attacker posing as an executive to dupe employees, the attacker poses as an executive to trick another executive, typically a CEO or CFO, into providing sensitive data or sending funds to the attacker’s account. Data reveals that nearly two-thirds of organizations report an executive being targeted by a whaling attack, and nearly 50% of organizations say their executive fell victim to the attack. According to the FBI’s 2020 Internet Crime Report, business email attacks, which include whaling and executive impersonations, resulted in $1.8 billion lost last year, making it one of the most costly forms of cybercrime.

Social media is rapidly displacing email as the preferred tool for phishing attacks. The ease with which attackers can create fraudulent accounts combined with the propensity to divulge personal information on these sites makes popular platforms a breeding ground for impersonators. Research suggests that up to half of all social media logins are fraudulent, and last year law enforcement calculated that $155 million was lost through social media attacks. 

How to fight phishing in 2022

The defining features of modern phishing attacks are speed and scale. When phishing websites only pop up for a few hours at a time and creating a fake social media profile only takes a few minutes, it’s hardly surprising that CISOs everywhere are struggling to stay one step ahead of attackers. But in many cases, CISOs aren’t even aware of the vulnerabilities facing their organization.

Our recent CISO survey revealed a staggering shortfall of phishing protection in the four key areas outlined above. Particularly troubling was the lack of protection against social media and website phishing, which rank among the most common and effective methods of compromising a business.

The majority (56%) of CISOs surveyed said they didn’t monitor social media at all or only manually checked key social media platforms like Facebook, Twitter and LinkedIn on occasion for impersonation or phishing attacks. Further, a third of CISOs don’t monitor their CEO or other executives on social media platforms and only 12% confirmed that they take a broad approach to social media protection by collecting reports on suspicious Facebook pages or regularly monitoring Facebook ads, users, pages and groups.

The results for website phishing protection weren’t much better. About a third of CISOs responded that they monitor their domain registrations for fraudulent activities on a regular basis and roughly the same percentage of CISOs monitor content changes on domains they’ve registered in the past without checking record changes as well.

When considered in the context of skyrocketing phishing attacks, the implication of the survey results is clear. CISOs need to better prepare to defend their organization from impersonators in 2022 by creating defenses that stop phishing attacks wherever they occur.

Many of the techniques employed by CISOs in the coming year will be tried and true. Educating employees, running frequent security audits and using multi-factor authentication are a must. But CISOs must also commit to increasing their awareness of the threat landscape by proactively monitoring for phishing attacks.

The speed and scale of modern social media and website phishing make them difficult to defend with manual methods. A single person can’t possibly search through millions of social media posts, links and websites for fraudulent activity on their own. This is where automated, intelligent tools have a lot to offer CISOs. AI-driven software can constantly monitor social media and websites for malicious links, fake profiles, fraudulent branding, and other precursors of phishing attacks. With real time alerts from automated sentries, CISOs can take fast action to neutralize threats before they become a problem for their organization.