Phishing has been one of the most common threats for as long as cyberattacks have existed. As the internet has grown more and more popular, threat actors have become no less reliant on social engineering and deception to carry out their attacks. Over the years, cybercriminals have developed more advanced and sophisticated methods to hone their phishing attacks for more successful and lucrative payouts.
While email is the most well-known vector, there is a diverse array of communication methods that have been leveraged in phishing attacks, from voice messages to QR codes. Multi-channel phishing attacks are only becoming more of a danger, and understanding them is the first step to protecting against them.
The Evolution of Phishing Beyond Email
As technology, the digital landscape, and threat trends develop over time, even the most tried-and-true attack tactics are bound to adapt. Phishing is one of the oldest cyberattacks, and as such, most organizations and individuals alike are at least aware of the existence of phishing as a threat. By taking advantage of newer methods and technologies, bad actors are constantly trying to increase the efficacy of their attacks.
They tend to achieve this through a few different means:
- Advanced Composition: Cybercriminals have attempted to create more sophisticated phishing messages in hopes of more effective social engineering. Some have turned to generative AI to compose their messages, making the deception more convincing.
- Evading Known Security Measures: Phishing and other attacks can sometimes be developed specifically to circumvent preventative measures that the target has in place, such as by obtaining access to an authorized account to evade tools that search for external communications.
- Alternative Communication Methods: Branching out into other communication vectors, especially to take advantage of newer technologies. Targets are less likely to be on the alert for phishing attacks in communications other than the typical email.
Alternative communication methods include a wide range of media. Recently, the use of group chat platforms has been on the rise. These platforms are appealing targets “because of their growth as business communication platforms,” according to Galit Lubetzky Sharon, CEO at Wing Security. “Although email remains the most popular, many critical business conversations occur on platforms like Slack and Teams.”
Communications through these platforms often include sensitive business data, and connections between applications may provide a path for bad actors to infiltrate beyond the initial attack vector. Users are also likely not to expect malicious messages from professional channels. Targets have an innate trust in messages arriving through these channels, priming them to fall for a deceptive social engineering attack.
Examples of Multi-Channel Phishing Attacks
In recent years, a number of high-profile incidents have highlighted the need for measures and practices against multi-channel phishing attacks.
- The 0ktapus phishing campaign compromised over 130 organizations, stealing the login credentials of almost 10,000 individuals. Targets received text messages that redirected them to a spoofed version of single sign-on service Okta’s authentication page.
- Computer game publisher Activision experienced a security breach in 2022 as the result of a phishing attack launched via Slack. Attackers gained access to the Activision Slack channel and attempted to compromise multiple employees, with only one falling for the deception.
- In 2023, Russian state-sponsored threat group Midnight Blizzard launched an attack via Microsoft Teams, using previously compromised Microsoft 365 credentials.
- Threat actor Storm-0324 also sent out large numbers of phishing lures via Teams, targeting businesses with messages including links to malicious ransomware payloads.
Developing a Unified Communication Security Strategy
With the growth of cloud technology, remote and hybrid working environments, and multi-channel phishing attacks, it is more important than ever to build a unified communication security strategy. Organizations can no longer rely on email security alone to protect their vital resources against the pervasive, persistent threat of phishing.
Some steps that businesses can take to secure non-email communication platforms and achieve truly effective phishing protection include:
- Developing policies across the organization that apply security best practices to all professional communications.
- Investing in security awareness training for employees, including phishing awareness and prevention.
- Fostering a culture of cybersecurity with the understanding that security is everybody's responsibility within an organization and empowering employees to fulfill their role in identifying and preventing phishing attacks.
- Ensuring all workspaces within professional platforms like Slack and Teams are configured securely, including user permissions, channel access, and messaging settings.
- Implementing security measures like multi-factor authentication and Enterprise Key Management to bolster protections against fraud and phishing.
Using cybersecurity best practices and effective user training, organizations can protect against a wide range of phishing attacks. Phishing as a threat is daunting and diverse, with many forms, tactics, and goals. Securing only email communications is not an effective way to protect a business against the dangers associated with phishing attacks. Developing a unified approach to securing all communication channels is the most effective way to protect against phishing attacks, whether they are delivered by email or launched via Slack.
