Phishing Attacks Are Increasing... Are Your Employees Educated On What To Look For?

We’re frequently warning our customers and readers about the risks of phishing scams and attacks, and it looks like we won’t be stopping anytime soon. A new report in Infosecurity Magazine reveals that the rate at which business users clicked on phishing links was up in 2024, nearly triple the rate from 2023.

That’s what we in the industry like to call, well, really bad news.

Before we get into why things are getting worse instead of better (and what you should do to limit risk), let’s quickly review how these scams are built.

The Anatomy of a Phishing Scam

A phishing scam starts with a message of some sort: traditionally it was an email, but it could also be a text message, online ad, or even a search result (though this is less common than other methods).

The message appears to come from a legitimate source (in recent business attacks, Microsoft 365 and Docusign were the top companies the scammers pose as). And it always urges some kind of action, like securing an account or resetting a password or avoiding legal action (no, the IRS doesn’t have a warrant out for your arrest, we promise).

Most importantly, every phishing message includes a “handy” and oh-so-convenient link, which the message says is the key to fixing whatever’s so urgent.

The message seems convincing, the link looks pretty normal, and even the destination — the page you land on after clicking the link — looks pretty close to what you’d expect from whatever brand or entity is being spoofed.

And that’s the trick: these messages are actually from bad actors who want to steal your credentials. When you attempt to log into the fake landing page, that’s it: now the bad guys have your username and password.
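For teams that triage reported messages, the pattern above (a message that names a trusted brand while its link leads somewhere else) can be checked mechanically. The Python below is an added example, not part of the original article; it also flags links whose visible text shows a different site than the real destination, and the brand allow-list, function names and sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example, covering the two brands the article names.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"},
    "docusign": {"docusign.com", "docusign.net"},
}
SAMPLE = ('<p>Your Microsoft 365 password expires today.</p>'  # constructed sample message
          '<a href="https://login.microsoftonline.com.account-check.example.test/reset">'
          'https://login.microsoftonline.com/reset</a>')

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # host of a URL or of bare "site.com/path" text; "" if unparseable
    try:
        host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    except ValueError:
        return ""
    return host.lower().rstrip(".").removeprefix("www.")

def under(host, domain):  # True when host is the domain itself or a subdomain of it
    return host == domain or host.endswith("." + domain)

def review_links(html_body):  # returns (href, reason) pairs worth a second look
    collector, findings = LinkCollector(), []
    collector.feed(html_body)
    for href, text in collector.links:
        if not href.lower().startswith(("http://", "https://")):
            continue  # mailto:, tel: and fragment links carry no web destination
        host, shown = host_of(href), "" if " " in text else host_of(text)
        if "." in shown and not under(host, shown):  # text shows one site, link goes elsewhere
            findings.append((href, f"text shows {shown}, link goes to {host}"))
        for brand, domains in BRAND_DOMAINS.items():  # brand named, link leaves its domains
            if brand in html_body.lower() and not any(under(host, d) for d in domains):
                findings.append((href, f"message names {brand}, link goes to {host}"))
    return findings
```

Running `review_links(SAMPLE)` returns two findings for the one link. Both checks are heuristics for prioritizing review, so a legitimate vendor email that mentions one of these brands will also be flagged.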

Why Phishing Scam Success Rates Are Climbing

There are a few reasons why scammers are having so much success.

1. Attacks are more numerous

First up, they’re sending more attacks than ever, and these attacks are getting more sophisticated and harder to spot. These emails used to be poorly written, full of typos and weird characters. But new generative AI tools (ChatGPT and the like) make it far easier to sound polished and professional, and the bad guys have absolutely taken notice.

2. Attacks are coming from sources other than email

Another reason for the increase in successful attacks is that the bad guys are branching out. Most of us know that we should be careful with emails. But social media posts and comments (yes, even on LinkedIn), online display ads, and even search engine results (thanks to fraudulent ad placement and SEO poisoning) can all be sources of phishing scams, too.

This tactic is working: in 2024, more clicks came from web links of various types than from email.

3. Users are struggling with “scam fatigue”

Third and perhaps worst of all, more people are falling victim because users are just plain tired: with so many scams, spammy search results, fake posts, AI-generated social media slop, and other not-quite-based-in-reality problems, people are tired of having to separate fact from fiction and keep their guard up all the time.

Good News: Proven Solutions Still Work

The phishing news coming out of 2024 isn’t great, but there is good news: the same proven solutions we’ve been promoting for years still apply. Employee training, which teaches your team to spot the telltale signs of phishing schemes, is still a top tool. And multi-factor authentication (MFA) is still your #1 defense: with MFA enabled, stealing usernames and passwords isn’t enough. The scammers have to crack an entire other layer of authentication, something that most of them won’t be able to do.

Does your team need help with cybersecurity training, or do you want to learn more about stepping up your cybersecurity (starting with MFA)? Blue Ridge Technology, Inc. can help. Give us a call anytime.