Computer fraud is the most common form of social engineering attack. Scammers use fake emails (phishing), texts/SMS (smishing) and instant messages or phone calls (vishing) to request passwords, credit or account numbers, or other personal identifying information (PII) from users, direct them to a fake website, or trick them into downloading malware to gain access to systems and networks.
The FBI’s Internet Crime Report found that, “Over 298,000 complaints were filed about phishing schemes last year, which accounted for approximately 34% of all complaints reported,” making it the most common type of cybercrime reported to the FBI. These attacks accounted for $18.7 million in losses in 2023.
“Many individuals and organizations still lack adequate training and awareness about cybersecurity best practices, making them easier targets for phishing type scams,” according to Pragya Agarwal, Vice President, TaskUs Financial Crime and Risk.
Sophisticated phishing attackers make their bogus emails look authentic — as if they’d come from a trusted sender, such as a bank, a government agency or even the recipient’s own boss.
In smishing, aka phishing through SMS, fraudsters send fake text messages to get people to click on bad links, scan a QR code or share their PII.
Another technique scammers use is vishing, or voice phishing, where they pretend to be a bank representative, for example, so that the victim reveals a financial account number. Advances in technology, particularly GenAI and deepfakes, are making these calls even more believable.
Pragya explains, “Attackers now impersonate executives or use AI-generated voices to dupe employees into transferring funds or divulging sensitive information. Language translation tools are also making it easier to create phishing emails at scale.”
Phishing targets individuals as well as businesses, nonprofits and government organizations. According to SlashNext’s The State of Phishing Report, “Since the advent of ChatGPT in late 2022, the number of malicious emails has skyrocketed by 4151%” and “QR-based phishing now constitutes a substantial 11% of all email phishing threats.”
Spear phishing is one type of attack where fraudsters focus on a specific target, typically strategic companies or employees. It’s done in many ways. For example, a scammer might pose as a company’s HR representative asking for your personal information for a required employee database update.
Another tactic, called whaling, targets CEOs or senior executives with the goal of stealing sensitive data or tricking them into sending money.
A related type of attack, business email compromise (BEC), cost businesses over $2.9 billion across the 21,489 complaints the FBI recorded in 2023. BEC involves an attacker taking over an organization’s identity and using its email addresses to send messages to targets that look convincingly real — such as a request for payment or an email from the boss asking for a financial transfer.
While cybersecurity experts categorize BEC as a separate type of fraud, BEC attacks often involve phishing as part of their methodology. The Anti-Phishing Working Group, an industry group, reports that the average wire transfer amount requested in BEC attacks in Q1 2024 was $89,520, up from the prior quarter, and that Google Gmail accounts were used in 72.4 percent of all BEC scams.
In addition to these risks, attackers often use phishing to initiate ransomware attacks and corporate data breaches. An attacker gains initial entry into a business through a phishing message that an unsuspecting recipient at the organization opens. When that person downloads a file or clicks a malicious link, the attacker gains access to the victim’s computer or online accounts and, from there, can continue the attack on the organization in other ways.
In short, phishing is extremely common and, in combination with other types of attacks, can be incredibly costly and disruptive to business.
To prevent phishing, organizations must take several steps:
Training: Arguably the most important defense against phishing is training employees to be more savvy about identifying suspicious emails and not clicking on links or downloading attachments from unknown senders. While technical safeguards are available, human error remains a large vulnerability. Regular anti-phishing training helps employees recognize and respond in safer ways.
Multi-factor authentication: MFA provides a crucial additional layer of security beyond the password. Even if attackers manage to gain access to a user’s password via their phishing attack, MFA can prevent them from logging into sensitive systems unless they can also crack the second factor (such as an authenticator app or SMS message).
Email authentication protocols: Several technical controls help organizations prevent email spoofing (phishing attackers imitating a company by putting its domain in the “From” field of their emails). The internet protocols SPF, DKIM and DMARC together help ensure that incoming emails are from legitimate sources and that emails sent from your domain are marked as authentic (and can’t easily be spoofed).
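As an added example (not from the article or TaskUs), the following Python sketch applies DMARC's identifier-alignment rule: SPF authorizes the sending host for the SMTP MAIL FROM domain, DKIM verifies a signature for the d= domain, and DMARC passes only when one of those authenticated domains aligns with the visible From domain, otherwise the receiver applies the domain owner's published p= policy. The public-suffix set, the AuthResults structure and all domain names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed, minimal public-suffix set so the example runs offline; a real
# evaluator uses the full Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain: str) -> str:
    """Organizational (registrable) domain: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

@dataclass
class AuthResults:
    from_domain: str   # domain in the visible RFC5322.From header
    spf_result: str    # "pass" / "fail" / ... for the SMTP MAIL FROM domain
    spf_domain: str
    dkim_result: str   # "pass" / "fail" / ... for the verified DKIM signature
    dkim_domain: str   # the d= tag of that signature

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate(record: str, r: AuthResults) -> str:
    """Return 'pass' when an aligned identifier authenticated, otherwise the
    action the domain owner's p= tag requests (none / quarantine / reject)."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

if __name__ == "__main__":
    # Constructed spoof: From claims example.com, but only the attacker's own
    # bulk-sender domain passes SPF and no example.com DKIM signature exists.
    spoof = AuthResults("example.com", "pass", "bulk.attacker.net", "fail", "")
    print(evaluate("v=DMARC1; p=reject; adkim=s; aspf=s", spoof))  # reject
```

The same code shows why a relaxed aspf lets mail.example.com send on behalf of example.com while a strict setting requires an exact match or a DKIM signature by example.com itself.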
Early warning systems: More and more cybercriminals are selling ready-made phishing kits on dark web forums and other hacker channels (known as Phishing-as-a-Service, or PhaaS), making it easier for less experienced attackers to run phishing campaigns. Organizations can stay ahead by continually updating threat intelligence and using proactive defenses, such as early warning systems that identify phishing campaigns before they reach their targets.
Zero-Trust frameworks: Ensuring that every transaction and interaction is verified and authenticated can reduce the risk of phishing-related breaches. Fintechs and ecommerce platforms, in particular, must adopt a "never trust, always verify" stance, especially for internal systems and customer access points. Having advanced authentication measures, such as biometrics and behavioral analysis, can prevent more sophisticated social engineering techniques.
Other phishing prevention best practices include conducting regular security assessments, using anti-malware and anti-spam controls, keeping software (especially email programs and browsers) up to date, and monitoring your environment for any unusual or suspicious activity.
While attackers use AI to enhance their phishing campaigns, Pragya points out that businesses can also use fraud prevention services and AI to detect and mitigate threats. Many AI-powered security solutions are available to analyze patterns and detect anomalies in real time.
“Fincrime experts can step in to verify flagged events,” she says.
Tools can also look for warning signals within emails, from metadata to the email content itself. For example, AI can detect forged senders, typosquatted [misspelled] domains and urgent language that may signify a phishing attempt. And if a cybercriminal attempts to impersonate a C-level executive of a company, for instance, AI can detect inconsistencies in the communication style and help block the attack before it causes harm.
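The signals just listed can also be checked with plain rules; as an added example (not the article's own tooling or any vendor product), this Python scanner flags a look-alike sender domain, a Reply-To that diverges from From, and pressure language in one message. The trusted-domain list, the phrase list and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

TRUSTED_DOMAINS = {"example.com", "examplebank.com"}  # constructed allow-list of legitimate domains
URGENT = re.compile(  # pressure phrases that social-engineering lures lean on
    r"\b(urgent|immediately|within 24 hours|account will be suspended|wire transfer)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (1-2 edits away), if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def phishing_signals(raw: str) -> List[str]:
    """Scan one RFC 5322 message and return the warning signals found in it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    signals = []
    imitated = typosquat_of(from_domain)
    if imitated:
        signals.append(f"typosquatted sender domain {from_domain} (looks like {imitated})")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        signals.append(f"Reply-To domain differs from From: {reply_to}")
    text = msg.get("Subject", "") + " " + (msg.get_payload() if not msg.is_multipart() else "")
    hits = sorted({m.group(0).lower() for m in URGENT.finditer(text)})
    if hits:
        signals.append("urgent language: " + ", ".join(hits))
    return signals

SAMPLE = """From: Payroll Team <payroll@examp1e.com>
Reply-To: payroll-update@mail-relay.invalid
Subject: Urgent: update your direct deposit today

Your account will be suspended unless you confirm your details immediately.
"""  # constructed sample lure, not a real message
```

Running phishing_signals(SAMPLE) returns three findings, one per signal; a routine internal message from a trusted domain returns an empty list.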
It’s important to note that attackers are not only targeting businesses and employees. “Customers are also easy targets,” according to Pragya. “Tracking customer feedback and disputes related to scams, and educating customers about the latest trends can help in prevention and mitigation.”
She also urges organizations to create an incident response plan to quickly counter attacks.