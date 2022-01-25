Positive Technologies Names Top 10 Phishing Topics of 2021

January 2022 by Positive Technologies

In a new study, Positive Technologies listed the ten most popular topics used in phishing attacks throughout 2021. According to the company, the share of attacks on individuals using social engineering in Q3 2021 increased to 83%, up from 67% in the same quarter of 2020. Although most attack vectors remain current from year to year, attackers are constantly refining their methods and adapting to pandemic conditions. Criminals increasingly exploit the greater public demand for vaccinations, delivery services, online dating, subscriptions to services, and even compensation for fraud victims.

According to Positive Technologies, the top 10 phishing topics of 2021 were:

COVID-19 – The main topic in this area in 2021 was vaccination: scammers offered fake QR codes and certificates, and held fake employee vaccination surveys to harvest data.

Corporate communications – The analysis showed that news related to changes in salary, social benefits and bank charges is fertile ground for phishers.

New TV shows and movies – Ahead of high-profile releases, scammers have more success stealing account credentials and bank card details through fake websites that imitate popular streaming services.

Sporting events – In 2021, attackers exploited the topics of the Tokyo Olympics and the UEFA European Championship, and phishing related to the 2022 FIFA World Cup appeared a year in advance.

Banking issues – Under the guise of well-known brands, cybercriminals lure victims with the promise of payouts, soft loans or compensation for fraud victims, and by notifying users about "problems" with mobile banking.

Mail services – Fraudsters steal money and data by asking customers of delivery services to "pay" for delivery or customs clearance, or to "check" the status of a package.

Travel and vacation – Phishing emails and websites invite users to book vacations and tickets, tempting them with promotions and discounts.

Dating – Cybercriminals cynically exploit the craving for human contact during the mass transition to remote working, and steal from victims by creating fake profiles in dating apps.

Subscriptions to music, movie and cloud services – Scammers take advantage of the popularity of subscription-based services, sending emails to victims about renewing subscriptions to various platforms.

Investments in cryptocurrency and oil & gas – Against the backdrop of the rising popularity of investments among individuals, cybercriminals create fake websites imitating the sites of well-known companies, and even entire fake investment platforms.

“In 2022, we again expect to see a large number of phishing attacks related to major events, including mass emails on the topics of the FIFA World Cup and the Winter Olympics,” said Ekaterina Kilyusheva, head of the Information Security Analytics Research Group at Positive Technologies. “There is also a high probability of attacks on users in connection with the release of new movies and TV shows. 2022, for example, will see the release of a new series based on the works of J. R. R. Tolkien. And attackers may take advantage of the launch of the digital ruble prototype to create phishing sites and sell fake cryptocurrency. We can also expect the expansion of fraudulent schemes using social engineering in the field of investment. The victims here will be private investors persistently targeted by scammers under the guise of professional investors, authors of training courses, and fake investment platforms.”

In addition, Positive Technologies predicts the further development and expansion of the phishing-as-a-service model. This model is based on collaboration between cybercriminals and the buying and selling of off-the-shelf solutions, such as fake websites or malicious scripts.

To avoid the damaging consequences of phishing, experts recommend users always check a sender’s email address; never click suspicious links; and never enter credentials or payment data without making sure the website is real. Book hotels and tickets, and take out subscriptions only through trusted resources. To prevent malware infection, scan all received files. In a corporate environment, use sandboxes for this.
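The two checks recommended above, look at the sender's real address and make sure a site is what it claims to be, can be partly automated. The following Python is an added example written for this page, not code from Positive Technologies or the study. The trusted-domain list, the confusable-character table and the sample headers and URLs are constructed assumptions, and the registrable-domain logic is deliberately simplified (it ignores multi-label public suffixes such as co.uk).

```python
"""Heuristic checks for the 'check the sender address' and 'make sure the
website is real' advice: flag From: headers and links whose domain merely
looks like a trusted brand. Added example, not Positive Technologies' code."""
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed list of trusted registrable domains (assumption: a real
# deployment would load its own brand/partner list).
TRUSTED = {"netflix.com", "dhl.com", "olympics.com"}

# Characters scammers swap for look-alikes (0 for o, 1 for l, 3 for e ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def registrable_domain(host: str) -> str:
    """Return the last two labels ('billing.netflix.com' -> 'netflix.com').
    Simplification: multi-label suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """'trusted' for an exact trusted registrable domain, 'suspicious' when the
    host only resembles or embeds a trusted brand, otherwise 'unknown'."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return "trusted"
    # Undo common visual substitutions before comparing ('rn' reads as 'm').
    normalised = reg.replace("rn", "m").translate(CONFUSABLES)
    tokens = set(re.split(r"[.-]", host))  # labels and hyphen-separated words
    for brand in TRUSTED:
        name = brand.split(".")[0]
        # Brand name used as a subdomain/word of an unrelated domain:
        # netflix.com.account-verify.xyz, dhl-delivery.com, netflix.co
        if name in tokens and reg != brand:
            return "suspicious"
        # One-character typo or confusable substitution in the registrable
        # label (netf1ix.com). Short brand names raise the false-positive rate.
        if edit_distance(normalised.split(".")[0], name) <= 1:
            return "suspicious"
    return "unknown"


def check_sender(from_header: str) -> dict:
    """Compare the display name with the real address in a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_host(domain) if domain else "unknown"
    claims_brand = any(b.split(".")[0] in name.lower() for b in TRUSTED)
    if claims_brand and verdict != "trusted":
        verdict = "suspicious"  # display name says 'Netflix', address does not
    return {"address": addr, "domain": domain, "verdict": verdict}


def check_link(url: str) -> dict:
    """Classify the host a link really points to, including the
    'https://brand.com@attacker.example' user-info trick."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    verdict = classify_host(host) if host else "unknown"
    if "@" in parts.netloc:
        verdict = "suspicious"  # everything before '@' is ignored by the browser
    return {"host": host, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample headers and links, not real phishing samples.
    for hdr in ('"DHL Express" <no-reply@dhl.com>',
                "Netflix Billing <noreply@netf1ix.com>",
                "Netflix <support@mail-service.example>"):
        print(check_sender(hdr))
    for link in ("https://www.netflix.com/login",
                 "https://netflix.com@account-verify.xyz/login",
                 "http://dhl-delivery-fee.com/track?id=1"):
        print(check_link(link))
```

The verdicts are heuristics for triage, not proof: a "trusted" result only means the registrable domain matches the list, so it should be combined with SPF/DKIM/DMARC results on the mail side and with a certificate check in the browser before credentials or payment data are entered.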