The fight to secure your organization grows more complex daily and the attack surfaces continue to expand. It is well known that email, and specifically phishing, remains among the most effective methods for attackers. As a result, threat actors continually develop innovative phishing strategies and tactics.

To fight back, we must look ahead. For this reason, here are seven phishing themes to watch for in 2021.

1) Increased intensity of pandemic-related phishing

Threat actors will continue to leverage COVID-19 as a key phishing campaign theme. Recent research from OpenText shows that over 25% of Americans have already received a COVID-19-related phishing email thus far this year. As significant news stories arrive, such as outbreaks, surges or vaccine research breakthroughs, we can expect targeted phishing attacks that take advantage of the timeliness of these developments.

2) Emotionally-targeted political phishing

Within the United States especially, threat actors will capitalize on an increasingly polarized political climate to target victims using emotionally charged messages. These threats will be designed more to inflame emotion than to fool the intellect. Attackers will seek direct donations by spoofing causes that they have confirmed their victims support. They will also impersonate political figures whom their victims are inclined to trust and advocate for. According to the AARP, threat actors are “eager to take advantage of your civic engagement by tricking you into contributing to a bogus political action committee.”

3) The rise of ransomware

According to ZDNet, the number of ransomware attacks increased by more than 700% from 2019 to 2020. These attacks encrypt the victim’s files, restricting access and leaving behind a “ransom note” demanding payment to unlock a company’s own data. Because so few companies deploy preventative measures, ransomware attacks continue to increase in profitability. As a result, their frequency is expected to continue to increase in 2021.

4) Credential theft via fake login pages

Our own 2020 research identified over 50,000 fake login pages. These included spoofed pages for more than 200 of the world’s most prominent brands. We found nearly 10,000 pages for both PayPal and Microsoft sites. What’s more, thousands of these pages were polymorphic, with multiple permutations to frustrate security workers’ efforts to protect their team members from related attacks. The success of these pages will only increase threat actor efforts in 2021, until countermeasures are appropriately deployed.

5) Increased financial fraud through Business Email Compromise

Business email compromise (BEC) is a sophisticated attack that targets an organization by gaining access to a legitimate internal email account. The attacker then quickly moves to defraud colleagues and partners into sending money or disclosing additional sensitive data. According to TechRepublic, BEC campaigns increasingly targeted finance employees in 2020, with attacks leveraging payment or invoice fraud increasing by over 150%. We expect this trend to continue in 2021.

6) Geo-calibrated time-targeted phishing

Threat actors will continue to target phishing victims at times they are most likely to receive the message on a mobile device, rather than on their desktop or laptop. This means phishing attacks will be geo-calibrated and scheduled to go out after hours on weeknights or during the day on weekends. Statistically, employees are less vigilant during these times and more likely to engage with the attack.

7) Organizations fight back using innovative technology

In order to remediate increasingly advanced email security threats, organizations will deploy solutions that transcend the search for malicious content and move toward more sophisticated analysis. In particular, email security solutions which leverage API-based mailbox level protection, AI-powered anomaly detection and personalized simulation and training will increasingly be deployed within vigilant and proactive organizations.

Attackers are continually and cleverly evolving. We must work together to proactively fight phishing, so we can spend 2021 safer together.

Post by Eyal Benishti
December 14, 2020