Cyberattacks hit Canada hard in 2023. In fact, the average cost of a data breach was a staggering $5.13 million USD, making Canada the third-hardest-hit country worldwide. Incidentally, the United States held the top spot, incurring $9.48 million USD in damages.

According to IBM’s 2023 cost of a data breach report, phishing is the most common initial attack vector, representing 16% of breaches experienced by organizations. This shouldn’t be surprising; after all, phishing attacks are one of the least expensive attacks to launch, yet they generate huge payouts.

Law enforcement has indicated that there’s been an increase in smishing (SMS phishing), impacting shipping companies and many other industries. In June 2023, United Parcel Service (UPS) fell victim to a phishing attack in which Canadian package recipients received text messages demanding payment before their packages could be delivered. Then in November, the Canadian Anti-Fraud Centre reported phishing text messages claiming to offer the Climate Action Incentive Benefit, including links to fake provincial websites.

Why phishing thrives today

The most common initial attack vector today, phishing helps bad actors access a network and search for sensitive data in order to conduct a ransomware attack at a later stage. It’s popular, at least in part, because it’s cheap to conduct. An entire phishing campaign, including a phishing kit and hosting, can cost as low as $50. Also, phishing is easily scalable, because every employee is a target. In an organization with thousands of employees, one oversight by an individual can bring the entire organization down. Remember, an organization’s security is only as strong as its weakest link.

Novel phishing attack types have emerged

Canada and the US are reeling from Truebot malware attacks, also known as Silence.Downloader, that have hit the countries. The CISA and the Canadian Centre for Cyber Security (CCCS) released a joint advisory in July 2023 warning users about the malware’s botnet and loader and injector capabilities that can add victims’ devices to a botnet to cause a chain of infections. The infamous CL0P Ransomware Gang is known to have used Truebot. Such threat actors are leveraging phishing campaigns with malicious redirect hyperlinks to deliver new Truebot malware variants.

This year also saw the rise of QBot Trojan attacks. This type of attack comes in the form of an email with context-aware information. This email will contain an attachment or a link from a trusted source, prompting you to download, open, or enter a password. A single click triggers a malware download, and subsequently, your system or network will be hacked. If the file contains obfuscated data acting as a window dressing, it can go unnoticed by your organization’s security team. This attack is also conducted on reply-chain emails, which often lends to the credibility of the email.

Unfortunately, the novel forms of attacks keep coming. Domain impersonation and business email compromise attacks have also seen a spike. A small tweak to a familiar-looking domain of your organization, along with the display name of a current employee, can trick you into thinking that a malicious request is legitimate.

“What we’ve been seeing is an increase in the use of voicemail and text as part of two-pronged phishing and BEC [business email compromise] campaigns,” Jess Burn, senior analyst at Forrester Research, told CNBC in early 2023. “The attackers leave a voicemail or send a text about the email they sent, either lending credibility to the sender or increasing the urgency of the request.”

Phishers keep improvising. The unsubscribe malware scam is a new phishing tactic that you should be wary of. After someone clicks the unsubscribe button of a fraudulent email, the bad actor learns that the email address is active, making them the target of further phishing emails. The link might also lead to a website that downloads malware onto their system. By the way, the best way to deal with unsolicited emails is to mark them as spam, delete them, or block the sender.

How to prepare for tomorrow

While there are numerous ways to safeguard your digital enterprise, here are my top four tips.

1. Train employees to recognize phishing attempts. Have a red team in your organization to identify vulnerabilities, play the role of an attacker, and periodically simulate attacks. Awareness training can inculcate good habits, such as taking a step back and inspecting anything unusual received over email, SMS, or a phone call. If you receive an email from a legitimate source asking you to do something urgently, it is always best to reach out to the sender separately to confirm the message.

2. Deploy phishing-resistant MFA. Unauthorized access can be prevented by using phishing-resistant MFA. These apps require a passkey that can only be accessed with your face ID or fingerprint authentication.

3. Use UEBA and SOAR for proactive detection and response. A SIEM tool equipped with user behaviour profiling will help you spot anomalies. The user behaviour variables can be customizable; they can be based on time, event patterns, and number of events triggered. ML-driven security orchestration, automation, and response (SOAR) capabilities will automatically execute workflow profiles and assign tickets to security admins to quickly remediate a phishing attack.

4. Monitor privileged users. Privileged users are the most vulnerable to spear phishing because of their access to sensitive information. Have visibility into privileged user account activities, follow the principle of least privilege, and train privileged users to exercise caution.

Today, phishing thrives on social engineering, so it’s vital to stay vigilant, especially if you have privileged access to your network. If you do find anything out of the ordinary, always trust your gut instinct, take a step back, and analyze the situation. Don’t be the weakest link in this rapidly changing realm of cyberthreats. It is high time that Canadian organizations become more cyber-aware and take cybercriminals head-on.