As messaging apps continue to gain popularity, threat actors are exploiting a combination of trust, real-time communication and widespread adoption, making messaging apps an attractive vector for phishing attacks.

These were among the findings of Kaspersky’s annual spam and phishing report, which revealed the company’s anti-phishing system prevented 709 million attempts to access phishing and scam websites, a 40% rise from the previous year.

Phishing attacks surged throughout the year, peaking in May and June. Scammers commonly targeted users with travel-related scams.

The integration of generative AI technologies, including ChatGPT, provided new avenues for exploitation.

Kaspersky also observed a notable increase in phishing attacks on the popular messaging service Telegram, with Russia being the main target, followed by Brazil, Turkey, India, Germany, Italy and Mexico.

Monique Becenti, director of product at Zimperium, said cybercriminals exploit these characteristics to deceive users into disclosing sensitive information due to the personal connections made during one-on-one interactions.

“These platforms provide a convenient and effective channel for distributing malicious links and attachments,” she explained. “Most likely, these interactions start on social media and transition to a messaging app, so a sense of trust is already established.”

Mobile devices are particularly vulnerable to phishing attacks due to the limited built-in security measures, which struggle to combat the increasingly sophisticated nature of these persistent threats.

Becenti said it’s crucial for organizations to recognize the severity of mobile-based threats and integrate mobile security into their current endpoint solution.

Employing a mobile security solution can proactively address these threats by ensuring device integrity and preventing employees from accessing critical business resources on their mobile devices until any associated risks are resolved.

“We trace the escalation in phishing attack volume to its source by following the money,” said Mika Aalto, co-founder and CEO at Hoxhunt.

Cybercrime has become increasingly profitable and organized, and the financial and technical barriers to entry get lower every day.

“It’s a multi-billion-dollar business that keeps expanding with a prolonged state of geopolitical unrest and unemployment,” he said.

With the release of blackhat generative AI onto the dark web, increasingly sophisticated and affordable social engineering attacks are being devised at scale.

Becenti agreed that the proliferation of AI platforms has increased the sophistication of phishing campaigns, posing a significant challenge to cybersecurity.

By leveraging AI-powered tools, threat actors can automate various stages of the phishing process, enabling them to craft highly convincing messages and engage with potential victims on a large scale in a shorter time frame.

Short Life Cycle, Long-Term Impact

The Zimperium Labs team investigated phishing sites and found that the average website’s life cycle is ten days, highlighting the transient nature of these fraudulent platforms and the need for swift action against them.

“Moreover, emerging tactics are aimed at mobile devices, including malicious iOS shortcuts,” she said.

These shortcuts are often accessed through third-party stores and can execute malicious activities on the user’s device without them knowing.

“Malicious PDFs are another avenue for bypassing email security on mobile devices, frequently harboring malware,” Becenti said.

Aalto said by combining AI with open source intelligence, attackers can make targeted phishing campaigns at scale with roughly the same effort as the poorly composed bulk email attacks that get mostly picked up by email filters.

“They’ll also send more of these attacks in ways other than email, more and more often, and using techniques that evade filters more frequently,” he explained.

He noted that QR phishing attacks surged last year partly because filters weren’t yet trained to pick them up, and as the digital footprint grows, so will phishing tactics, techniques and procedures (TTPs).

Becenti said she also expects phishing TTPs to continue evolving in 2024 and beyond, adapting to technological advancements and changes in user behavior.

“Threat actors are likely to leverage more sophisticated social engineering techniques, such as AI-generated deepfake voice calls and videos, to manipulate victims and increase the credibility of their phishing attempts,” she said.