Mobile phishing attacks targeting energy industry employees have increased by 161 percent compared to last year’s (H2 2020) data, and the trend shows no indications of subsiding.
Although the risks of outdated and unprotected equipment affect all industries, according to a new analysis by cybersecurity firm Lookout, energy is the most targeted, followed by banking, pharma, government, and manufacturing.
Asia-Pacific is the most geographically targeted region, followed by Europe and then North America. However, phishing assaults targeting the global energy industry are on the rise all around the world.
Mobile phishing also escalated in the first half of 2021, with approximately 20% of all employees in the energy sector targeted in mobile phishing attempts, marking a 161% rise over the previous six months.
Impact of COVID-19
With so many constrained to remote working due to COVID-19, using VPNs to access corporate networks has increased in popularity.
Unfortunately, external access to a corporate network makes it an appealing target for threat actors who use phishing to gain VPN or domain credentials.
Threat actors steal credentials in 67 percent of all phishing incidents examined by Lookout researchers. The attackers can use email, SMS, phishing applications, and login pages at counterfeit corporate websites to carry out these attacks.
These credentials allow them to gain access to internal networks, which they can then use as pivot points for further lateral movement.
From there, they can identify susceptible systems and begin attacks against industrial control systems, which carry undetected defects that have been present for years.
Malware Isn’t the Only Concern; Beware of Riskware
Apps that ask for dangerous permissions and access sensitive data on the device are now a bigger concern than “pure” malware because they are significantly easier to get past app store testing.
Many of these apps link to obscure servers and send data that is unrelated to their basic functioning but poses a significant risk to the user and their employing enterprise.
Spyware, keyloggers, trojans, and even ransomware droppers continue to be an issue, but they are more likely to be used in highly targeted attacks, so their distribution numbers are much lower.
How Can You Defend Against Phishing Attempts?
Employee training is crucial in reducing security gaps, as the human component continues to be the greatest risk for installing riskware and clicking/tapping on suspicious links.
According to Lookout, a single session of anti-phishing training resulted in 50% fewer clicks on phishing URLs over the next 12 months. We offer in-house training courses for your employees to educate them on phishing avoidance, social engineering, and best practices in cyber security.
We summarise the most frequent methods of attack, present sample phishing emails, give examples of the different types of cyber-attacks that your company may encounter, and provide tools and tactics to help prevent those attacks.