Imagine this scenario, highlighting the need for multi-channel phishing defense:
Your company’s Finance department employs thousands of employees in 100+ countries. Recently, 1000+ employees from this department received an email, purportedly from the CEO, asking them to transfer $100,000 of the company’s funds to an unfamiliar bank account. Almost 200 of these recipients didn’t suspect that the email was fake and transferred the funds because the “CEO” asked them to do so.
It was later discovered that they were all victims of a large-scale phishing scam targeting the company. By the time the fraud was discovered, the company had lost almost $2 million to the scammers.
If this hypothetical scenario of a business email compromise (BEC) attack sounds scary, imagine this new scenario:
About 1500 employees of your company’s Finance department receive phishing emails, again purportedly from the CEO, asking each one of them to transfer $50,000 to an unfamiliar bank account. This time, very few fell for the scam, thanks to the lessons they learned from the organization’s phishing awareness program. As a result, the financial damage to the organization is negligible.
Even so, there’s no reason to celebrate and here’s why. Another 300 employees from the Finance department receive a meeting invite from “Zoom”. The invite asks them to enter their email address and password. When a few of them do so, they are directed to a landing page where they enter their credentials. These credentials allow the scammer to access the organization’s bank account and siphon off almost $5 million with ease.
Scenario 1 is unfortunately all too commonplace and extremely concerning for organizations. The latter is unsurprising, considering that losses from BEC attacks have accumulated over $50 billion in just ten years (October 2013 to December 2022).
The second hypothetical example is a scary reality for organizations because it shows that even if businesses are able to withstand email-based phishing attacks, they can still experience huge losses from phishing. This is because modern cybercriminals now leverage multi-channel phishing attacks to expand the scope of a phishing attack and to increase its chances of success.
Per one recent survey, 89% of enterprise security decision-makers are worried about multi-channel phishing threats. Let’s dive deeper into why.
What is Multi-channel Phishing?
Multi-channel phishing is a phishing approach in which attackers leverage multiple channels in addition to – or instead of – email to exploit their targets.
For example, as we saw in our hypothetical scenario #2, they may send a malicious link to victims that appears to go to a Zoom page. When the victim clicks on the link, they are directed to a landing page where they enter their credentials. When they do this, the attacker can steal the credentials and then use them to access the company’s sensitive data or systems (such as bank accounts).
Many attackers also take advantage of other popular cloud-based collaboration tools like Slack, Microsoft Teams, or Google Meet. WhatsApp, SMS, LinkedIn, and voicemail are some other popular channels used in multi-channel phishing attacks. Sometimes, these scams are launched from legitimate and popular business services like AWS, Microsoft Azure, Outlook, and SharePoint.
Why Multi-channel Phishing is a Dangerous Threat to Organizations
Increasingly, organizations are implementing strong measures to prevent email-based phishing attacks. However, the other channels are not as well-protected, so scammers are able to trick users in order to install malware, exfiltrate enterprise data, and steal credentials and funds. This is one reason why multi-channel phishing attacks are so dangerous.
Surpassing email security systems
It must be noted that even with fairly strong email security, organizations are not completely protected from email-based phishing attacks or multi-channel phishing attacks with an email element. This is because many email-based attacks start with a “benign” link that threat detection systems don’t detect when the email is first sent.
It’s only after the email has been delivered that the link becomes malicious. Attackers weaponize the malicious page by adding fields designed to harvest victims’ login credentials. A single click by a clueless or careless employee is all it takes for the attack to succeed.
Another cause for concern is that multi-channel attacks often successfully bypass many kinds of security tools. This is especially true of attacks where the malicious URLs are hosted on legitimate public cloud infrastructure like AWS. Many phishing detection tools don’t realize that the links are malicious and therefore don’t detect or block them. This blind spot increases the probability that the attack will succeed.
Strategies to Protect Your Organization from Multi-channel Phishing Attacks
Multi-channel phishing attacks are a serious problem for all kinds of organizations. Fortunately, you can protect your organization and avoid the catastrophic consequences of such attacks by following these strategies:
Awareness
Start with awareness. Everyone in the company should be aware of the risks and potential impact of multi-channel phishing scams. Your phishing awareness program should include simulations and real-world examples of multi-channel phishing. The program should be aimed at increasing employee awareness and preparedness, and empowering them to withstand future attacks.
Have a multi-channel phishing defense plan
A comprehensive cyber-readiness plan is also crucial to effectively deal with phishing incidents and minimize damage. Some other anti-phishing practices you must implement in your organization are alerts for suspicious and potentially malicious activities, strong MFA mechanisms, lockout rules for multiple failed login attempts, and a zero-trust approach to cybersecurity.
Automated AI-defense against multi-channel phishing
Finally, an effective way to strengthen multi-channel phishing defenses is to implement an AI security platform like Bolster. Bolster leverages powerful deep learning, LLM models to detect threats across multiple external attack vectors. We can identify everything from phishing sites, spoofed URLs, and typosquat domains, to social media scams, fake apps, web phishing, and executive impersonations to provide comprehensive and proactive threat detection.
Bolster also automates threat remediation, ensuring that your organization is continuously protected from phishing attacks, no matter which channel they originate from, or what time of day they go live. Moreover, our threat detection, monitoring, and remediation capabilities are all available from a single platform to provide seamless, uninterrupted protection for your brand.
Moving Ahead Protected Against Multi-Channel Phishing Attacks
It’s critical now more than ever to ensure your business is protected on all fronts against evolving attacks. As we’ve outlined above, hackers are utilizing multi-channel phishing attack avenues to target businesses at various levels, meaning some of the traditional or more common cybersecurity defense practices aren’t enough.
With AI tools like Bolster, you can protect your business efficiently, and more effectively than manual cyber security detection and defense.
To see how Bolster can safeguard your company from multi-channel phishing attacks, request a free demo.