By Roy Urrico
Finopotamus continues to highlight white papers, research, surveys and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
In the third quarter of 2022, financial institutions, including credit unions, did a better job of thwarting phishing attacks but remain susceptible. In addition, fraudsters adjusted their tactics, turning to other channels to try to steal personal credentials. Those are among the details shared in Netskope’s Cloud and Threat Report: Phishing From Fake Websites to Impersonated Cloud Apps.
The latest report from Santa Clara, Calif.-based Netskope found that email is no longer the top phishing tactic. Although email is still a primary mechanism for delivering phishing links, the report revealed users are more frequently clicking phishing links arriving through other channels, including personal websites and blogs, social media, and search engine results. The report also detailed the rise in fake third-party cloud apps designed to trick users into authorizing access to their cloud data and resources.
This report contains information about phishing detections raised by Netskope’s Next Generation Secure Web Gateway (Next Gen SWG). Stats in this report are based on the three-month period from July 1, 2022 through September 30, 2022.
“Business employees have been trained to spot phishing messages in email and text messages, so threat actors have adjusted their methods and are luring users into clicking on phishing links in other, less expected places,” Ray Canzanese, threat research director at Netskope, explained. He added, “While we might not be thinking about the possibility of a phishing attack while surfing the internet or favorite search engine, we all must use the same level of vigilance and skepticism as we do with inbound email, and never enter credentials or sensitive information into any page after clicking a link. Always browse directly to login pages.”
Financial Services Stands Out
Webmail services such as Gmail, Microsoft Live and Yahoo, traditionally considered the top phishing threat, were the referrer for only 11% of phishing alerts. Personal websites and blogs, particularly those hosted on free hosting services, were the most common referrers to phishing content, claiming the top spot at 26%. The report identified two primary phishing referral methods: the use of malicious links through spam on legitimate websites and blogs, and the use of websites and blogs created specifically to promote phishing content.
Search engine referrals to phishing pages have also become common, as attackers are weaponizing data voids by creating pages centered around uncommon search terms where they can readily establish themselves as one of the top results for those terms. Examples identified by Netskope Threat Labs include how to use specific features in popular software, quiz answers for online courses, and user manuals for a variety of business and personal products.
Among industry verticals, financial services had the lowest percentage of users accessing phishing content, per the Netskope study. At five out of 1,000, the phishing rate in financial services is less than two-thirds the average. Contributing to this lower-than-average phishing rate in financial services is the use of stricter policies and controls, including more restrictive URL filtering policies and use of technologies like remote browser isolation (RBI).
The Rise of Fake Third-Party Cloud Apps
Netskope’s report reveals another key phishing scheme: tricking users into granting access to their cloud data and resources through fake third-party cloud applications. This early trend is particularly concerning, noted the report, because access to third-party applications is ubiquitous and poses a large attack surface.
On average, end-users in organizations granted more than 440 third-party applications access to their Google data and applications, with one organization having as many as 12,300 different plugins accessing data – an average of 16 plugins per user. Equally alarming, over 44% of all third-party applications accessing Google Drive had access to either sensitive data or all data on a user’s Google Drive.
“The next generation of phishing attacks is upon us. With the prevalence of cloud applications and the changing nature of how they are used, from Chrome extensions or app add-ons, users are being asked to authorize access in what has become an overlooked attack vector,” said Canzanese.
He added, “This new trend of fake third-party apps is something we are closely monitoring and tracking for our customers. We expect these types of attacks to increase over time, so organizations need to ensure that new attack paths such as OAuth (Open Authorization) are restricted or locked down.”
Actionable Prevention Steps
Within the report, Netskope Threat Labs’ Canzanese included actionable steps organizations can take to identify and control access to phishing sites or applications, such as deploying a security service edge (SSE) cloud platform with a secure web gateway (SWG), enabling zero trust principles for least privilege access to data and continuous monitoring, and using Remote Browser Isolation (RBI) to reduce browsing risk for newly registered domains.
Netskope provides threat and data protection to millions of users worldwide. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization.
Deeper Dive
Canzanese did a deeper dive into the findings with Finopotamus.
Why is email no longer the top phishing tactic?
Email phishing is still an incredibly popular tactic. At the same time, we have spent a lot of time investing in email security to detect and block phishing emails, warn users of emails that might potentially be phishing, and train users to be skeptical of phishing emails. We are reporting on what users are actually clicking on, and what our research shows is that while email is still one of the sources of phishing links that users click on, they are also encountering and clicking on phishing links in other places, like social media, search engines, and personal blogs.
What is the top phishing threat today?
The most common tactic is still setting up fake login websites to steal credentials, primarily for social media, cloud apps, and financial sites.
What types of controls are finservs using that are thwarting fraudsters?
They often have stricter controls, including URL filtering controls that block some of the sites that refer users to phishing pages and more aggressive email controls. Remote browser isolation is also a popular tool for allowing users to safely browse risky or unknown sites.
Are financial institutions, such as credit unions, doing a better job of sniffing out phishers?
Their employees tend to click on phishing links less frequently than other industries, indicating that they are doing a better job of training their employees to avoid phishing, and putting controls in place that prevent their users from clicking on phishing links.
Why are employees so susceptible to phishing?
Most of the phishing that we see is very good. Just this week, I received a phishing email that stated my account had been accessed from an unknown device and that I should click the link to see more details. Attackers are very good at using social engineering techniques like this to target their victims. They tend to prey on fear, uncertainty, and doubt (FUD). They like to create a false sense of urgency: “Have I been hacked? I better click on that and figure out what happened ASAP!”
What can FIs and consumers do better?
As an individual, just never log in to anything important or enter any sensitive information into something after clicking a link. Need to do some online banking or log into your email? Go directly to your bank’s website by typing the URL in the address bar. Also, enable multi-factor authentication (MFA) on anything important. MFA will not solve everything, but it will make attackers have to work a lot harder to phish you.
Any other insights to share?
The newest targeted attacks that we see use fake apps to get access to your email and documents stored in Google Workspaces or Microsoft 365. The fake apps have names that make them sound like real apps, but they were created by attackers as a form of phishing. We encourage admins to audit and lock down their users’ ability to authorize such apps, and encourage users to be cautious of what they authorize to access their data.
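One way an admin could start the audit of third-party app grants described above, as an added example that is not Netskope’s code or any vendor tooling: the records are constructed sample data shaped like the Google Admin SDK Directory API `tokens` resource (userKey, clientId, displayText, scopes), the broad-scope list and the approved-client allowlist are assumptions, and the output flags grants with full Drive or mailbox access that the organization has not approved.

```python
"""Flag over-broad third-party OAuth grants (constructed sample data)."""
from collections import defaultdict

# Scopes that expose a user's whole Drive or mailbox (assumed set).
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
DRIVE_PREFIX = "https://www.googleapis.com/auth/drive"
# Client IDs the org has reviewed (hypothetical allowlist).
APPROVED_CLIENTS = {"1234.apps.googleusercontent.com"}

SAMPLE_TOKENS = [  # constructed, shaped like Admin SDK tokens.list items
    {"userKey": "alice@example.com", "clientId": "1234.apps.googleusercontent.com",
     "displayText": "Corp Docs Plugin", "scopes": ["openid", DRIVE_PREFIX + ".file"]},
    {"userKey": "alice@example.com", "clientId": "9999.apps.googleusercontent.com",
     "displayText": "Docs Helper (Official)",
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"userKey": "bob@example.com", "clientId": "5555.apps.googleusercontent.com",
     "displayText": "Invoice Sync", "scopes": [DRIVE_PREFIX + ".readonly"]},
]

def classify(token):
    """Summarize one grant: does it touch Drive, which broad scopes, approved?"""
    scopes = set(token["scopes"])
    return {
        "user": token["userKey"], "app": token["displayText"],
        "client_id": token["clientId"],
        "touches_drive": any(s.startswith(DRIVE_PREFIX) for s in scopes),
        "broad_scopes": sorted(scopes & BROAD_SCOPES),
        "approved": token["clientId"] in APPROVED_CLIENTS,
    }

def audit(tokens):
    """Return grants needing review plus org-wide exposure figures."""
    findings = [classify(t) for t in tokens]
    drive_apps = [f for f in findings if f["touches_drive"]]
    full_drive = [f for f in drive_apps
                  if any(s.startswith(DRIVE_PREFIX) for s in f["broad_scopes"])]
    per_user = defaultdict(int)
    for f in findings:
        per_user[f["user"]] += 1
    pct = round(100 * len(full_drive) / len(drive_apps), 1) if drive_apps else 0.0
    return {
        "review": [f for f in findings if f["broad_scopes"] and not f["approved"]],
        "pct_drive_apps_with_full_access": pct,
        "grants_per_user": dict(per_user),
    }
```

Feeding real `tokens.list` output per user into `audit` gives the same per-organization view the report quotes (share of Drive-accessing apps with full access, grants per user) and a short list of unapproved broad grants to revoke or investigate.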