Phishing is not a new threat to the enterprise, but it is becoming subtler and more complex as threat actors adopt new strategies to trick their chosen victims.
"Phishing attacks are much more focused, more targeted," explains Mark Risher, director of product management for Google Sign-In, Abuse, and API. "It's no longer about broad-based, opportunistic attacks … now, the phisher is doing his or her homework."
Today's attackers know their victims and learn enough about their circumstances to add credible details to their attacks. Everyone in the consumer space is a potential target, says Risher, who says phishers cast a "fairly wide net" to achieve their goals.
"We have definitely seen a rise in sophistication of phishing attacks over the past few years and a shift toward 'quality' over 'quantity,'" says Amy Baker, vice president of marketing at Wombat Security. Broad-based attacks are still happening, but spearphishing and BEC are on the rise.
"Cybercriminals are increasingly using social media channels to mine for data and lay the groundwork for high-value attacks," Baker continues. "In these situations, we see multi-faceted approaches that incorporate social engineering techniques outside of email that ultimately make an email communication more believable."
Hackers want to take advantage of users' familiarity with Gmail, and other products from high-visibility organizations like Amazon and Facebook. If they can't get a phishing email through corporate safeguards, they know users have fewer barriers on their personal accounts.
"If an employee makes a personal mistake while on a corporate network, that's a win for an attacker," says Baker.
Aaron Higbee, cofounder and CTO at PhishMe, says many pieces of traditional phishing advice still hold true: watch for misleading URLs and don't click on suspicious documents.
However, Gmail users can take precautions by adjusting permissions - one of the tips Google shares in a blog post on the subject.
Here are ways to reduce the risk of phishing attacks specific to Gmail users.