STS Phishing Attack Trends

In 2020, 75% of companies around the world experienced a phishing attack.  

One phishing email can be responsible for a company succumbing to ransomware and having to face costly downtime, making it one of the biggest dangers to your business’s health and wellbeing. Phishing can lead a user to unknowingly hand over the credentials to a company email account, allowing the hacker to then send targeted attacks to customers. 

It is the most common type of cyberattack. 

Phishing takes advantage of human error, and many phishing emails use sophisticated tactics to fool the recipient into divulging information or infecting a network with malware. 

Mobile phishing threats skyrocketed by 161% in 2021. 

Your best safeguards against the continuous onslaught of phishing include: 

  • Email filtering 
  • DNS filtering 
  • Next-gen antivirus/anti-malware 
  • Ongoing employee cybersecurity awareness training 

To properly train your employees and ensure your IT security is always ready to snuff out the newest cyberthreats to your business, you need to know what new phishing dangers are headed your way. 

Here are some of the latest phishing trends that you need to watch out for in 2022. 

PHISHING IS INCREASINGLY BEING SENT VIA TEXT MESSAGE 

Most phishing training focuses on email phishing because it’s always been the most prevalent, but make no mistake – it can happen over text messaging.

People tend to be less suspicious of random text messages than they are of unexpected email messages because of how often we get them. We receive more texts now than we ever have because retailers and service providers use text updates to communicate info such as delivery notices and tracking information.  

However, cybercrime entities are now taking advantage of how publicly available mobile phone numbers are by using text messages to deploy phishing attacks. Text message phishing (often referred to as “smishing”) is becoming increasingly common, so it’s important to be aware of the danger it poses.

As an example of smishing, a cybercriminal could send a fake tracking number or shipment info with a shortened URL to someone expecting a delivery. If they click the URL, they’re led to a malware-infested website, where they’re prompted to put in their account info to “log in”. The cybercriminal now has access to the victim’s personal information. 

BUSINESS EMAIL COMPROMISE IS ON THE RISE 

Ransomware has been a growing threat over the last few years largely because it’s been a big money-maker for cybercriminal groups. One of the easiest ways to infect someone with ransomware is via email, and for businesses, the biggest email cyberthreat you’ll face is business email compromise (BEC). This up-and-coming type of cyberattack is becoming lucrative at breakneck speed and can have the most financial impact on your business. 

BEC is on the rise and being exploited by attackers to make money off things like gift card scams and fake wire transfer requests. What makes BEC so dangerous is that when a criminal gains access to a business email account, they can send very convincing phishing messages to employees, customers, and vendors of that company. The recipients will unknowingly trust the familiar email address, making it much easier to deceive them.

BECs are effective weapons for cybercriminals because they mean the attacker already has access to a highly sensitive account and has bypassed credentials. Being prepared early on with an effective IT security program can reduce the likelihood of a BEC targeting your business.

SMALL BUSINESSES ARE BEING TARGETED MORE FREQUENTLY WITH SPEAR PHISHING 

Spear phishing is a more dangerous form of phishing because it’s targeted and not generic. It’s the type deployed in an attack using BEC. 

There is no such thing as being too small to be attacked by a hacker. Small businesses are targeted frequently in cyberattacks because they tend to have less IT security than larger companies. In fact, 43% of all data breaches target small and mid-sized companies, and 40% of small businesses that become victims of a cyberattack experience at least eight hours of downtime as a result. 

Spear phishing was previously used against larger companies because it takes more time to set up a targeted and tailored attack. However, as large criminal groups and state-sponsored hackers make their attacks more efficient, they’re able to easily target anyone they want.

Today, small businesses more commonly receive tailored phishing attacks that are harder for their users to identify as a scam.

THE USE OF INITIAL ACCESS BROKERS TO MAKE ATTACKS MORE EFFECTIVE 

Earlier, we covered how large criminal groups are continually optimizing their attacks to make them more effective. Although falling victim to a cyberattack is detrimental to anyone or any entity, to cybercriminals it’s just business. It makes them a lot of money, which is why it’s been fine-tuned to deceive an unsuspecting target.

Recently, they’ve optimized another type of cyberattack by using outside specialists, referred to as Initial Access Brokers. They are specialized hackers who focus only on getting the first breach into a network or company account, nothing more. The criminals who hired them take it from there without having to do the initial legwork and logistics.

Using an anonymous party like an Initial Access Broker makes phishing attacks even more dangerous because it’s hard to pin them down and figure out where the first breach came from. There’s no paper trail to them, or the cybercriminals who hired them. 

BUSINESS IMPERSONATION IS BEING USED MORE OFTEN 

As users have gotten savvier about watching for emails from unknown senders, phishing attackers have transitioned into business impersonation. This is where a phishing email will come in looking like a legitimate email from a company that the user may know or even do business with, complete with the same graphics and typeface their emails typically have.  

Giants like Amazon or PayPal are commonly impersonated by attackers trying to phish their customers, but make no mistake: it happens with smaller companies just as often.

As an example, website hosting companies have had client lists breached, and a cybercriminal group has then sent emails to that list, impersonating the hosting company and prompting the users to log in and resolve an urgent problem with their account status. The attackers are then able to collect the input information and have free rein over the unsuspecting user’s account.

As more criminals drift towards business impersonation in their phishing attacks, ordinary users and businesses alike must be suspicious of all emails, not just those from unknown senders. 

IS YOUR COMPANY ADEQUATELY PROTECTED FROM PHISHING ATTACKS? 

It’s important to use a multi-layered strategy when it comes to defending against one of the biggest dangers to your business’s wellbeing. 

Want to invest in your business’s protection? 

Get started with a cybersecurity audit to review your current security posture and identify ways to improve. 
