Malicious URLs and phishing scams remain a constant threat for businesses - here's what can be done


  • Phishing emails with malicious URLs are used four times more than ones with attachments, Proofpoint survey claims
  • ClickFix attacks also spiked 400% year-on-year
  • A layered approach to security is the best way to defend

Phishing scams and malicious URLs continue to be the bane of the business world, increasing year-on-year and getting more dangerous by the minute, new research has warned.

A new paper from Proofpoint, based on data from the company’s threat intelligence platform, argues phishing emails with URLs, rather than attachments, are rising in popularity; that ClickFix is currently the number one method of tricking victims into getting infected; and that most criminals are interested in stealing login credentials.

Phishing emails have always been the number one initial attack vector, thanks to their simplicity, low cost, and omnipresence. However, delivering malware via attachments is not that straightforward any more, with different email security solutions getting rather good at scanning and filtering malicious content.

ClickFix, QR codes, and SMS messages

The cybercriminal community responded by pivoting to URLs - these days, they are used four times more than attachments. This is because they are easier to disguise, and more likely to evade detection, Proofpoint argues. The miscreants would embed them in messages, buttons, even inside benign attachments such as PDFs or Word documents.

In many cases, the URLs lead to sites with a ClickFix popup. ClickFix is a phishing technique where the victims are shown a fake error, and are given the means to “fix” the problem immediately. These attacks, too, increased by nearly four times year-over-year.

Proofpoint also said that most threat actors are interested in stealing logins, as it spotted 3.7 billion URL-based attacks aimed at stealing such secrets. This is mostly because infostealing malware such as CoGUI or Darcula are low-skill phishing kits that can be easily obtained and deployed.

Other notable methods include QR code phishing threats (quishing), and SMS phishing (smishing), with the latter spiking 2,534% year-on-year.


“The most damaging cyber threats today don’t target machines or systems. They target people. In addition, URL-based phishing threats are no longer confined to the inbox, they can be carried out anywhere and are often extremely difficult for people to identify,” said Selena Larson, senior threat intelligence analyst at Proofpoint.

“From QR codes in emails and fake CAPTCHA pages to mobile-first smishing scams, attackers are weaponizing trusted platforms and familiar experiences to exploit human psychology. Defending against these threats requires multilayered, AI-powered detection and a human-centric security strategy.”

How to defend against phishing

The best defense against phishing emails with malicious URLs is layered protection.

Businesses can start with an email security gateway that blocks suspicious links before they can reach the inbox. Then, with browser isolation or link rewriting, systems can “detonate” (basically, trigger) URLs in a safe environment.

Next, every business should train their employees on how to spot phishing emails, how to hover over links to double-check where they lead, how to verify senders, and how to avoid clicking on unexpected messages. Enforcing multi-factor authentication (MFA) is also always recommended, as is keeping endpoint protection updated to catch malware if someone does click.

Finally, businesses should implement strict access controls and monitoring so that even if a link slips through, the damage remains contained.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
