COMMENTARY: After years of attempting to swindle email users using far-fetched scenarios and outlandish requests, cybercriminals have learned that sometimes a low profile serves them best.
Using file-sharing phishing attacks, threat actors design their messages to blend with everyday communications, which lets them strike without the targets even realizing they’ve been compromised. These threats hide inconspicuously — disguised as yet another unremarkable invitation to view a file among a flurry of similar-looking legitimate requests.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Recently, this stealthy tactic has skyrocketed, with file-sharing phishing attacks up 350% year-over-year. And while every industry faces the risk, the financial sector has become the most popular target. In fact, 1 in 10 advanced attacks on financial institutions involves file-sharing phishing.
How file-sharing phishing attacks work
Most people wouldn’t open their front door to someone in a ski mask or a skittish salesperson with a briefcase of snake oil. But many of us wouldn’t think twice about letting in a stranger dressed in a pest control services uniform. And that’s why file-sharing phishing attacks are so successful: they’re alarmingly innocuous.
Like all phishing, this tactic works by exploiting recipients’ trust. Attackers impersonate commonly used file-hosting services, like Google Drive, Dropbox, or Docusign, and trick targets into sharing their credentials via realistic-looking login pages — or downloading malware camouflaged as an important file. In some cases, cybercriminals even exploit real file-sharing services by creating genuine accounts and sending emails with legitimate embedded links before exposing recipients to malicious files.
Also, to boost the chances of email recipients taking the bait, threat actors often use subject lines and file names that are enticing enough to click without arousing suspicion. (Like, for example, “Department Bonuses” or “New PTO Policy”) Plus, since many attackers now use Generative AI to craft their communications, phishing messages are more polished, professional, and targeted than ever.
In other words, file-sharing attacks are practically impossible to distinguish from the real messages sent by file-hosting services.
Why attackers target the financial sector
Nearly every type of organization has been targeted by file-sharing phishing attacks, from healthcare and hospitality to tech and education — but the lion’s share of attacks are happening in the financial sector.
There are three likely explanations:
- High online usage: Financial institutions frequently use file-sharing and e-signature platforms to exchange documents with partners and clients, and have only increased their adoption of these products with the rise of remote and hybrid work. Because employees regularly receive a flood of legitimate notifications from these services, they’re less likely to spot a fraudulent notification in the mix.
- Speedy decision-making: The financial industry is known for high-pressure, fast-moving transactions where success depends on rapid decision-making. Emails requesting urgent action are the norm, so it’s unlikely to ring any alarm bells.
- Regulatory pressures: Financial services organizations are under incredible regulatory scrutiny. This pressure, and the desire to avoid penalties and legal consequences, often forces them to follow regulators’ expectations that often don’t keep pace with the speed of attackers. Financial institutions often prioritize meeting compliance standards that prescribe specific procedures and controls, which regulatory bodies don’t necessarily adjust in response to new cybersecurity threats. This rigidity can limit an organization’s ability to keep pace with the rapidly evolving attack landscape.
The second and third most frequently targeted industries — construction/engineering and real estate/property management — also experience some of the same trends. Like finance, these sectors also rely heavily on file-sharing platforms and tend to involve time-sensitive projects with extensive communication among multiple parties. Attackers can exploit the urgency, complexity, and volume of these exchanges by sending file-sharing phishing attacks that appear time-sensitive and blend in seamlessly with legitimate emails.
How to mitigate the risks
Without the telltale spelling and grammatical errors, out-of-left-field executive requests (like an HR leader asking for $500 in gift cards), or dubious-looking links we’ve come to associate with phishing, file-sharing phishing threats are extremely difficult to spot.
Because these attacks appear to come from trusted senders and contain benign-looking content, there’s virtually no malicious content to flag, leading even the most security conscious employees to fall for these schemes.
File-sharing phishing operates as part of a larger trend toward highly sophisticated, hard-to-detect threats that easily slip past legacy security tools and security-aware workforces. And as cybercriminals become even more adept at using Generative AI and hijacking legitimate products to launch costly attacks, it will only become more challenging for security awareness training, secure email gateways, or signature-based security solutions to keep up.
While education and awareness training are an important component of any cybersecurity strategy, they aren’t a silver bullet. Layering advanced threat detection promises to quickly identify and remediate even the most sophisticated undercover threats – well before they reach an employee’s inbox.
Mike Britton, chief information security officer, Abnormal Security
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
