How instant messaging platforms became a venue for phishing attacks

Rotem Shemesh, Datto
June 22, 2022 1:07 PM


Phishing is one of the most common forms of cyberattack because the methods are simple and highly effective. As cybercriminals evolve, they look for other platforms to exploit where people may not yet have their guard up.

In recent years, attackers have increasingly targeted collaboration platforms through instant messaging. It’s no surprise; since the onset of the pandemic, the use of messaging tools, such as Slack or Microsoft Teams, has skyrocketed. In 2021, nearly 80% of workers reported using collaboration tools for work, up 44% since the pandemic. Coupled with the general migration to the cloud, instant messaging software has since become the norm for the hybrid office, making it an attractive avenue for threat actors and phishing campaigns.

Here is what users of tools such as Slack or Microsoft Teams need to know about phishing attacks on instant messaging platforms and steps to take to prevent a successful invasion. 

A weak security front and a false sense of trust

Despite their widespread use, most instant messaging platforms are lacking in security. Organizations may have some form of basic security in place, but that protection is generally a generic layer of security supported by email providers. Even if some companies have a few extra layers of security, many have yet to deploy robust cybersecurity solutions to protect their messaging platforms.

To make matters worse, most companies now rely on these instant messaging platforms for internal communications, instilling a false sense of trust and security in many end users. Employees assume that since the communications are internal and controlled, they are less likely to be exposed to potential threats. Moreover, these platforms are often used for less formal and urgent messages. The combination of a false sense of trust and the desire to make the hybrid workplace successful can lead to people letting their guard down, creating the perfect opportunity for hackers to strike.

Casting a wide net and leveraging social engineering

Threat actors are taking advantage of new technologies to blast large volumes of automated phishing messages simultaneously, maximizing impact and creating the most chaos possible. In the past, attackers typically put sophisticated effort into customizing their phishing attacks, and their focus was on the “big fish” victims. Now, customization is done automatically and used on even less obvious or lucrative targets, like smaller businesses lacking proper security measures. Phishing kits are also available on the dark web, making it easy for even the most unsophisticated hackers to execute a successful phishing campaign.

In these cases, hackers rely on social engineering to gain access to victims. Messages that elicit fear or an immediate response from a user play well here. For example, a threat actor will pose as a trusted source and send an account user a message that alerts them to a business or system violation, or to an update requiring immediate action on their part, such as a password or account change.

A practical example of this is when Slack introduced the “open communities” feature on its platform, allowing users to add contacts from outside their organization if they already had a Slack account. Many assumed this was still safe as it was done through the Slack platform, but this was not the case.

In 2017, hackers emulated a “Slackbot” account to send phishing messages to users and collect their financial information. Users need to be on alert for social engineering attempts and question the legitimacy of messages before responding.

So, what can instant messaging users do?

As always, awareness is the first step to combating a phishing attack. Organizations must be aware that phishing attempts are more frequent on these platforms and make security a top priority. It’s up to business leaders to make security education and training available and mandatory for employees. The training should teach users how to recognize a phishing attempt and the best course of action when they do. Just as employees know to be suspicious of phishing attempts when reading an email, they should be equally cautious about a message on Slack or Microsoft Teams. The more employees know about a phishing attempt, the better prepared they will be to identify and prevent it.

Fortunately, security solutions are now available to protect instant-messaging tools. In numerous instances, these are the same security solutions that organizations can, and should, use for their email protection. Usually available via APIs, these security tools are easy to deploy and can help protect an instant messaging platform both internally and when communicating with outside parties.

Finally, users should never provide credentials, financial details, or other sensitive information on a chat platform. Employees should always question strange requests coming through on chat, even if they appear to come from someone they know. They should be on the lookout for any links coming into the instant messaging platform, especially if they ask for sensitive details like passwords or other information.

Rotem Shemesh is the lead product marketing manager of security solutions at Datto.

© 2022 VentureBeat. All rights reserved.

×

We may collect cookies and other personal information from your interaction with our website. For more information on the categories of personal information we collect and the purposes we use them for, please view our Notice at Collection.