WWW.FORBES.COM
Do Not Click: New Gmail, Outlook, Apple Mail Warning For Billions
Do not click, security experts warn.

Update, Jan. 8, 2025: This story, originally published Jan. 7, now includes details of the new PhishWP WordPress malicious phishing plugin threat and more advice for Gmail users.

A newly published analysis has revealed that, across the whole of 2024, click-attacks all but tripled compared to the year before. Forget the recent warning for Chrome, Edge and Safari browsers not to double-click; all email users should now consider not clicking at all. Here's what Gmail, Outlook and Apple Mail users need to know.

The Ongoing Gmail, Outlook And Apple Mail Click-Attack Threat

A new analysis of phishing attacks published Jan. 07 by Netskope Threat Labs has revealed that, across 2024, the number of dangerous clicks has increased nearly threefold compared to 2023. Blaming the increase on cognitive fatigue, with users being bombarded by so many phishing emails that they become oblivious to the threat, coupled with the evolution of click-attack threats by increasingly confident attackers, Netskope warned that more than 8 out of every 1,000 users were now clicking on the malicious links. This is a massive increase, the researchers said, and represents a significantly bigger threat posed by phishing to people and organizations. Blaming the increase on cognitive fatigue, Ray Canzanese, head of the Netskope Threat Labs, said that the number of people clicking on links is increasing because people are being bombarded with phishing links from all directions: email, social media, ads in search engine results, and all over the web. The use of personal apps, including webmail apps, was also quoted as a significant risk to organizations as well as consumers.

Google itself recently warned users of a second wave of cyberattacks, mostly phishing-related, that was hitting email users. Andy Wen, Gmail's senior director of product management, said that the attackers are very persistent.

PhishWP Threat Moves Phishing Danger Beyond Gmail, Outlook And Apple Mail

A dangerous development in phishing attack methodology has now emerged, as confirmed in a newly published report from researchers at SlashNext. A WordPress plugin created by malicious actors, PhishWP, does pretty much what it says on the tin: it's a phishing kit in a plugin. PhishWP creates fake payment pages that look just like trusted services, such as Stripe, the report said, and even connects with Telegram, sending stolen data to attackers as soon as a victim hits enter, making the attacks faster and more efficient.

"Consumers and administrators alike are familiar with the WordPress interface, which makes plugins such as PhishWP a higher risk," Mr. Mayuresh Dani, manager of security research at the Qualys Threat Research Unit, said, "to make sure that the attackers have time to use the stolen information, the plugin also includes functionality that sends a confirmation email to victims with their order details."

"PhishWP taps into a legitimate transaction flow by mirroring recognizable checkout sequences and quietly siphoning off sensitive data in real time," Jason Soroko, a senior fellow at Sectigo, said, "the immediate forwarding of information equips cybercriminals with the necessary credentials to make fraudulent purchases or resell the stolen data, sometimes within minutes of capturing it."

Consumer Advice To Mitigate The Click-Attack Threat To Gmail, Outlook And Apple Mail Users

Microsoft and Apple have tailored advice for their users when it comes to mitigating phishing attacks, and Google is no different when it comes to the billions of people using Gmail for their email fix. I would also advise readers, regardless of the email platform they use, to read the excellent advice pages from the U.K. National Cyber Security Centre.

The core advice from everyone is the same: don't click on unsolicited links from strangers or untrustworthy sources. Many security experts would say not to click on any links in an email at all, at least not without verifying the authenticity if it's from someone you know or checking out the destination (beware of link hovering attacks, though) if you don't. Entering the address manually in your browser, or searching Google for the legitimate address, is also an option. Things are more clear-cut with documents and attachments: just say no. Thanks, but no. Unless you are expecting the item and it is from a highly trusted source.