Email scams aimed at business users are becoming increasingly sophisticated and increasingly hard to detect. Threat actors are now using artificial intelligence to research their targets in advance of an attack, the groundwork for the manipulation known as 'social engineering.'
Phishing attacks, emails that appear to come from a trusted source, make up 35.5% of all socially engineered threats, according to a report from cybersecurity firm Barracuda, Top Email Threats and Trends. Although this type of attack has been around for a long time, cybercriminals have recently devised ingenious new ways to avoid being detected and blocked by email-scanning technologies.
“Cybercriminals are increasingly using popular commercial URL shortening services to embed malicious links in phishing emails. URL shorteners condense the link, so the actual link of the site becomes obscured with random letters or numbers. Using this tactic can disguise the true nature and destination of the link,” says Barracuda.
The legitimate URL-shortening service bit.ly is used in almost 40% of socially engineered attacks that include a shortened URL. In 2023, Gmail was the most popular free webmail service used in social engineering attacks, accounting for 22% of the domains used for social engineering in the data analyzed by Barracuda, which comprised 69 million attacks across 4.5 million mailboxes over 12 months.
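A practitioner's first question about a shortened link is where it actually goes, without clicking through to the landing page. The following added example (not Barracuda's tooling or anything from the report) extracts URLs from a message body, flags hosts on a small, assumed list of commercial shorteners, and resolves only the first redirect hop with a single HEAD request, so the final page is never fetched. The shortener list, the sample message and the stub resolver are constructed for the example; the resolver is injectable so the check runs offline.

```python
"""Flag shortened URLs in an email body and resolve only their first hop.

Added illustration for this article, not Barracuda's own tooling. The
shortener list and the sample message are constructed for the example.
"""
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Assumption: a short list of commercial shortener hosts; a production
# filter would carry a far longer, maintained list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly",
                   "is.gd", "rb.gy", "cutt.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"'\)\]]+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL in the text, trailing punctuation removed."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def is_shortener(url):
    """True when the URL's host is (a subdomain of) a known shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS or any(
        host.endswith("." + h) for h in SHORTENER_HOSTS)


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following 3xx responses; we only want Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def first_hop(url, timeout=5):
    """Send one HEAD request and return the Location header, or None.

    The redirect is deliberately not followed, so the landing page is
    never fetched and nothing hosted there is triggered.
    """
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:
        # With redirects disabled, a 3xx surfaces here with headers intact.
        return err.headers.get("Location")
    except URLError:
        return None


def triage(message_text, resolver=first_hop):
    """List shortened URLs in the message with their first-hop destination.

    `resolver` is injectable so the function can run offline with a stub;
    the default performs a real HEAD request.
    """
    findings = []
    for url in extract_urls(message_text):
        if not is_shortener(url):
            continue
        dest = resolver(url)
        findings.append({
            "url": url,
            "destination": dest,
            # Chained shorteners are a common evasion; flag them as well.
            "destination_is_shortener": bool(dest) and is_shortener(dest),
        })
    return findings


# Constructed sample message and an offline stub resolver (hypothetical).
SAMPLE_MESSAGE = (
    "Hi, the updated invoice is at https://bit.ly/3AbCdEf, please review "
    "before Friday. Our portal remains https://portal.example.com/login"
)


def stub_resolver(url):
    return {"https://bit.ly/3AbCdEf": "https://tinyurl.com/y2abcd"}.get(url)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGE, resolver=stub_resolver):
        print(finding)
```

Two caveats when using the real resolver: a HEAD request to the shortener is itself a "click" that the attacker can observe, so run it from a sandboxed egress, and a single hop is rarely the end of the chain, which is why the example flags destinations that are shorteners too rather than following them.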
Scamming and phishing account for 86% of socially engineered threats
Scamming and phishing together accounted for 86% of social engineering attacks in 2023, with phishing alone at 35.5% of all socially engineered threats; almost every attack in this category carries a malicious link. Business email compromise (BEC) attacks, in which a cybercriminal impersonates an individual inside or outside the organization, made up more than one in 10 social engineering attacks and continue to show a steady year-on-year increase.
Attackers increasingly use phishing to steal login credentials and compromise business accounts. They then spend time reading through the compromised mailboxes to understand business operations and to learn about deals in progress, payment procedures and other details. Criminals leverage this information, including internal and external conversations between employees, partners and customers, to craft authentic-looking, convincing messages and send them from impersonated domains to trick victims into wiring money or updating payment details. This threat is called 'conversation hijacking' (also referred to as conversation hacking); it made up only 0.5% of social engineering attacks in 2023, but that is an increase of almost 70% over 2022.
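The tell-tale of a hijacked conversation is a reply that threads into a real exchange but arrives from a domain that merely resembles the genuine one. The added example below (not from the Barracuda report) parses a message, checks whether the sender domain is a near miss of a domain the organisation actually deals with, and combines that with the threading headers and any Reply-To mismatch. The trusted-domain list and both sample messages are constructed for the example.

```python
"""Flag a thread reply whose sender domain is a lookalike of a domain the
organisation actually corresponds with.

Added illustration for this article, not from the Barracuda report.
The trusted-domain list and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation genuinely corresponds with.
KNOWN_DOMAINS = {"example.com", "partner-corp.com"}


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header, lowercased."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, known=KNOWN_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` most resembles, or None when
    it is trusted itself or not close enough to any entry."""
    if not domain or domain in known:
        return None
    best = min(known, key=lambda k: edit_distance(domain, k))
    return best if edit_distance(domain, best) <= max_distance else None


def analyse_reply(raw_message):
    """Score one message for the conversation-hijacking pattern."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    impersonated = lookalike_of(sender)
    # A lookalike sender inside an existing thread is the signature.
    in_thread = bool(msg.get("In-Reply-To") or msg.get("References"))
    return {
        "sender_domain": sender,
        "impersonates": impersonated,
        "in_thread": in_thread,
        "reply_to_mismatch": bool(reply_to) and reply_to != sender,
        "suspicious": impersonated is not None and in_thread,
    }


# Constructed samples: a hijacked-thread reply and a genuine one.
HIJACKED = """\
From: Dana Lee <dana.lee@partner-c0rp.com>
To: accounts@example.com
Reply-To: dana.lee@partner-c0rp.com
In-Reply-To: <20240312-invoice-4471@partner-corp.com>
Subject: RE: Invoice 4471

Following our earlier exchange, please use the new bank details attached.
"""

GENUINE = """\
From: Dana Lee <dana.lee@partner-corp.com>
To: accounts@example.com
In-Reply-To: <20240312-invoice-4471@partner-corp.com>
Subject: RE: Invoice 4471

Thanks, payment received.
"""

if __name__ == "__main__":
    print(analyse_reply(HIJACKED))
    print(analyse_reply(GENUINE))
```

The edit-distance threshold of 2 is a deliberate trade-off: it catches single-character swaps such as o/0 and l/1 on a registered lookalike domain without flagging every unrelated short domain, and it is the parameter to tune against your own correspondent list. Note that a genuinely compromised mailbox sends from the real domain and will not trip this check; that case needs the payment-change process itself to require out-of-band confirmation.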