Top Phishing Trends in 2022

top phishing trends

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

December 22, 2022

Our partners at cybersecurity firm INKY just came out with their “Email Security Annual Report” for 2022-2023, chock full of statistics, predictions and trends. With phishing attacks growing by a whopping 1,179% in just the past 5 years – meaning that the number of reported phishing attacks in 2021 was nearly 13 times higher than 5 year ago – it is more important than ever to take a look at the data and prepare for what’s to come. While those statistics comes from the FBI, INKY themselves have witnessed an “equally egregious level of activity from bad actors”.  They’ve seen alarming increases in dangerous emails that include malicious HTML attachments, cryptocurrency scams and CEO impersonation attempts.

New and trickier tricks

We all know that cybercrime is a fluid, progressive game: Once the bad guys realize we’ve got them figured out, they just get more creative to keep their game going. They have two main audiences to fool. First, they have to trick any security platform that’s in place (email filters, Secure Email Gateways). Next, they’re ready to fool the human reading the email. Toward that effort, INKY saw “several new phish entering the pool” in 2022.  These new species included things like emails with no text at all (don’t worry, I’ll make sense of that later) and the exploitation of cloud-based forms.

Top trends in phishing

Here’s a look at some of the trends INKY has noticed over the past year:

A decrease in visual clues

Knowing that both email filters/scanners and humans have been trained to look out for strange looking URLs in the “From:” line and potentially malicious links within email, scammers pulled way back on those more obvious methods this year. In other words, they are resorting to more complex trickery.

Sharp increase in malicious HTML and PDF attachments

Attackers have started installing simple JavaScript tags inside HTML attachments, which take the victim’s browser to a malicious site. This tactic works because most legacy email protection systems don’t scan HTML attachments the way they do the body of the email itself – and even if they do, they do not remove JavaScript. By moving the malicious tag to an HTML attachment, the scammer bypasses the automated protections and now just needs to get the end user to open that attachment. (Kudos to INKY, however, who have been able to catch this new type of phish. They do, in fact, strip JavaScript from HTML attachments and analyze it.)

Multi-step misdirection

The fundamental tactic of any decent magician is to misdirect the audience’s attention with methods (like slight-of-hand) that distract them from what’s really happening right in front of them. So too with cybercriminals; by adding multiple steps to their instructions within an email, the message feels more authentic, and the end user gets thrown off the scent of anything suspicious. For example, INKY has seen a large number of malicious emails this year that ask users to fill out a quick, simple survey. Not only are the messages well-written (yes, they’re finally using editing tools to improve grammar and spelling), but the survey itself looks legitimate, because…it kind of is. Using Microsoft Dynamics 365 Customer Voice, phishers are able to create custom surveys which bypass most security checkpoints. And since this step actually sends the end user to a legitimate survey site, it’s easy to see how people fall victim.

Personalized phishing

By now we’ve all heard about those creepy deepfakes of people’s images.  Well, this phishing tactic essentially creates a deepfake of the recipient’s individual and company identity. By copying (usually from LinkedIn) the look and feel of someone’s domain, the bad guy can craft a phishing message with HTML that truly looks like it is coming from within the person’s own company.

Fake voicemail alerts

Most of us use a voicemail notification and transcription service at our work. When we miss a voicemail, we get an email not only telling us so, but also providing an icon we can click on to either hear the voicemail or get a transcription.  Yes, they’ve figured out how to spoof that as well. The process is complicated (at least to us non-techies), but it involves being taken to a fake login page hosted inside the user’s own machine via encoded JavaScript hidden inside the HTML attachment.  (Please don’t ask for a diagram.)  The good news is that INKY is able to catch this – what they call – “simple encoding”.  The bad news is that I have to follow that statement with the words “for now”. Expect attackers to use even more elaborate ways to hide their work in the future.

The no-text email

This one is clever indeed. Phishers know that any text they send through email will likely have to make it through security gateways to get delivered to the recipient. The solution?  Screenshot the message and send it as an image inside the email body! So what looks like a regular message is in fact just a picture of one. Obviously this doesn’t work if the attacker needs you to click a link; instead they’ll ask you to call a phone number (hello, vishing) in order to complete the scam.  Shout out to INKY again for using optical character recognition (OCR) combined with AI algorithms to spot these types of phony messages.

Using the cloud to obscure the scam

INKY’s report details a couple of ways attackers have used the cloud as a way to give an appearance of legitimacy to their phishing messages. In one case, phishers hacked into a cloud-based customer communications platform called SendGrid. From there, they were able to send out threatening messages, purportedly from the Supreme Court of the United States, to an entire mailing list they had hijacked. The message took the common threatening phishing format:  Click this link to do xyz or we’re coming for your first born!  In a different scenario involving the cloud, the readily available Google Forms was used to give an air of legitimacy to a fake US Small Business Administration application.  And of course, if the recipient clicked to “Apply Now”, they were taken to a credential harvesting site.

All hope is not lost!

INKY, winner of various awards and “Best of” rankings in 2022 for their cutting-edge innovations in email security, is on top of these latest phishing trends.  With their patented Advanced Attachment Analysis and insightful INKY Email Assistant, a dynamic banner that provides warnings to email recipients after this analysis, they’re doing their part. We use it here at CGNET and it’s pretty darn cool, as well as very helpful. And you should still be doing your part with regular, repeated cybersecurity training that stays on top of these latest creative email shenanigans.  Working together, we can all stay safe in 2023!

Written by Jackie Bilodeau

I am the Communications Director for CGNET, having returned to CGNET in 2018 after a 10-year stint in the 1990's. I enjoy hiking, music, dance, photography, writing and travel. Read more about my work at CGNET here.

You May Also Like…

You May Also Like…


Submit a Comment

Your email address will not be published. Required fields are marked *

Translate »
Share This