Our partners at cybersecurity firm INKY just came out with their “Email Security Annual Report” for 2022-2023, chock full of statistics, predictions and trends. With phishing attacks growing by a whopping 1,179% in just the past 5 years – meaning that the number of reported phishing attacks in 2021 was nearly 13 times higher than 5 years ago – it is more important than ever to take a look at the data and prepare for what’s to come. While those statistics come from the FBI, INKY themselves have witnessed an “equally egregious level of activity from bad actors”. They’ve seen alarming increases in dangerous emails that include malicious HTML attachments, cryptocurrency scams and CEO impersonation attempts.
New and trickier tricks
We all know that cybercrime is a fluid, progressive game: Once the bad guys realize we’ve got them figured out, they just get more creative to keep their game going. They have two main audiences to fool. First, they have to trick any security platform that’s in place (email filters, Secure Email Gateways). Next, they’re ready to fool the human reading the email. Toward that effort, INKY saw “several new phish entering the pool” in 2022. These new species included things like emails with no text at all (don’t worry, I’ll make sense of that later) and the exploitation of cloud-based forms.
Top trends in phishing
Here’s a look at some of the trends INKY has noticed over the past year:
A decrease in visual clues
Knowing that both email filters/scanners and humans have been trained to look out for strange-looking URLs in the “From:” line and potentially malicious links within email, scammers pulled way back on those more obvious methods this year. In other words, they are resorting to more complex trickery.
Sharp increase in malicious HTML and PDF attachments
The fundamental tactic of any decent magician is to misdirect the audience’s attention with methods (like sleight of hand) that distract them from what’s really happening right in front of them. So too with cybercriminals: by adding multiple steps to their instructions within an email, the message feels more authentic, and the end user gets thrown off the scent of anything suspicious. For example, INKY has seen a large number of malicious emails this year that ask users to fill out a quick, simple survey. Not only are the messages well-written (yes, they’re finally using editing tools to improve grammar and spelling), but the survey itself looks legitimate, because…it kind of is. Using Microsoft Dynamics 365 Customer Voice, phishers are able to create custom surveys which bypass most security checkpoints. And since this step actually sends the end user to a legitimate survey site, it’s easy to see how people fall victim.
By now we’ve all heard about those creepy deepfakes of people’s images. Well, this phishing tactic essentially creates a deepfake of the recipient’s individual and company identity. By copying (usually from LinkedIn) the look and feel of someone’s domain, the bad guy can craft a phishing message with HTML that truly looks like it is coming from within the person’s own company.
Fake voicemail alerts
The no-text email
This one is clever indeed. Phishers know that any text they send through email will likely have to make it through security gateways to get delivered to the recipient. The solution? Screenshot the message and send it as an image inside the email body! So what looks like a regular message is in fact just a picture of one. Obviously this doesn’t work if the attacker needs you to click a link; instead they’ll ask you to call a phone number (hello, vishing) in order to complete the scam. Shout-out to INKY again for using optical character recognition (OCR) combined with AI algorithms to spot these types of phony messages.
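As an added defensive illustration (not code from INKY’s report or from CGNET), here is a small Python heuristic for the “no-text” pattern: it flags a message that shows an image (an attached MIME image part or an <img> tag in an HTML body, so it also covers remote-hosted screenshots) but carries fewer than a handful of machine-readable words. The sample messages, addresses and PNG bytes are constructed, and the five-word threshold is an assumption to tune for your own mail stream.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

IMG_TAG = re.compile(r"<img\b", re.I)
HTML_TAG = re.compile(r"<[^>]+>")


def text_and_image_count(msg: EmailMessage) -> tuple[str, int]:
    """Collect the readable text and count images (MIME image parts plus
    <img> tags in HTML bodies, so remote-hosted screenshots count too)."""
    chunks, images = [], 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            images += 1
        elif ctype == "text/plain":
            chunks.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            images += len(IMG_TAG.findall(html))
            chunks.append(HTML_TAG.sub(" ", html))  # rough tag strip, enough for a word count
    return " ".join(chunks), images


def is_image_only_email(raw: str, min_words: int = 5) -> bool:
    """Flag a message that shows an image but carries fewer than min_words
    words of machine-readable text: the screenshot-as-body pattern."""
    text, images = text_and_image_count(message_from_string(raw, policy=default))
    return images > 0 and len(text.split()) < min_words


def build_sample(body_text: str, with_image: bool) -> str:
    """Constructed sample message: placeholder addresses and fake PNG bytes."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.net"
    msg["Subject"] = "Action required"
    msg.set_content(body_text)
    if with_image:
        msg.add_related(b"\x89PNG\r\n\x1a\n(fake image bytes)", maintype="image",
                        subtype="png", cid="<screenshot1>")
    return msg.as_string()


if __name__ == "__main__":
    print(is_image_only_email(build_sample("", with_image=True)))  # True: picture, no words
    print(is_image_only_email(build_sample(
        "Hi team, the revised invoice is attached for your review.", with_image=True)))  # False
```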
Using the cloud to obscure the scam
INKY’s report details a couple of ways attackers have used the cloud to give an appearance of legitimacy to their phishing messages. In one case, phishers hacked into a cloud-based customer communications platform called SendGrid. From there, they were able to send out threatening messages, purportedly from the Supreme Court of the United States, to an entire mailing list they had hijacked. The message took the common threatening phishing format: Click this link to do xyz or we’re coming for your firstborn! In a different scenario involving the cloud, the readily available Google Forms was used to give an air of legitimacy to a fake US Small Business Administration application. And of course, if the recipient clicked “Apply Now”, they were taken to a credential harvesting site.
All hope is not lost!
INKY, winner of various awards and “Best of” rankings in 2022 for their cutting-edge innovations in email security, is on top of these latest phishing trends. With their patented Advanced Attachment Analysis and insightful INKY Email Assistant, a dynamic banner that provides warnings to email recipients after this analysis, they’re doing their part. We use it here at CGNET and it’s pretty darn cool, as well as very helpful. And you should still be doing your part with regular, repeated cybersecurity training that stays on top of these latest creative email shenanigans. Working together, we can all stay safe in 2023!