The phishing threat landscape evolves
Phishing is on the rise. Egress' latest Phishing Threat Trends Report shows a 28 percent surge in attacks in the second quarter of 2024 alone. But what’s behind the increase? There are a few factors in play. Like any other form of threat, phishing is becoming more sophisticated, with hackers now having access to a variety of new AI-powered tools to generate email messages, payloads, and even deepfakes.
Further, these technologies and the cyberattacks they can create are now easier to access than ever, especially as more hackers tap into the professional services on offer from a mature and diverse Crime as a Service (CaaS) ecosystem of providers selling everything from the mechanisms to create attacks to pre-packaged phishing toolkits that promise to evade native defenses and secure email gateways (SEGs).
For example, threat actors can use AI in every aspect of phishing -- from speeding up intelligence gathering on potential targets, to creating and automating the sending of highly personalized attacks. AI improves the speed and scale of attack creation, making it easier for even relatively inexperienced cybercriminals to launch sophisticated campaigns. As access to AI-powered tools opens up, deepfakes are also becoming more common. Here, attackers are targeting multiple channels to bypass security measures, such as beginning with phishing emails containing a link to a video meeting featuring a deepfake.
Key trends from 2024
Between January 1 and August 31, 44 percent of attacks were sent from compromised accounts, enabling cybercriminals to bypass authentication protocols. Specifically, 8 percent of attacks originated from an account within an organization’s supply chain. Compromised accounts allow attackers to bypass security measures and gain access to the victim's existing relationships and target lists, making the attack more effective.
The most prevalent payloads were hyperlinks, found in 45 percent of cases, followed by attachments, which appeared in 23 percent. Following a sharp rise in the last 12 months, quishing (QR code phishing) is now firmly embedded in the threat landscape, with cybercriminals using these image-based attacks to elude detection by native security software and SEGs.
Commodity attacks
Attackers don’t only rely on new tools and payloads to increase their phishing success rates; they also rely on a range of tactics when targeting organizations. Commodity attacks are one such tactic that is currently rising in popularity. These are large-scale phishing campaigns where the hacker sends a significantly high volume of attacks in a single wave. Often sent to email addresses linked to a public data breach, the goal is to overwhelm the security team and the recipients, either so mistakes are made or so that one or two targeted and damaging spear phishing attacks are less likely to be spotted.
During a commodity campaign, on average organizations experience a staggering 2,700 percent increase in phishing attacks compared to their normal baseline. We also found that these attacks are primarily image-based, with 51.1 percent featuring a single image. Almost two-thirds include hyperlinks (72.3 percent) and randomize elements like links and display names to evade detection by traditional signature-based and reputation-based security.
Impersonation attacks
A staggering 89 percent of phishing emails now involve impersonation, with Adobe being the most impersonated brand between January 1 and August 31, 2024. It is also common to see emails impersonating phone or video conferencing providers, such as Zoom, and delivery services like UPS or DPD, which draw users in with ‘missed voicemail’ or ‘missed delivery’ campaigns.
The next most common impersonation attacks involve posing as the recipient’s company, accounting for 16 percent of these phishing emails. HR is the most frequently impersonated department for these types of attacks. Additionally, cybercriminals can use LinkedIn, company websites, and even news announcements to identify new hires at target organizations, which they then leverage to launch impersonation and social engineering attacks against them. New employees are the most targeted individuals for phishing emails impersonating VIPs, as part of CEO fraud attacks.
Protecting the organization from phishing attacks
There are measures that organizations must take to enhance their defenses against the evolving phishing threat landscape and better protect themselves and their employees.
There are some best practices to strengthen the human firewall. It’s important to understand and communicate what normal looks like for brands and suppliers as a first step to detecting impersonation. Organizations should also look to standardize and validate communication channels, especially for roles like HR and IT. Additionally, organizations should assess their vulnerability to supply chain and vendor-based compromises.
It’s key to empower employees to validate communications. Normalize employees saying, ‘let me call you back on the number I have for you on record’ to ensure the person with whom they are interacting is genuine.
Cybercriminals are engineering their attacks to evade the detection used by email platforms and SEGs. So, it’s time for organizations to level up their technical defenses. While cybercriminals are deploying AI for malicious purposes, the technology can also be leveraged to understand normal communication patterns and behavior for individuals and organizations to better detect anomalies and prevent phishing.
Our latest Phishing Threat Trends Report offers a sobering glance into the multifaceted world of phishing strategies in 2024, which will only grow more complex in 2025 and beyond. It reveals a clear escalation in attack sophistication on a larger scale, leveraging more tools and innovative technologies, like AI, that make it more difficult for legacy technologies and people to spot an attack. Companies must adapt their security approach and implement a multi-layered strategy to evolve quicker than the attackers.
Jack Chapman is SVP of Threat Intelligence at Egress, a KnowBe4 company