When Cybercriminals Go Phishing, Emails Get the Most BitesDeveloping a Multilayered Defense Strategy for the Most Common Attack Techniques
For cybercriminals looking to attack businesses, email continues to be the preferred attack vector. Despite a rapidly changing technology landscape with new innovations such as ChatGPT, cybercriminals are opting to adapt their email-based techniques to improve old tactics rather than create new methods altogether. This is largely because email provides cybercriminals with a direct line of communication to end users.
For its 2023 Cybersecurity Threat Report, OpenText Cybersecurity examined more than 13 billion emails sent in 2022 and found email threats were on the rise. Approximately 56% of them were unwanted emails, including spam, phishing, and email with attached malware - a 12.5% increase over 2021's numbers. Of the 7.3 billion unwanted emails, over 1 billion were classified as phishing.
Most Popular Phishing Tactics
Here are the most popular phishing tactics used by cybercriminals to scam businesses, according to the report.
Spear-Phishing and Business Email Compromise Attacks
Instead of sending a large batch of general emails and hoping someone takes the bait, cybercriminals rely on a tactic called spear-phishing, in which they make emails more personalized and complex to better trick recipients.
Cybercriminals opting for business email compromise, or BEC, attacks use spear-phishing tactics to deceive end users into believing they're involved in a real business transaction, with the end goal of getting users' account information to wire money. One of the more popular BEC techniques is when a cybercriminal registers a domain with a name that is very similar to a real and well-known company - a look-alike domain - or creates one or more email addresses similar to those of real employees. The cybercriminals hope email recipients won't notice the slight differences and will fall into their trap.
'Living Off the Land' Attacks
A growing number of phishing attacks leverage legitimate services to fool users. In these attacks, cybercriminals use known and trusted URLs that redirect users to a malicious site or host the phishing payload itself. Because these services are used for various legitimate reasons, they cannot be blocked outright. According to OpenText Cybersecurity's report, Google and Amazon Web Services were the top company names used in 2022 to further legitimize phishing emails.
Leveraging Current Events
Cybercriminals like to use current events to pressure recipients to comply with their demands. For example, a cybercriminal could send a malicious email posing as a company after a highly publicized cyberattack exposed that company's user data. Times of crisis often lead users to make bad decisions due to panic, worry or confusion.
Incorporating Technology That Users Find Reassuring
By now, most internet users are very familiar with CAPTCHA technologies and have become experts at choosing small squares that contain photos of buses, stop signs, or bikes. Cybercriminals now regularly integrate CAPTCHA technologies into their phishing attacks. Because security products such as web scanners are not able to solve CAPTCHAs, they are unable to access and scan the next page, which attackers can then use to host threats.
Using a CAPTCHA tool also tricks users into thinking they are safe from any threats. For example, when cybercriminals targeted financial corporation Truist, they launched a campaign disguised as suspicious activity alerts. Victims were sent an email that included a hyperlink labeled "Finish To-Do List." When they clicked on the link, users were redirected to a page with a Truist-branded CAPTCHA and a box for a phone number - likely another way to add credibility and to record the number to use in future mobile attacks. After the user entered the CAPTCHA code and phone number, they were taken to a Truist-branded credential-harvesting page where the cybercriminals stole valuable information.
Defending Against Email Attacks
Since email attacks target employees on the front lines, the first step every organization should take is implementing a robust cybersecurity training program. An effective program should offer security awareness trainings at least a few times a year as well as phishing attack simulations to keep employees informed and to improve their cybersecurity hygiene. This can teach employees not to automatically trust any email they receive; educate them about verifying email addresses, attachments and links and reporting hacked accounts; and inform them of the latest methods cybercriminals use to deceive end users. Short, three- to five-minute trainings are recommended. If the training sessions are too long, employees will opt out.
The best defense against today's cybercrime landscape is a multilayered security strategy. Using multiple layers of protection provides more robust security and better defense against varying types of attacks.
To learn more about email security, including how to prevent phishing attacks, ransomware and other advanced threats, visit Business Email Security.