No, that’s not Microsoft Mail: This is how phishing continues to work

  • August 17, 2023

Email phishing is still the main avenue used by hackers. With new techniques, they outwit both classic defense systems and humans.

A malicious link is quickly clicked. Before you know it, important company data has been stolen or encrypted. Unpatched systems or previously unknown zero-day vulnerabilities are useful for hackers to break into corporate IT infrastructure, but the main attack vector remains far less spectacular: phishing.

Extended due to continued success

Phishing campaigns continue to thrive as attackers develop better and better techniques. However, they must defeat two key layers of defense: the technical security solutions that protect email, and the critical employee who must be persuaded to click.

Complementary studies by security firms Cloudflare and Barracuda show how successful criminals are and remain, despite the seriousness of the email threat having been known for years.

First of all, it is noticeable that classic links in an e-mail are the attackers’ preferred tactic. Cloudflare examined 13 billion emails sent between May 2022 and May 2023 and found that 35.6 percent of the attacks consisted of an email with a link in it.

Email security has been outsmarted

In 89 percent of cases, classic mail authentication does not stop such emails. They outsmart SPF, DKIM, and DMARC checks. These abbreviations stand for methods that are theoretically used to check emails and their senders. In practice, they seem insufficient.

It’s harder to hide a malicious link in an email: a security solution will always detect and block such a link. Hackers solve this problem by sending the email on a Sunday evening, when no one is working. At this point, the link in the email points to a domain that is not yet showing any malicious activity. The email thus passes through the existing filters.

The hackers only change the content of the page to which the link refers on Monday morning. When employees actually read the email, the link takes them to a page that has suddenly become dangerous.

We have already written that not only links are popular, but also files containing malicious code. Since Office blocks macros by default, classic Office documents lose their once immense importance for such attacks. Unfortunately, attackers have many other options. A popular newcomer is the OneNote notebook. Such notebooks allow you to add various things, including malicious code in disguise.

Everyone Microsoft

If an email is in the digital mailbox, the second phase of the attack can begin. Now hackers have to convince an employee to take the email seriously. They have two methods of doing this: mimicking a trusted source and, increasingly, AI.

Attackers very often try to impersonate a trusted company. Over the past year, criminals have designed their emails to look like copies of more than a thousand different legitimate organizations. However, with the vast majority of phishing emails, hackers don’t go too far. One of twenty popular companies is impersonated in 52 percent of attacks.

The loyal reader knows who the most popular victim is: Cloudflare, like Check Point, noted earlier this month that attackers prefer to impersonate Microsoft. Additionally, the top 20 differs a bit, but it won’t surprise you that Google, Salesforce, Apple, MasterCard, Facebook, and Instagram also do well.

Specifically in the SaaS world, Cloudflare notes that in addition to Salesforce, Box, Zoom, 1Password, Workday, ServiceNow, and NetSuite are also popular disguises for phishing campaigns. It will come as no surprise to anyone that almost the entire portfolio of popular and not so popular social media services is being abused.
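The sections on mail authentication and brand impersonation fit together: SPF, DKIM and DMARC validate the sending domain, not the brand shown in the display name. The following added example (not from the article or the cited reports) flags a message that passes all three checks yet claims a brand its domain does not belong to; the brand-to-domain mapping and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping of protected brands to domains they legitimately send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "salesforce": {"salesforce.com"},
}

# Constructed sample: the attacker authenticates a domain they control.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-secure.example;
 dkim=pass header.d=mail-secure.example; dmarc=pass header.from=mail-secure.example
From: "Microsoft Account Team" <no-reply@mail-secure.example>
Subject: Unusual sign-in activity

Review your account.
"""

# Constructed sample: same brand claim, sent from a domain on the brand's list.
SAMPLE_LEGIT = SAMPLE_PHISH.replace("mail-secure.example", "microsoft.com")

def auth_results(msg):
    """Extract the spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "").lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))

def registered_domain(address):
    # Simplification (assumption): last two labels. Use the Public Suffix List in production.
    host = address.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])

def assess(raw):
    """Report whether the mail authenticated and which brands it falsely claims."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    domain = registered_domain(address)
    verdicts = auth_results(msg)
    authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    claimed = [b for b in BRAND_DOMAINS if b in display.lower()]
    spoofed = [b for b in claimed if domain not in BRAND_DOMAINS[b]]
    return {"domain": domain, "authenticated": authenticated, "impersonates": spoofed}

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

A message that is both authenticated and on the impersonation list is the case that authentication-only filtering lets through.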

Fool with AI

Barracuda Networks, meanwhile, is finding that criminals are using AI to add a more personal touch to more generic phishing campaigns. ChatGPT, for example, is a handy tool for sending emails in Dutch (or any other language) without typos or strange sentence constructions.

According to the security specialist, attackers also use AI to scan their targets’ social media channels and compile relevant emails from them. This approach is not new either: data that is publicly available on the Internet is a worthwhile source for hackers who want to compose a targeted phishing email. AI makes it easier to carry out such attacks on a larger scale.

These SaaS brands are most commonly impersonated:

  • Salesforce
  • Notion.so
  • Box
  • 1Password
  • Zoom
  • Rapid7
  • Marketo
  • ServiceNow
  • NetSuite
  • Workday

BEC

In more targeted but also more dangerous attacks, hackers don’t pretend to be companies, but rather people. In doing so, they do their research and attempt to engage in legitimate-looking conversations to get something done. This is possible, for example, if a hacker has previously gained access to a colleague’s or business partner’s mailbox.

So-called Business Email Compromise (BEC) attacks are very simple in concept, but very dangerous. Imagine an attacker has gained access to a supplier’s email address. Your accounting department will now receive an email from this legitimate domain that looks very reliable and contains references to previous conversations. It also contains a request to change an account number for future payments. If the recipient falls for it, a lot of money can end up in a fraudulent account before the alarm goes off.

The danger should not be underestimated. According to Cloudflare, ransomware caused $34.3 million in damage from 2,385 complaints last year. For BEC, 21,832 complaints resulted in $2.7 billion in losses.

Can you do something?

Attackers can therefore easily outwit classic email defenses, embed malicious links and documents in emails, impersonate a recognizable company via professional-looking emails and even take over the mailboxes of colleagues or business partners. Phishing is ubiquitous and has little to do with Nigerian princes. Are you a sitting duck, then?

It’s not that bad, although it’s not enough to just buy a new security technology and mark the problem as solved.

First and foremost, ensure modern security in your company. A firewall on the outside with a fully trusted environment on the inside no longer works. Sooner or later an attacker will intrude. Therefore, follow a modern security strategy. Zero trust is a good idea, multi-factor authentication (MFA) is a must.

You should also think carefully about policies and access rights: the fewer people have access to the large server folder with all trade secrets, the less likely it is that it will leak.

There are some things you can do specifically against phishing to keep malicious emails out. Make sure employees can’t just open every link, and monitor mailboxes for suspicious behavior. We are seeing more and more solutions where attachments and links from emails are opened in isolation from the operating system. This reduces the chance that a malware attack will be successful. Don’t blindly trust your email security.

A question of culture

One of the most important things you can do is invest in culture. Awareness should help the whole organization get a little paranoid about email, while also creating an environment where nobody points fingers and people feel comfortable asking questions. Simulated phishing campaigns help create such awareness and culture, but training also helps.

An accounting department full of talented accountants might not know that criminals nowadays like to break into other companies to steal money. It’s up to you to make that clear. Phishing is here to stay, so think about a protection strategy.

Source: IT Daily
