Email threats never stop evolving – these are the latest trends to know about
The 2024 Data Breach Investigations Report carries the stark statistic that it takes less than a minute for someone to fall for a phishing scam. This includes 21 seconds for the recipient to click on a malicious link after opening the email and another 28 seconds to enter the requested data.
Email-based attacks are not just fast — they are widespread and successful. This is because they are relatively low-cost, easy to implement, and can be scaled and adapted as new tools and capabilities become available.
In the last few months, we've released several research papers on email threats and how they're evolving based on our detection data and threat intelligence. Taken together, they show a threat that is forever adapting to a changing digital landscape by leveraging new tools and techniques to bypass detection and boost the chances of success.
Among other things, we found that:
- The proportion of more advanced and targeted email-based threats is increasing steadily year on year: business email compromise (BEC) now accounts for more than one in 10 social engineering attacks, while conversation hijacking has risen by 70% since 2022.
- Attackers are leveraging QR codes, popular webmail services, and URL shorteners to conceal their intentions and trick more victims. Most recently, we reported on the abuse of legitimate and trusted URL protection services to conceal malicious links in phishing emails.
- We also discovered that company size is a significant variable when it comes to the email threat types that you are most likely to face.
Company size as a variable
All companies, regardless of their size, are vulnerable to email threats, but they are vulnerable in different ways.
An analysis of our detection data shows that 42% of targeted email attacks against larger companies involve lateral phishing, where attacks are sent to mailboxes across the organization from an already compromised internal account. Just 2% of attacks against companies with up to 100 employees fall into this category.
Smaller companies are the most likely to be hit with external phishing attacks. These account for 71% of targeted email threats in 12 months, compared to 41% for the largest companies.
Smaller companies also experience around three times as many extortion attacks as their larger counterparts. Extortion attacks comprise 7% of targeted incidents for the smallest businesses, compared to 2% for those with 2,000 employees or more.
The prevalence of BEC and conversation hijacking remained relatively consistent regardless of company size.
These variations are likely influenced by a range of organizational, cultural and technological factors. For example, larger companies, with many mailboxes and employees, offer attackers more potential entry points, multiple communication channels to disseminate malicious messages across the business, and employees who are likely to trust email messages that appear to come from within the organization, even if the sender is unfamiliar to them. Smaller companies, on the other hand, are less likely to have layered security in place and more likely to have misconfigured email filters due to a lack of in-house skills and resources.
Using novel tactics to trick targets
Our research also found that around 1 in 20 mailboxes were targeted with QR code attacks in the last quarter of 2023. QR code attacks are difficult to detect using traditional email filtering methods. They also take victims away from corporate machines and force them to use a personal device, such as a phone or iPad, which isn't protected by corporate security software.
We noted that Gmail accounted for just under a quarter of the domains used for social engineering attacks in 2023, according to our data, and that bit.ly was used in nearly 40% of social engineering attacks that include a shortened URL. URL shorteners condense the link, so the actual link of the site becomes obscured with random letters or numbers. Using this tactic can disguise the true nature and destination of the link.
Most recently, we saw attackers exploit trusted URL protection services to conceal malicious links in phishing attacks. Attackers were taking advantage of different URL protection services provided by reputable brands to mask their phishing URLs. They likely gained access to the protection service after compromising the accounts of legitimate users. This inventive tactic helps attackers to evade security detection, and the abuse of trusted, legitimate security brands means that recipients are more likely to feel reassured and click on the malicious link.
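A triage sketch for the link-concealment tactics described in this section, added here as an example and not taken from the original research: it extracts links from an email's HTML part and flags shortener hosts and wrapper links that carry another URL inside a query parameter, so they can be resolved and inspected before delivery. Only bit.ly comes from the article; the other shortener hosts, protect.example.com, the query-parameter wrapper layout and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# bit.ly is named in the article; the other hosts are assumed additions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed sample message; hosts and paths are placeholders.
SAMPLE = """From: billing@example.org
Subject: Invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://bit.ly/3xAmPlE">View invoice</a>
<a href="https://protect.example.com/v2/url?u=https%3A%2F%2Flogin.example.net%2Fverify&amp;id=1">Portal</a>
<a href="https://www.example.com/help">Help</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag fed to it."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.append(href)

def classify(url):
    """Return (kind, inner_host); inner_host is set only for wrapped links."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in SHORTENERS:
        return "shortener", None      # destination is opaque until resolved
    for _, value in parse_qsl(parts.query):   # parse_qsl percent-decodes values
        if re.match(r"https?://", value, re.I):
            return "wrapped", urlsplit(value).hostname
    return "direct", None

def triage(raw_email):
    """List (url, kind, inner_host) for each link in the text/html parts."""
    collector = LinkCollector()
    for part in message_from_string(raw_email).walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    return [(url, *classify(url)) for url in collector.links]
```

A link flagged as a shortener or wrapper is not malicious on that basis alone; the flag only marks where the visible host says nothing about the final destination, which is the property the attacks above rely on.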
How to stay safe
IT and security professionals need to stay focused on the evolution of email threats and what this means for security measures and incident response. This involves understanding how attackers can leverage generative AI to advance and scale their activities and the latest tactics they're using to make it past security controls.
The best defence is AI-powered email security technology that can adapt quickly to a changing landscape and which doesn't solely rely on looking for malicious links or attachments, complemented by active and regular security awareness training for employees on the latest threats and how to spot and report them.
Smaller companies may also wish to consider turning to a managed service provider for additional expertise and support in hardening their security environment against all threats.