Email security and threat detection vendor Vade has found that phishing emails in the third quarter this year increased by more than 31 per cent quarter on quarter, with the number of emails containing malware in the first three quarters surpassing 2021 levels by 55.8 million.
Malware emails in the third quarter of 2022 alone increased by 217 per cent compared to the same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.
According to the report, email is the preferred attack vector for phishing and malware, as it gives hackers a direct channel to users, the weakest link in an organisation’s attack surface. The report analyses phishing and malware data captured by Vade, which does business internationally.
As attacks become more sophisticated, Vade said, they also become increasingly capable of evading the basic security offered by email providers, which almost eight in 10 businesses still rely on, according to Vade’s research.
While the activity of threat actors fluctuates, Vade’s research found that impersonating trusted and established brands remains the most popular strategy for hackers. In the third quarter of 2022, Facebook was the most impersonated brand for the second consecutive quarter, followed by Google, MTB, PayPal, and Microsoft.
The financial services sector remains the most impersonated industry, representing 32 per cent of phishing emails detected by Vade, followed by cloud at 25 per cent, social media at 22 per cent, and internet/telco at 13 per cent.
Phishing attacks are becoming more targeted
As phishing attacks increase, the techniques used by threat actors continue to evolve. While phishing campaigns were traditionally large scale and random, more recent campaigns seen by Vade suggest that hackers have pivoted to using more targeted campaigns.
For example, in the report, Vade highlights an attack it observed in July 2022 where a phishing email impersonated Instagram in order to exploit the social media platform’s verification program. The campaign targets victims with emails that display their actual usernames, showing that the hackers spent time researching their targets before each attack.
Another concerning campaign style outlined in the report takes the form of hackers weaponising legitimate services to transmit and conceal their phishing attacks. For example, Vade said that in September it detected a campaign that exploited Pôle Emploi, a French career website, using it to distribute phishing links to companies looking for job candidates.
"In the attack, hackers apply to job postings and upload a PDF resume containing malicious links," Vade said. "Once submitted, the platform generates an email containing the malicious PDF, which it auto-sends to the recruiting company for review."
According to Vade, this is a new attack strategy that is likely to become more common in the future, as it saves hackers the time and effort of designing an email that impersonates an organisation. It also increases the likelihood of a successful attack by lowering victims’ suspicions of nefarious activity.
Training employees to spot phishing attacks
While providing training to employees about the dangers of phishing is undoubtedly beneficial, earlier this month the UK’s National Cyber Security Centre (NCSC) warned businesses not to become “seduced” by the attractiveness of issuing phishing tests to staff, claiming that most implementations rarely offer “an objective measure” of an organisation’s defences and can “just end up wasting time and effort.”
A blog post on the NCSC’s website explained that responding to emails and clicking on links is an integral part of work, so attempting to stop the habit of clicking is extremely difficult.
“Asking users to stop and consider every email in depth isn't going to leave enough hours in the day to do work,” the post read.
Duane Nicol, senior product manager for awareness training at Mimecast, agreed with this approach, stating that holistic awareness training is far more suitable for keeping users engaged, as it provides more context as to why employees are being asked to do this and how it contributes to their organisation’s overall resilience to cyberattacks.
“With a multi-layered training approach, users are more likely to be engaged in training which would breed a culture of it becoming a norm to report suspicious emails within the workplace and to be more vigilant outside of it too, for example on social media and in their daily lives,” he said.