Industry Insights with Troy Gill

When Cybercriminals Go Phishing, Emails Get the Most Bites

Developing a Multilayered Defense Strategy for the Most Common Attack Techniques
When Cybercriminals Go Phishing, Emails Get the Most Bites

For cybercriminals looking to attack businesses, email continues to be the preferred attack vector. Despite a rapidly changing technology landscape with new innovations such as ChatGPT, cybercriminals are opting to adapt their email-based techniques to improve old tactics rather than create new methods altogether. This is largely because email provides cybercriminals with a direct line of communication to end users.

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

For its 2023 Cybersecurity Threat Report, OpenText Cybersecurity examined more than 13 billion emails sent in 2022 and found email threats were on the rise. Approximately 56% of them were unwanted emails, including spam, phishing, and email with attached malware - a 12.5% increase over 2021's numbers. Of the 7.3 billion unwanted emails, over 1 billion were classified as phishing.

Most Popular Phishing Tactics

Here are the most popular phishing tactics used by cybercriminals to scam businesses, according to the report.

Spear-Phishing and Business Email Compromise Attacks

Instead of sending a large batch of general emails and hoping someone takes the bait, cybercriminals rely on a tactic called spear-phishing, in which they make emails more personalized and complex to better trick recipients.

Cybercriminals opting for business email compromise, or BEC, attacks use spear-phishing tactics to deceive end users into believing they're involved in a real business transaction, with the end goal of getting users' account information to wire money. One of the more popular BEC techniques is when a cybercriminal registers a domain with a name that is very similar to a real and well-known company - a look-alike domain - or creates one or more email addresses similar to those of real employees. The cybercriminals hope email recipients won't notice the slight differences and will fall into their trap.

'Living Off the Land' Attacks

A growing number of phishing attacks leverage legitimate services to fool users. In these attacks, cybercriminals use known and trusted URLs that redirect users to a malicious site or host the phishing payload itself. Because these services are used for various legitimate reasons, they cannot be blocked outright. According to OpenText Cybersecurity's report, Google and Amazon Web Services were the top company names used in 2022 to further legitimize phishing emails.

Leveraging Current Events

Cybercriminals like to use current events to pressure recipients to comply with their demands. For example, a cybercriminal could send a malicious email posing as a company after a highly publicized cyberattack exposed that company's user data. Times of crisis often lead users to make bad decisions due to panic, worry or confusion.

Incorporating Technology That Users Find Reassuring

By now, most internet users are very familiar with CAPTCHA technologies and have become experts at choosing small squares that contain photos of buses, stop signs, or bikes. Cybercriminals now regularly integrate CAPTCHA technologies into their phishing attacks. Because security products such as web scanners are not able to solve CAPTCHAs, they are unable to access and scan the next page, which attackers can then use to host threats.

Using a CAPTCHA tool also tricks users into thinking they are safe from any threats. For example, when cybercriminals targeted financial corporation Truist, they launched a campaign disguised as suspicious activity alerts. Victims were sent an email that included a hyperlink labeled "Finish To-Do List." When they clicked on the link, users were redirected to a page with a Truist-branded CAPTCHA and a box for a phone number - likely another way to add credibility and to record the number to use in future mobile attacks. After the user entered the CAPTCHA code and phone number, they were taken to a Truist-branded credential-harvesting page where the cybercriminals stole valuable information.

Defending Against Email Attacks

Since email attacks target employees on the front lines, the first step every organization should take is implementing a robust cybersecurity training program. An effective program should offer security awareness trainings at least a few times a year as well as phishing attack simulations to keep employees informed and to improve their cybersecurity hygiene. This can teach employees not to automatically trust any email they receive; educate them about verifying email addresses, attachments and links and reporting hacked accounts; and inform them of the latest methods cybercriminals use to deceive end users. Short, three- to five-minute trainings are recommended. If the training sessions are too long, employees will opt out.

The best defense against today's cybercrime landscape is a multilayered security strategy. Using multiple layers of protection provides more robust security and better defense against varying types of attacks.

To learn more about email security, including how to prevent phishing attacks, ransomware and other advanced threats, visit Business Email Security.

About the Author

Troy Gill

Troy Gill

Senior Manager of Threat Research at OpenText Cybersecurity

Troy Gill is a Senior Manager of Threat Research at OpenText Cybersecurity, a division of OpenText. Gill's 16 years of cybersecurity experience has focused primarily email threat mitigation and malware analysis. He has also completed numerous professional certifications including GIAC’s –(GPEN)GIAC Penetration Tester. In his current role, Gill is responsible for analyzing data and identifying cyber threat tactics, methodologies and vulnerabilities that present threats to IT operations. This real-time analysis helps Gill apply immediate improvements to the company’s cyber-analytical tools and disseminate incident reports, threat trends and situational analysis which are essential to keeping customers safe. Gill came to OpenText through the company’s acquisition of Zix/AppRiver where he was instrumental in protecting customer safety by monitoring inbound messaging threats and identifying methods for blocking them. As part of OpenText Cybersecurity, he helps to keep more than 60,000 corporate customers safe from today’s ever evolving IT threats.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.