Phishing campaigns by nefarious groups and individuals typically work by getting someone to open an attachment or click the wrong link. Cybercriminals employ such phishing efforts to obtain sensitive information and login credentials by disguising as a trustworthy organization or reputable person.

These have long been used in email communication, where “spoofing” is commonly employed – making it look like someone received an email from a legitimate company, such as PayPal, eBay, a bank or other common institution. Just this past summer, Microsoft warned that roughly 10,000 businesses were attacked in a months-long adversary-in-the-middle (AiTM) campaign that began as early as September 2021.

What was especially worrisome with that attack was that it often bypassed multi-factor authentication (MFA), and in the process stole passwords, and even hijacked a user’s sign-in session. The attackers subsequently used the stolen credentials and session cookies to access users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.

The New Normal with Phishing Emails

Such a brazen attack shouldn’t be seen as a one-off. Phishing campaigns have increasingly been shifting from personal to business-related subjects including internal request and updates from human resources (HR), information technology (IT), and managers.

According to the newly published Q3 2022 global phishing report from security awareness training and simulated phishing platform KnowB4, nearly 19% of phishing emails were bypassed by the commonly employed anti-malware app Microsoft Defender. Experts have warned such technology, including email filters, shouldn’t be relied on as the sole method of protection against malicious email.

“Unfortunately, email phishing will continue to be a thorn in our side for the foreseeable future, and although the top email subjects may change a bit, rarely is it a drastic change. One of the most important steps people can use to help stay safe from these attacks is to stay alert for emotional manipulation,” Erich Kron, security awareness advocate at KnowBe4, told ClearanceJobs.

“Any time a person receives an email, a text message, or even a phone call that causes a strong emotional response, they should take a deep breath and think hard about the message,” Kron added.

Break the Routine

The recent report further warned that business phishing emails have always been effective and continue to be successful because of their potential to affect a user’s workday and routine.

It is important to note this is actually a considerably “low tech” threat vector, and it relies not on “hacking” of a computer system with code or software, but rather by social engineering. This is certainly the case, as the phishing test results revealed that 40% of email subjects were HR-related, which created a sense of urgency for users to act quickly, sometimes before thinking logically and taking the time to question the email’s legitimacy.

Moreover, the phishing test also revealed the top vector for this quarter to be phishing links in the body of an email. Those combined tactics can have destructive outcomes for organizations and lead to a multitude of cyberattacks such as ransomware and business email compromise.

“Most of these attacks that people fall for are because they cause the strong response,” explained Kron. “Whether the response is due to fear that the IT department sending a spooky sounding message about an internet report, or if it’s the HR department changing the dress code, the way these work is the same, they tug on emotions.”

About the only silver lining was that this shift in phishing efforts has shown fewer such campaigns involved personal-related emails, including those from social media. In fact, the Q3 phishing report’s findings were the first of this year that didn’t attribute social networking or social media sites as a top email subject category.

 

Related News

Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.