New Surge in Risky Business Email Compromise Phishing Attacks

By Stephen Kowski, Field CTO, SlashNext

As we approach the 2024 mid-year mark, it’s clear that businesses have been bombarded by a surge in dangerous advanced phishing schemes over the last six months. In fact, organizations of all types and sizes saw a 341% increase in sophisticated Business Email Compromise (BEC) attacks, according to the recent “The State of Phishing Mid-Year 2024” report by SlashNext.

Some of the most prevalent types of BEC threats included gift card scams (21%), social engineering investment scams (16%), purchase renewal scams (14%), social engineering beneficiary scams (12%), and social engineering donation scams (10%).

The latest spike in phishing activity stems from "3D" phishing: immersive, multi-channel campaigns that combine phony attachment-based emails, malicious web links, newer CAPTCHA-gated pages, and even imposter QR codes. In addition, attackers continued to prey on user trust by spoofing legitimate log-in pages for Microsoft SharePoint, AWS, and Salesforce to deliver credential-stealing phishing pages and malware.

Credential phishing across all messaging channels makes up the largest category of phishing attacks today, appearing regularly across email, mobile, social, and collaboration platforms. The risk is highest when the phishing page is hosted on legitimate, trusted infrastructure such as Dropbox or Google Drive, because the hosting domain itself carries a good reputation. SlashNext found a 217% increase in credential harvesting phishing attacks over the last six months. Bad actors typically harvest user credentials as the first step toward ransomware deployment or data exfiltration.

CAPTCHA-based attacks, particularly those using Cloudflare, are also on the rise as a way to mask credential harvesting forms. Attackers use generative AI tools to generate thousands of fake domains and place Cloudflare CAPTCHAs in front of the phishing forms so that automated security scanners, which cannot solve the CAPTCHA, never see the credential harvesting page behind it.

Beyond CAPTCHA-gated pages, QR code-based attacks are also growing in popularity. QR code scams now make up 11% of all malicious emails, and they often redirect to phishing pages hosted on trusted infrastructure. In addition, SMS-based "smishing" attacks have steadily increased, making up 45% of all mobile threats over the last six months.

The threat from BEC phishing attacks continues to gain momentum, especially as ChatGPT and other generative AI chatbots have come into wider use. The speed and heightened complexity of these AI-assisted attacks make it almost impossible for employees to distinguish authentic emails and messages from phishing attempts. New AI-based defense systems can automatically identify malicious phishing messages through a combination of generative AI tools, natural language processing, computer vision, relationship graphs, and contextual analysis.

These latest findings highlight the fast-growing security threats to organizations from BEC and advanced phishing attacks. Attackers are ramping up the use of generative AI, QR Codes, and CAPTCHAs as part of their sophisticated, multi-channel 3D phishing strategies.

Human users can no longer reliably identify such sophisticated attacks, especially when relying on awareness training and traditional security tools that have proven ineffective against them. The only way to fight back against AI-based attacks is to implement AI-powered email and messaging security tools that anticipate and intercept malicious messages before they reach user inboxes.
