A new study from security firm Tessian highlights the sophisticated techniques threat actors use to evade detection and trick employees. Between July 2020 and July 2021, two million malicious emails bypassed traditional email defenses such as secure email gateways, placing many employers at risk of data breach and cyber fraud.
According to the study, the retail industry was targeted far more than any other, with the average employee in this sector receiving 49 malicious emails a year. This is significantly higher than the overall average of 14 emails per user per year. Employees in the manufacturing industry were also identified as major targets, with the average worker receiving 31 malicious emails a year.
The most common technique employed by the attackers was display name spoofing (19%), where the attacker sets the visible sender name to that of someone the victim recognizes while the message is actually sent from an unrelated address. Domain impersonation, where the attacker registers a lookalike domain so that the sending address itself resembles a legitimate one, was used in 11% of the threats discovered. The brands most likely to be impersonated were Microsoft, ADP, Amazon, Adobe Sign, and Zoom.
Threat actors also targeted employees in the legal and financial services industries through account takeover attacks. In this method, the malicious emails are sent from a trusted vendor's or supplier's legitimate email address that the attacker has compromised. Because the message originates from the real mailbox, a secure email gateway will likely not flag it as suspicious, and to the person receiving it, it looks like the real deal.
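The two header-level techniques above, display name spoofing and lookalike-domain impersonation, can be caught with simple checks on the From: header, while the account-takeover case cannot. The following Python is an added example written for this page, not code from Tessian or the study; the sender directory, the protected-brand list, and every sample header are constructed and hypothetical. It flags a recognised display name arriving from a domain that name never uses, folds common confusable characters (0 for o, rn for m, and so on) before comparing a domain against protected brands, and shows that a message from a vendor's genuine mailbox passes both checks cleanly.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed data for this example; not from the Tessian study.
# Brand domains whose impersonation we care about (sorted so results are deterministic).
PROTECTED_DOMAINS = ("adobe.com", "adp.com", "amazon.com", "microsoft.com", "zoom.us")

# Hypothetical sender directory: lowercase display name -> domains it legitimately sends from.
KNOWN_SENDERS = {
    "jane doe": {"example.com"},            # an internal executive
    "acme billing": {"acme-supplier.com"},  # a trusted vendor
    "microsoft": {"microsoft.com"},
}

# Substitutions attackers use to build lookalike domains; folded away before comparison.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def fold(domain):
    """Normalise a domain so visually similar spellings collapse to one form."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-.]", "", d)  # 'micro-soft.com' and 'microsoft.com' both fold to 'microsoftcom'


def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as transposed letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None."""
    domain = domain.lower()
    for real in PROTECTED_DOMAINS:
        if domain == real or domain.endswith("." + real):
            return None  # the genuine domain or a real subdomain of it
    folded = fold(domain)
    for real in PROTECTED_DOMAINS:
        brand = fold(real.split(".")[0])
        # Substring match is deliberately greedy (it also hits e.g. amazonaws.com);
        # pair it with an allowlist of partner domains in production.
        if brand in folded or edit_distance(folded, fold(real)) <= 2:
            return real
    return None


def classify(from_header):
    """Classify a raw From: header value. Returns (verdict, detail)."""
    name, addr = parseaddr(from_header)
    name = str(make_header(decode_header(name)))  # undo RFC 2047 encoded-word display names
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    key = name.strip().lower()
    # 1. Display name spoofing: a recognised name sent from a domain it never uses.
    for known, domains in KNOWN_SENDERS.items():
        if known in key and domain not in domains:
            return ("display_name_spoof", f"{name!r} expected from {sorted(domains)}, got {domain!r}")
    # 2. Domain impersonation: the sending domain itself imitates a protected brand.
    target = lookalike_of(domain)
    if target:
        return ("lookalike_domain", f"{domain} imitates {target}")
    # 3. Anything else, including mail from a compromised but genuine vendor mailbox.
    return ("clean", domain)


# Constructed sample headers for the scan below.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <jane.doe.cfo@gmail.com>',
    "Microsoft Account Team <no-reply@mail-secure-update.net>",
    "IT Support <helpdesk@micros0ft-login.com>",
    "Acme Billing <invoices@acme-supplier.com>",  # real vendor address: an account takeover passes
]


def scan(headers=SAMPLE_HEADERS):
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for header, (verdict, detail) in zip(SAMPLE_HEADERS, scan()):
        print(f"{verdict:20} {header}  [{detail}]")
```

The last sample is the point of the account-takeover paragraph: the vendor's real address has nothing wrong with its display name or domain, so neither check fires, and authentication results (SPF, DKIM, DMARC) would pass as well. Detecting that case needs context beyond the header, such as a change in the sender's usual tone, timing, or payment instructions.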
Interestingly, less than one quarter (24%) of the emails examined in the study contained an attachment, while 12% contained neither a URL nor a file, the typical indicators of a phishing attack. Links, however, still prove to be a popular and effective payload, with 44% of malicious emails containing a URL.
The study also found that threat actors tend to deliver malicious emails around 2 p.m. and 6 p.m., in the hope that a phishing email sent late in the afternoon will slip past a tired or distracted employee.
“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear phishing email. Why? Because they reap the biggest rewards. The problem is that these types of attacks are evolving every day. Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organizations’ last line of defense. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them. Even with training, people will make mistakes or be tricked,” said Josh Yavor, Tessian’s CISO.
“Businesses need a more advanced approach to email security to stop the threats that are getting through – the attacks that are causing the most damage – because it’s not enough to rely on your people 100% of the time,” he added.