A staggering 92% of organizations experienced an average of six credential compromises caused by email-based social engineering attacks in 2023, according to a new report by cybersecurity firm Barracuda. These insidious tactics, which prey on human vulnerabilities, continued dominating the threat landscape, with scamming and phishing accounting for 86% of all social engineering attacks last year.
Emerging Trends in Social Engineering Techniques
While conversation hijacking, a technique where attackers compromise business accounts through phishing and monitor communications to craft convincing messages, accounted for only 0.5% of social engineering attacks in 2023, it represents a staggering 70% increase compared to the previous year. This sophisticated tactic allows cybercriminals to gather sensitive information about deals, payment procedures, and other operational details, impersonating trusted entities and tricking victims into authorizing fraudulent transactions or updating payment information.
Business Email Compromise (BEC): A Persistent Threat
Business email compromise (BEC) attacks, where hackers impersonate executives to trick employees into transferring funds or sensitive data, remained a prominent threat in 2023. These attacks accounted for 10.6% of all social engineering incidents, up from 8% in 2022, highlighting the persistent allure of this lucrative technique for cybercriminals.
Extortion: Holding Data Hostage for Ransom
Another alarming trend involved extortion attacks, where cybercriminals threaten to expose sensitive or embarrassing content to their victims’ contacts unless a ransom is paid. These attacks accounted for 2.7% of the total social engineering attacks in 2023, underscoring the growing prevalence of this nefarious tactic.
Exploiting Legitimate Services for Malicious Gain
The report also sheds light on the evolving use of legitimate services by attackers to target employees through social engineering techniques. Gmail emerged as the most commonly abused email domain, accounting for a staggering 22% of all attacks last year. Other popular free webmail services exploited by hackers included Outlook (2%), Hotmail (1%), iCloud (1%), and Mail.com (1%), while all other domains accounted for 73% of attacks.
Notably, attacks originating from Gmail domains were heavily skewed towards BEC, with over 50% of such attacks falling into this category, followed by scamming at 43%.
Malicious URL Obfuscation through Shortening Services
Cybercriminals also demonstrated a growing reliance on popular commercial URL shortening services to embed malicious links in phishing emails, effectively disguising the true nature and destination of these links. The most widely used shortening service in 2023 was bit.ly, leveraged in nearly 40% of attacks involving shortened URLs. X’s (formerly Twitter) shortening service came in second, utilized in 16% of such attacks, marking a significant shift from 2020 when it accounted for around two-thirds (64%) of these attacks.
The Rise of QR Code Phishing Attacks
Another notable development in the realm of social engineering was the significant rise in QR code phishing attacks towards the end of 2023. Approximately 5% of mailboxes were targeted with these attacks in the final quarter of the year, a concerning trend highlighting cybercriminals’ ever-evolving tactics.
In these attacks, cybercriminals embed QR codes in phishing emails, prompting unsuspecting users to scan the code and visit a fake page masquerading as a trusted service or application. These pages are designed to trick users into downloading malware or entering their login credentials, effectively compromising their accounts and data.
Evading Traditional Security Measures
QR code attacks pose a unique challenge as they circumvent traditional email filtering methods, which rely on detecting embedded links or malicious attachments. Furthermore, these attacks leverage personal devices, such as phones or tablets, which are often not protected by corporate security software, providing cybercriminals with a potential entry point into organizational networks and systems.
