Business email compromise (BEC) attacks have surged over the past year-and-a-half, while scams designed to part users with their money remain a persistent phishing threat, according to Barracuda Networks.
Volume 5 of the security vendor’s Spear Phishing: Top Threats and Trends report details the activity of targeted email threats during the period August-October 2020, distilled from 2.3 million attacks during the period.
Barracuda Networks has created 13 classes of email threat, which are not mutually exclusive: spam, malware, BEC, data exfiltration, URL phishing, scamming, spear-phishing, domain impersonation, brand impersonation, extortion, conversation hijacking, lateral phishing and account takeover.
Of the spear-phishing attacks it recorded during the period, BEC detections grew by 5% from the period December 2018-February 2019 to reach 12% of the total.
The largest number of attacks (50%) were simply labelled “phishing,” meaning they involved some form of brand impersonation.
However, “scamming” attacks comprised over a third (36%). These typically try to trick the recipient into sending money or handing over their financial details. Examples include tech support scams, or fake exhortations from charities or political organizations requesting funds to support various causes.
COVID-19 attacks have not grown much since March, when Barracuda claimed to have recorded a 667% spike. Between June and October this year they represented around 2% of all spear-phishing attacks, with scams (72%) comprising the vast majority, followed by regular phishing (18%), extortion (6%) and BEC (3%).
Interestingly, 13% of all spear-phishing attacks were said to come from internally compromised accounts during the August-October 2020 time period.
“These internal messages do not pass through email gateways, leaving organizations exposed to threats they may deliver. Messages that originate from these compromised accounts, especially if they are coming from a colleague, can potentially have a higher success rate compared to other attacks because people trust messages sent from someone they know,” the report explained.
“Organizations need to invest in protection against account takeover, by scanning messages sent internally within the organization and training users to recognize signs of a compromised account and email messages that come from compromised accounts.”