92% of Organizations Hit by Credential Compromise from Social Engineering Attacks

More than nine in 10 (92%) organizations experienced an average of six credential compromises caused by email-based social engineering attacks in 2023, according to a new report by Barracuda.

Scamming and phishing continued to make up the vast majority (86%) of social engineering attacks last year.

There were some notable trends in how attackers are targeting users via social engineering techniques:

  • Conversation hijacking: This is where attackers compromise business accounts through phishing attacks, and then monitor the compromised account to understand business operations and to learn about deals in progress, payment procedures and other details. This information is leveraged to craft authentic-looking and convincing messages from the impersonated domains to trick victims into wiring money or updating payment information. Conversation hijacking made up only 0.5% of social engineering attacks in 2023, but this represents a nearly 70% rise compared to 2022.
  • Business email compromise (BEC): These attacks, in which the hacker typically impersonates an executive to trick employees into transferring money, often via gift cards and wire transfers, made up 10.6% of social engineering attacks last year, up from 8% in 2022.
  • Extortion: These attacks involve hackers threatening to expose sensitive or embarrassing content to their victims’ contacts unless a ransom is paid out. Extortion attacks made up 2.7% of the total social engineering attacks in 2023.
Social engineering attacks in 2023 by category. Source: Barracuda

Attackers Evolving Use of Legitimate Services

The Barracuda report highlighted the evolving use of legitimate services to target employees via these social engineering techniques.

Gmail was by far the most used email domain for social engineering attacks, making up 22% of attacks last year.

The next most commonly used free webmail services by hackers were Outlook (2%), Hotmail (1%), iCloud (1%) and Mail.com (1%). All other domains made up 73% of attacks.

Attacks that used Gmail were particularly skewed towards BEC, with more than 50% of Gmail attacks used for this purpose.

Scamming accounted for 43% of attacks using Gmail in 2023.

The researchers also found that cybercriminals are increasingly leveraging popular commercial URL shortening services to embed malicious links in phishing emails.

This tactic can help disguise the true nature and destination of the link, as shortened links often appear to come from legitimate-looking sites.

The most widely used URL shortening service last year was bit.ly, which was leveraged in nearly 40% of attacks that included a shortened URL.

The next most commonly used of these services was from X (formerly Twitter), used in 16% of attacks that included a shortened URL.

This marks a major change compared to previous research in 2020, when X’s shortening service was used in around two-thirds of these attacks (64%), and bit.ly in just 3%.

Another notable trend highlighted in the report was a significant rise in QR code phishing attacks in late 2023. Around 5% of mailboxes were targeted with QR code attacks in the last quarter of the year.

In these attacks, cybercriminals embed the QR codes in phishing emails, prompting users to scan the code and visit a fake page that appears to be a trusted service or application. These pages are typically designed to trick users into downloading malware or entering their login credentials.

The researchers noted that QR code attacks are difficult to detect using traditional email filtering methods as there is no embedded link or malicious attachment to scan.

QR codes sent via email also take victims away from corporate machines and force them to use a personal device, such as a phone or iPad, which isn’t protected by corporate security software.
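The two delivery tactics described above, shortened links and link-free QR code emails, can both be surfaced at mail-triage time. The following Python is an added example, not code from Barracuda or from this article: it flags links whose host is on an assumed shortener watchlist (bit.ly is named in the report; t.co is X's shortener) and marks messages that carry an image but no link at all as candidates for QR review. The function names, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumed watchlist: bit.ly is named in the report, t.co is X's shortener.
SHORTENERS = {"bit.ly", "t.co"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw):
    """Return (shortened_urls, qr_candidate) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    urls, has_image = set(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True
        elif ctype in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    # Match on the exact host so lookalikes such as bit.ly.example.net
    # are not treated as the shortener itself.
    short = sorted(u for u in urls
                   if (urlsplit(u).hostname or "").lower() in SHORTENERS)
    # Heuristic: an image with no link anywhere gives a URL filter nothing
    # to scan, so route the message to image/QR inspection instead.
    qr_candidate = has_image and not urls
    return short, qr_candidate

def build_sample(html, image=False):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Action required"
    m.set_content("See the HTML part.")
    m.add_alternative(html, subtype="html")
    if image:
        m.add_attachment(b"\x89PNG constructed bytes", maintype="image",
                         subtype="png", filename="code.png")
    return m.as_string()

SAMPLE_LINK = build_sample('<p><a href="https://bit.ly/abc123">View invoice</a>\n'
                           '<a href="https://www.example.com/help">Help</a></p>\n')
SAMPLE_QR = build_sample("<p>Scan the attached code to sign in.</p>\n", image=True)

if __name__ == "__main__":
    for name, raw in (("link", SAMPLE_LINK), ("qr", SAMPLE_QR)):
        print(name, triage(raw))
```

A flagged shortener link still has to be expanded and its destination checked, and a QR candidate still has to be decoded; this check only decides which messages get that extra inspection.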
