Detections of multi-stage phishing attacks known as “hybrid vishing” grew by over 600% from Q1 to Q2 2022, as fraudsters sought new ways to circumvent traditional security controls, according to Agari.
The security vendor’s Quarterly Threat Trends & Intelligence Report for the period was produced with PhishLabs and based on analysis of hundreds of thousands of phishing and social media attacks on enterprises, employees and brands.
“Hybrid vishing threats are multi-stage attacks that differ from traditional vishing by first interacting with the victim via email,” the report explained. “The actor includes a mobile number within the body of the email as a lure, which is designed to trick the victim into calling and submitting sensitive information to a fake representative.”
Vishing (phone-based phishing) attacks comprised a quarter (25%) of the so-called “response-based” scams analyzed in the report. Other types in this category were 419 scams (54%), business email compromise (16%), and job scams (5%).
Together, these response-based attacks now represent two-fifths (41%) of email-borne threats, up 3.5% from the previous quarter and representing the highest share since 2020. Credential theft (55%) and malware delivery (5%) round out the other types of corporate email threats.
Interestingly, nearly three-quarters (73%) of BEC attacks in Q2 were launched using free webmail services, a 3% rise on Q1 figures. By contrast, those using spoofed or hijacked domains accounted for just a quarter (27%) of attack volume. Gmail (72%) was the most abused email service.
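The two signals the report singles out, a phone number planted in the email body as the only call to action and a sender on a free webmail service, lend themselves to a simple mail-filter heuristic. The following Python scorer is an added example written for this article; it is not code from Agari, PhishLabs or the report. The cue vocabulary, the webmail domain list, the weights and the flagging threshold are all assumptions to be tuned against your own mail, and the two sample messages are constructed here.

```python
import re
from dataclasses import dataclass, field

# Assumption: a partial list of consumer webmail domains; extend for your environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "aol.com", "icloud.com"}

# Loose North American phone pattern: 800-555-0199, (800) 555-0199, +1 800 555 0199.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed lure vocabulary of "call us to cancel / get a refund" pretexts.
CALL_CUES = ("call", "helpline", "support line", "cancel", "refund",
             "renew", "charged", "invoice", "subscription")


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 6  # assumption: threshold chosen for the sample weights


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", address)
    return m.group(1).lower() if m else ""


def score_email(sender: str, subject: str, body: str) -> Verdict:
    """Score one message for hybrid-vishing traits; higher means more suspicious."""
    v = Verdict(0)
    text = f"{subject}\n{body}".lower()
    phones = PHONE_RE.findall(body)
    links = URL_RE.findall(body)

    if phones:
        v.score += 3
        v.reasons.append(f"phone number(s) in body: {phones}")
        if not links:
            # A number with no link is the hybrid-vishing signature: the call IS the lure.
            v.score += 2
            v.reasons.append("phone number is the only call to action (no links)")

    cues = [c for c in CALL_CUES if c in text]
    if cues:
        v.score += min(len(cues), 3)
        v.reasons.append(f"call/cancel/refund cues: {cues}")

    if sender_domain(sender) in FREE_WEBMAIL_DOMAINS:
        v.score += 2
        v.reasons.append("sender uses a free webmail domain")
    return v


# Constructed sample messages (sender, subject, body); not real campaigns.
LURE = (
    "Billing <billing.desk.9921@gmail.com>",
    "Invoice: your antivirus subscription has been renewed",
    "Dear customer,\n"
    "Your annual subscription was renewed and $349.99 has been charged to your card.\n"
    "If you did not authorize this, call our support line at +1 (800) 555-0199 "
    "within 24 hours to cancel and receive a refund.\n",
)
BENIGN = (
    "IT Helpdesk <helpdesk@example.com>",
    "Reminder: laptop refresh survey",
    "Hi team,\n"
    "Please fill in the survey at https://intranet.example.com/survey by Friday.\n"
    "Questions? Reach me on 555-010-0123.\n"
    "Thanks, IT Helpdesk\n",
)

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN)):
        verdict = score_email(*msg)
        print(f"{label}: score={verdict.score} suspicious={verdict.suspicious}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

A phone number on its own is a weak signal, since signatures carry them routinely; the benign sample above still scores 3 for that reason but is not flagged because it carries a link and none of the pressure vocabulary. The score becomes decisive only when the number is the sole call to action, the text pushes the reader to call about a charge or cancellation, and the sender is on a free webmail domain, which is the combination the report describes.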
This would seem to suggest that simpler tactics still work, despite a great deal more user awareness around BEC than a year ago.
This chimes somewhat with data from Kaspersky in February which revealed a surge in detections of commodity “BEC-as-a-service” campaigns leveraging free email accounts and using vague payment requests.
The bottom line for organizations is that social engineering still represents one of their biggest security risks – one that will require continuous changes to awareness-raising programs and technical controls.