Mind your afternoon emails: it’s scammer time
Not only do scammers use spear-phishing attacks to target certain industries, but they do so at a specific time. Research shows that the days of sketchy attachments are gone; the age of shady links has come.
An analysis of over 2 million phishing emails by human layer security company Tessian shows that contrary to popular belief, scammers avoid marketing tactics.
Whereas advertisers use the 10 AM on Wednesday slot to bombard everyone’s email, most malicious emails are delivered between 2 PM and 6 PM, with very little fluctuation day-to-day, except for the weekend. The report claims that this is no accident.
Malicious actors bank on employees being stressed and tired, thus more likely to open a shady email or click an unsafe link.
After looking into millions of emails sent over 12 months from July 2020 to July 2021, researchers found that most phishing emails land at 2 PM when most employees are focused on afternoon coffee. The next peak in activity comes close to 6 PM, with scammers hoping that the last email of the day will not receive as much scrutiny as it should.
Unsurprisingly, October and November are months when scammers are most active, with the biggest spike observed just before the Black Friday sales.
While employees are told to beware of email attachments containing malware, the analysis shows that less than a quarter of phishing emails included any. In those cases, when scammers sent attachments, it was usually PDF, PNG, or JPG files.
The largest share, 44%, of malicious emails were designed to lure employees into clicking shady URLs. Interestingly, however, 12% of the emails analyzed contained neither attachments nor links. According to Tessian, this is a sign that scammers are innovating and exploring new attack vectors.
To evade detection, attackers usually rely on impersonation techniques. The most popular was name spoofing: in 19% of the analyzed emails, the sender's display name was changed to disguise the scammer as someone the victim might know.
Domain impersonation was the second most popular (11%) way to trick employees. Malicious actors set up an email address that looks legitimate, hoping subtle differences in domains will go unnoticed.
Microsoft, ADP, Amazon, Adobe, and Zoom were the most frequently impersonated brands. Some differences exist between industries, however. While legal and professional service businesses usually receive malicious emails disguised as something Microsoft would send, the tech industry is most often targeted with emails impersonating Codefresh.
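As an added illustration of the two impersonation techniques described above (example code written for this article, not Tessian's or the report's own tooling), the following heuristic flags display-name spoofing, look-alike domains, and a mismatched Reply-To. The contact list, the trusted-domain list, and the sample headers are constructed assumptions; the trusted domains are assumed for the brands the report names.

```python
from email.utils import parseaddr
from difflib import SequenceMatcher

# Constructed sample data: people the recipient knows (display name -> their real domain)
# and the domains of the brands the report lists as most impersonated (assumed domains).
KNOWN_CONTACTS = {"jane doe": "example.com"}
TRUSTED_DOMAINS = {"microsoft.com", "adp.com", "amazon.com", "adobe.com", "zoom.us"}

# Substitutions commonly used to build look-alike domains; undo them before comparing.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    d = domain.lower()
    for lookalike, real in HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None.

    Heuristic only: exact match after homoglyph normalization, a near-identical
    registered label, or a trusted brand name embedded in the label.
    """
    if domain in TRUSTED_DOMAINS:
        return None  # the genuine domain
    norm = normalize(domain)
    label = norm.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label = trusted.split(".")[0]
        if norm == trusted:  # e.g. micros0ft.com -> microsoft.com
            return trusted
        similar = SequenceMatcher(None, label, t_label).ratio() >= 0.8  # microsofts, microsft
        embedded = len(t_label) >= 5 and t_label in label  # e.g. amazon-support.com
        if similar or embedded:
            return trusted
    return None


def check_sender(from_header, reply_to=None):
    """Return a list of findings for one message's From (and optional Reply-To) header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:  # familiar name, unfamiliar mailbox
        findings.append("name_spoofing")
    target = lookalike_of(domain)
    if target:
        findings.append(f"domain_impersonation:{target}")
    if reply_to and parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower() != domain:
        findings.append("reply_to_mismatch")  # replies silently go elsewhere
    return findings
```

Findings are signals for an analyst or a mail-filter rule, not verdicts; a legitimate partner domain that happens to contain a brand name will need an allow-list entry.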
No industry is spared from scammers, yet some are more popular than others. Over the period analyzed, the retail industry was a clear favorite among malicious actors.
On average, a retail employee received 49 malicious emails, a lot more than runner-up manufacturing with 31 emails per employee. Tech employees received 14 emails, while public services were targeted the least with only six emails.
The report claims that bad actors do not care about the company size since they will take whatever they can. Targeting smaller businesses can be even more profitable as they generally have fewer resources to ensure adequate cyber security practices.
Moreover, a targeted attack against a small but vital link in a supply chain may allow attackers to infiltrate larger companies for various purposes, extortion among them.
What worries the researchers most is the growth of targeted phishing attacks, also known as spear-phishing attacks. According to Tessian, targeted attacks involve a great deal of preparation and background analysis.
Attackers first learn as much as they can through thorough OSINT research, relying on publicly available information, for example on social media.
This effort gives them the means to craft personalized messages that trick victims into wiring money or giving away company secrets. One example is a scammer creating a fake email chain with names and addresses the victim will trust.
“Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organizations’ last line of defense. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them,” Josh Yavor, Tessian’s Chief Information Security Officer, was quoted as saying in a press release.
Phishing attacks saw a staggering 34.4% increase in activity in 2020 compared to the previous year. In January and February 2020 alone, the proportion of phishing attacks rose 510%.
Throughout 2020, the top five targets for phishing attacks were eBay, Apple, Microsoft, Facebook, and Google – household names to users and therefore most likely to garner the attention of potential victims.
The European Union Agency for Cybersecurity (ENISA) reported that malicious business email compromises (BEC) cost businesses over €26 billion last year. The FBI said that complaints on BEC and other email compromises cost $1.8 billion in 2020.