26 Jun Latest Attack Technique Trends
The rise of social engineering threats in email: an analysis of the latest trends and attack techniques
Email-based social engineering threats are currently thriving as attackers continue to adapt and evolve their tactics to increase their chances of success.
The latest analysis of email detection data conducted by Barracuda researchers reveals that although the landscape is still dominated by mass phishing and general scamming attacks, there is a growing number of more targeted and potentially more damaging threats such as business email compromise (BEC) and conversation hijacking.
The researchers analyzed 69 million email attacks across 4.5 million mailboxes over a year. The results are summarized in the new “Email Threats and Trends Report vol. 1,” which shows that attackers are leveraging the capabilities of generative AI to scale and tailor their attacks and are implementing QR codes, link shortening, and webmail to disguise their true nature and intent.
Among other things, the report shows that:
- BEC attacks accounted for 10.6%, or more than 1 in 10, of social engineering attacks in 2023, with these numbers showing a steady increase over time. BEC attacks accounted for 8% of attacks in 2022 and 9% in 2021.
- Conversation hijacking made up 0.5% of social engineering attacks last year, an increase of nearly 70% compared to 0.3% in 2022. Conversation hijacking attacks require a lot of effort to execute, but the payouts can be significant.
- Phishing accounted for one-third (35.5%) of social engineering attacks last year. These generally untargeted, mass attacks try to trick victims into clicking on a phishing link. Phishing emails have been used by attackers for years and remain worryingly successful. The “Data Breach Investigation Report, 2024” found that it took on average less than 60 seconds for someone to fall for a phishing scam.
- Around 1 in 20 mailboxes were targeted with QR code attacks in the last quarter of 2023. QR code attacks are difficult to detect using traditional email filtering methods. They also take victims away from corporate machines and force them to use a personal device, such as a phone or iPad, which isn’t protected by corporate security software.
- Gmail was the most popular free webmail service used for social engineering. In 2023, Gmail accounted for 22% of the domains used for social engineering attacks, according to Barracuda’s data. Just over half of the detected Gmail attacks were used for BEC attacks.
- Bit.ly was used in nearly 40% of social engineering attacks that included a shortened URL. URL shorteners condense the link, so the actual link of the site becomes obscured with random letters or numbers. Using this tactic can disguise the true nature and destination of the link.
- People are vulnerable targets for social engineering. Last year, just over two-thirds (68%) of data breaches involved a “non-malicious” human element — in other words, an ordinary employee just trying to get on with their job who was caught unawares.
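Several of the indicators listed above (free webmail sender domains, shortened URLs, BEC-style impersonation) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from Barracuda or from the report, showing how a triage function might surface those indicators for a single message. The webmail and shortener domain lists, the `acme.example` organization, and the sample message are all constructed for illustration; a real deployment would maintain its own lists and feed the output into a scoring or quarantine decision rather than treating any single indicator as conclusive.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lists for illustration only; production systems maintain their own.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URL_SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def extract_urls(body):
    """Find http(s) URLs in a plain-text body."""
    return URL_RE.findall(body)


def triage_message(raw_message, internal_domain):
    """Return the social-engineering indicators found in one RFC 5322 message.

    internal_domain is the organization's own mail domain (assumed value).
    Indicators are descriptive labels; no indicator alone proves malice.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    sender_domain = _domain_of(from_addr)
    reply_domain = _domain_of(reply_addr)

    payload = msg.get_payload(decode=True)
    if isinstance(payload, bytes):
        body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    else:
        body = str(payload)

    urls = extract_urls(body)
    shortened = [
        u for u in urls
        if (urlparse(u).hostname or "").lower() in URL_SHORTENER_DOMAINS
    ]

    indicators = []
    # Free webmail accounts are easy to create and were the most common
    # sender domains for social engineering in the report's data.
    if sender_domain in FREE_WEBMAIL_DOMAINS:
        indicators.append("free_webmail_sender")
    # A Reply-To pointing somewhere other than the From domain redirects the
    # conversation to an attacker-controlled mailbox (a common BEC pattern).
    if reply_domain and reply_domain != sender_domain:
        indicators.append("reply_to_mismatch")
    # Display name carries the organization's name but the address is external:
    # the classic "CEO writing from a personal account" impersonation.
    org_name = internal_domain.split(".")[0].lower()
    if org_name in display_name.lower() and sender_domain != internal_domain:
        indicators.append("display_name_impersonation")
    # Shortened URLs hide the real destination behind an opaque token.
    if shortened:
        indicators.append("shortened_url")

    return {
        "sender_domain": sender_domain,
        "indicators": indicators,
        "urls": urls,
        "shortened_urls": shortened,
    }


# Constructed sample message (not a real attack) exercising several indicators.
SAMPLE_BEC = """\
From: "Acme Corp CEO" <acme.ceo.office@gmail.com>
To: finance@acme.example
Reply-To: payments-desk@outlook.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today.
Approve here: https://bit.ly/3xyzAbC
Our portal: https://portal.acme.example/login
"""

# Constructed benign internal message for comparison.
SAMPLE_BENIGN = """\
From: "Finance Team" <finance@acme.example>
To: staff@acme.example
Subject: Expense policy update
Content-Type: text/plain; charset=utf-8

The updated policy is at https://intranet.acme.example/policy
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("benign", SAMPLE_BENIGN)):
        print(label, triage_message(sample, "acme.example"))
```

The function deliberately returns labelled indicators rather than a verdict: the report's own numbers show these techniques appear in a minority of all mail, so a gateway should combine them with sender reputation, authentication results (SPF, DKIM, DMARC) and user-reported context before quarantining.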
Social engineering attacks, from BEC and conversation hijacking to extortion, phishing, scams, and spam, must be taken seriously and either blocked at the entry point or quickly contained, neutralized, and eliminated if they manage to get through.