A Barracuda report reveals that 92% of organizations faced an average of six credential compromises due to email-based social engineering attacks in 2023. The majority of these attacks were scams and phishing, accounting for 86% of incidents. There was also a notable rise in conversation hijacking, where attackers compromise business accounts to monitor and craft authentic-looking messages, as well as an increase in business email compromise (BEC) attacks, which jumped from 8% in 2022 to 10.6% in 2023.
The report highlights that Gmail was the most commonly used domain for these attacks, involved in 22% of the incidents. Attackers also utilized other free webmail services like Outlook, Hotmail, iCloud, and Mail.com. A significant tactic used was embedding malicious links through URL shortening services, with bit.ly being the most widely used, featuring in nearly 40% of attacks with shortened URLs. The use of these services helps disguise the malicious nature of the links, making it harder for users to detect the threat.
QR code phishing attacks saw a notable rise in late 2023, targeting around 5% of mailboxes in the last quarter. Cybercriminals embed QR codes in phishing emails, directing users to fake pages designed to steal credentials or deliver malware. These attacks are challenging to detect using traditional email filtering methods because they lack embedded links or malicious attachments. Additionally, QR codes often lead users to access these fake pages via personal devices, which may not be protected by corporate security measures.
The evolving tactics of social engineering attacks underscore the need for enhanced cybersecurity measures and user awareness. Organizations must stay vigilant against these threats by implementing robust security protocols and educating employees about the latest phishing and social engineering techniques. The rise in sophisticated attack methods, such as the use of legitimate services and QR codes, highlights the importance of continuous monitoring and adaptation to emerging cyber threats.
