99% of phishing emails that reached inboxes last year did not contain malware, according to a new report from Fortra.
Attackers were much more successful using malicious links or purely response-based social engineering.
Fortra explains, “Anti-malware scanning, sandboxing, and other pre-delivery security processes are increasingly common and make it more difficult for emails containing malware payloads to reach user inboxes. However, these methods are ineffective for detecting social engineering and credential theft attacks, which lack payloads.”
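Because pre-delivery scanners inspect payloads, a complementary check has to look at what a payload-less message still carries: its headers and links. The following is an added example, not code from the Fortra report or from KnowBe4, that scores a parsed message on sender/reply-to domain consistency, display-name impersonation, anchor-text-versus-href mismatch and urgency wording. The two sample messages, the domains, the signal weights and the threshold are all constructed for the demo; a production version would at least use a public-suffix list for the registrable-domain logic.

```python
"""Heuristic triage for payload-less phishing (link-based or reply-based).

Added example; not code from the Fortra report or from KnowBe4. Sample
messages, domains, weights and the threshold are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|within 24 hours|wire transfer|gift cards?)\b", re.I)

# Weight per signal (assumed demo values, not taken from the report).
WEIGHTS = {
    "display_name_domain_mismatch": 2,
    "reply_to_domain_mismatch": 2,
    "link_text_domain_mismatch": 3,
    "urgency_language": 1,
}
THRESHOLD = 3


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); real code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(field: str) -> str:
    """Domain part of the first address in a header value, or '' if none."""
    _, addr = parseaddr(field or "")
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def has_attachment(msg) -> bool:
    """True if any MIME part is an attachment (the thing payload scanners inspect)."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def link_text_mismatches(html: str):
    """(visible domain, real href host) pairs where the anchor text names a different domain than its href."""
    out = []
    for href, text in ANCHOR_RE.findall(html):
        real = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and real and registrable(shown.group(0)) != registrable(real):
            out.append((shown.group(0), real))
    return out


def score_message(raw: str) -> dict:
    """Parse one RFC 5322 message and return its signals, score and verdict."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []
    from_header = msg.get("From", "")
    from_domain = addr_domain(from_header)
    display_name, _ = parseaddr(from_header)
    # Display name claims a domain that is not the envelope sender's domain.
    claimed = DOMAIN_RE.search(display_name)
    if claimed and from_domain and registrable(claimed.group(0)) != registrable(from_domain):
        signals.append("display_name_domain_mismatch")
    # Reply-To steers responses to a different domain (response-based phishing).
    reply_domain = addr_domain(msg.get("Reply-To", ""))
    if reply_domain and from_domain and registrable(reply_domain) != registrable(from_domain):
        signals.append("reply_to_domain_mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    # Visible link text names one domain, the href goes to another (link-based phishing).
    if body is not None and body.get_content_type() == "text/html" and link_text_mismatches(text):
        signals.append("link_text_domain_mismatch")
    if URGENCY_RE.search(re.sub(r"<[^>]+>", " ", text)):
        signals.append("urgency_language")
    score = sum(WEIGHTS[s] for s in signals)
    return {
        "signals": signals,
        "score": score,
        "has_attachment": has_attachment(msg),
        "verdict": "suspicious" if score >= THRESHOLD else "ok",
    }


# Constructed sample messages (placeholder domains).
PHISH = """\
From: "example.com Payroll" <payroll@mail.example.net>
Reply-To: updates@example.org
To: staff@example.com
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset="utf-8"

<p>Your direct deposit details must be confirmed urgently.</p>
<p><a href="http://login.example.org/confirm">https://portal.example.com/payroll</a></p>
"""

BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Still on for noon at the usual place?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The phishing sample carries no attachment, so a payload scanner has nothing to flag; the scorer instead trips on all four header and link signals. Treat the output as a triage hint to route a message for review, not as a blocking verdict, since each heuristic alone has benign causes (mailing lists legitimately rewrite Reply-To, for instance).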
The researchers also observed an increase in phishing messages that contained personal information about the targeted individual, making the attack much more persuasive.
“Fortra observed a growing trend of phishing attacks that incorporate personal information about the targeted user,” the report says. “In these attacks, personal information pulled from public sources or leaked data is used to lend credibility to the scam. One example of this tactic is using a victim’s leaked home address from a data breach to include images of their home, sourced from services like Google Street View. This is done to create a sense of fear and make the scam feel more convincing, rather than relying on a generic email.”
Fortra predicts that attackers will continue to improve these types of personalized phishing attacks, especially as AI tools help streamline the process.
“The volume of personal information available on open sources and the dark web is immense, with more than 1 billion records breached in 2024 alone,” the researchers write. “Cybercriminal data brokers aggregate and organize stolen data into bulk packages to anyone willing to pay the price. Email addresses are associated with a wide range of stolen information such as government identification numbers, employers, and service providers.
Fortra expects cybercriminals to use this data to personalize attacks even further, utilizing information about individuals, their families, their co-workers, etc. Cybercriminals who specialize in whaling will use the data to profile high value victims and find weaknesses to exploit. Email threats of all kinds will become more personalized, making them harder to ignore and more convincing.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Fortra has the story.