Email-based social engineering attacks have risen by 464% this year compared to the first half of 2022, according to a report by Acronis. Business email compromise (BEC) attacks have also increased significantly.
“One out of 76, or 1.3%, of the received emails were malicious,” the researchers write. “Phishing remains the number one threat, with these attacks making up 73% of the total. However, the business email compromise (BEC)/social engineering category has increased by 7.5 times compared to the same period of time last year, and now takes second place, moving malware — which has dropped in percentage twice — into third.”
The report summarizes several phishing campaigns that have targeted users this year, including one that posed as the IRS in order to distribute the Emotet banking Trojan.
“We observed a new phishing campaign that targets U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with,” the researchers write. “This campaign spreads Emotet, a malware threat that was previously distributed via malicious macros embedded in Microsoft Word and Excel documents, but now is delivered primarily via Microsoft OneNote files. Tax forms are usually sent as PDF documents. If the victim clicks the ‘View’ button in the received OneNote file and continues, despite a system warning that the file might be malicious, a VBScript will be launched to download the Emotet DLL. The subsequently installed malware is capable of stealing emails and contacts, and downloading further payloads to the device.”
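
The delivery pattern described above (a OneNote file arriving where a PDF tax form would be expected) can be checked at the mail gateway by looking at attachment content rather than the declared name or type. The following Python is an added example, not code from the Acronis report or this article; the marker GUIDs come from the published OneNote file format (MS-ONESTORE), and the function names and sample message are constructed for illustration.

```python
import uuid
from email import message_from_bytes, policy
from email.message import EmailMessage

# Markers from the OneNote file format spec (MS-ONESTORE), stored little-endian:
# guidFileType of a .one section file, and guidHeader of an embedded file blob.
ONE_MAGIC = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
EMBEDDED_FILE = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le


def scan_message(raw: bytes) -> list:
    """Return one finding per attachment whose content is a OneNote section."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(ONE_MAGIC):
            continue  # not OneNote by content, whatever the name says
        name = part.get_filename() or "(unnamed)"
        findings.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            # Name does not admit to being OneNote: treat as disguised.
            "disguised": not name.lower().endswith(".one"),
            # Embedded files are what the 'View' lure launches.
            "embedded_files": data.count(EMBEDDED_FILE),
        })
    return findings


def build_sample() -> bytes:
    """Constructed message; the 'OneNote' bytes are inert markers only."""
    fake_one = ONE_MAGIC + b"\x00" * 64 + EMBEDDED_FILE + b"placeholder"
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "W-9 form"
    msg.set_content("Please review the attached W-9.")
    msg.add_attachment(fake_one, maintype="application", subtype="pdf",
                       filename="W-9_form.pdf")
    msg.add_attachment(b"%PDF-1.7\n", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A finding with `disguised` set or a non-zero `embedded_files` count is a reasonable trigger for quarantine and review, since legitimate tax forms rarely arrive as OneNote sections carrying attached files.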
Another campaign is impersonating the cryptocurrency wallet provider Trezor.
“A new phishing campaign has been targeting users of the cryptocurrency hardware wallet firm Trezor,” the researchers write. “The campaign starts with an SMS message to the Trezor user, warning that Trezor has suffered a data breach and urging them to visit a hyperlink to secure their devices. Upon clicking the link, the user will be directed to a fake version of the Trezor website, notifying them that their assets might be at risk and displaying a field where the user can enter their recovery seed to ‘secure’ them. Entering the recovery seed on this phishing page provides cybercriminals with full access to the victim’s wallet.”
New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart phishing and other social engineering attacks.
Acronis has the story.