New Report Shows Social Engineering and Business Email Compromise Attacks Have Drastically Increased in 2023

Email-based social engineering attacks have risen by 464% this year compared to the first half of 2022, according to a report by Acronis. Business email compromise (BEC) attacks have also increased significantly.

“One out of 76, or 1.3%, of the received emails were malicious,” the researchers write. “Phishing remains the number one threat, with these attacks making up 73% of the total. However, the business email compromise (BEC)/social engineering category has increased by 7.5 times compared to the same period of time last year, and now takes second place, moving malware — which has dropped in percentage twice — into third.”

The report summarizes several phishing campaigns that have targeted users this year, including one that posed as the IRS in order to distribute the Emotet banking Trojan.

“We observed a new phishing campaign that targets U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with,” the researchers write. “This campaign spreads Emotet, a malware threat that was previously distributed via malicious macros embedded in Microsoft Word and Excel documents, but now is delivered primarily via Microsoft OneNote files. Tax forms are usually sent as PDF documents. If the victim clicks the ‘View’ button in the received OneNote file and continues, despite a system warning that the file might be malicious, a VBScript will be launched to download the Emotet DLL. The subsequently installed malware is capable of stealing emails and contacts, and downloading further payloads to the device.”

Another campaign is impersonating the cryptocurrency wallet provider Trezor.

“A new phishing campaign has been targeting users of the cryptocurrency hardware wallet firm Trezor,” the researchers write. “The campaign starts with an SMS message to the Trezor user, warning that Trezor has suffered a data breach and urging them to visit a hyperlink to secure their devices. Upon clicking the link, the user will be directed to a fake version of the Trezor website, notifying them that their assets might be at risk and displaying a field for the user to enter their recovery seed to ‘secure’ them. Entering the recovery seed on this phishing page provides cybercriminals with full access to the victim’s wallet.”

New-school security awareness training can give your organization an essential layer of defense by enabling your employees to thwart phishing and other social engineering attacks.

Acronis has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
