Email Phishing Trends In 2020
So far in 2020, we're seeing phishing attacks continue to increase at an alarming rate, while the success of these attacks grows in the corporate and enterprise space.
According to the statistics website Statista, more than 50% of all emails sent in 2019 were spam, many of which were unsolicited or phishing emails, or malware delivery vehicles. These numbers have grown by over 50% year after year and will continue to get worse as attackers leverage bigger data sets and use AI to automate attacks and generate more targeted email content.
Phishing emails can lead to compromised or stolen data that costs organizations hundreds of thousands to tens of millions of dollars annually. This ever-increasing volume of spam continues to overwhelm most IT organizations and businesses around the world, often taking a lot of valuable time away from your helpdesk teams.
After studying hundreds of spam and malicious emails, we found some common tactics used across many of them that can help you easily recognize bad emails.
Abusing Reputable Websites
One popular tactic we've seen is attackers sending emails that encourage users to "download" an attachment via a link to a Microsoft OneDrive, OneNote, SharePoint or Dropbox type site. Once you get to that destination, you're faced with a link that directs you to a malicious or replica site asking you to "sign in", when in fact it only steals the username and password you provide, or downloads a malicious file and infects your computer.
These types of emails usually get by most spam filters because the link points to one of these highly reputable sites, and there is no real danger until the user clicks and heads to the bad site.
The best defense is to be careful about whose attachments you open. If someone sends you an email with a link to "download" the attachment from the internet, ask them to attach it directly to the email instead.
Using Fake Attachments
Sometimes, to make things more convincing, we see attackers build on the previously mentioned tactic, sending users emails with what appears to be an attachment but is in fact a picture. When the user clicks on what looks like an attachment, they may be directed to one of the compromised locations mentioned above or a similar site.
The best defense for this is to pay attention to the attachment before you actually click it. If you're on a computer, you can hover your mouse over the attachment to see if it links to a website. If it does, don't trust it! Who would really go through the trouble of making a picture look like an attachment?
Using Newly Registered Sites
This trick helps attackers bypass some email security programs and services. In the previous examples, the attacker abused reputable sites, so the links themselves are not flagged as dangerous or suspicious. If a site is a known "bad" site, most modern email security tools will flag and block the emails containing links to it.
Alternatively, attackers sometimes decide to create a brand new site just for the sake of carrying out a phishing campaign, because only some of the higher-tier security tools flag these as "newly created domains." This caveat is the main reason many prefer abusing reputable sites instead.
Even though it is not the preferred method, just two years ago Webroot did a study and reported that nearly 1.5 million new phishing sites are created each month. Each month! Attackers may also use these sites to set up fake online stores that steal your credit card information or charge for products or services you will never receive.
The best defense for this is to pay attention to what's in the address bar when you visit a website. If you're unsure what a company's real website is, do a Google search for the company before you trust the link in the email, or give them a call to confirm.
Using Targeted Email Campaigns
Regardless of what method an attacker chooses to deliver the malicious link or payload to you, attackers often use data made available in data breaches to target individuals, build "profiles" on them, and deliver more targeted emails.
For example, Mary, who works in inside sales, may receive an email with a link telling her she can use it to download a quote or purchase order. Since dealing with purchase orders or invoices is the type of thing Mary does, she may inadvertently click the link, arrive at a destination she is familiar with, like a SharePoint site, and click on a link hosted there that's waiting to finish the attack.
The fact that the attacker knows Mary is in sales and would be likely to click on a link related to that job role shows that the email was very targeted. The best defense in this example would be to ask yourself two questions:
- Have I talked to Mary before and is this something she would send this way?
- Can she attach it to the email instead of putting it on some random website? Ask her!
Abusing Existing Trust
Another common tactic is to abuse trust you have already established with your existing contacts. For example, after an email account is compromised, attackers often use that account to blast all of its contacts with a malicious email similar to the one the account owner fell for.
The hope is that your contacts will receive the email from you, and because they know you and have dealt with you in the past, they may blindly act and fall for the phishing attack. This process is repeated over and over again and really has no end.
Again, ask yourself, have I talked to Mary before and is this something she would send this way?
Creating a False Sense of Urgency
One common tactic attackers like to use is creating a false sense of urgency. They often send emails that appear to be extremely urgent, frequently with requests you would normally stop and reconsider.
"Hey Bob, I'm stuck in a meeting and forgot to get the gifts for the client, can you buy two $100 gift cards and send me the barcodes. Need it immediately! Your CEO."
Again, always stop and ask yourself: is this really something this person would ask of me, of all people? If not, call or text them to confirm. Chances are, if they can send an email, they can reply with a quick text, especially if they're expecting action on your part.
Another thing you may want to do is consider whether there is a process in place for that particular type of request. It may be company policy that all requests for wiring funds, of any type and any amount, include a phone call between the two parties.
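The tactics described so far (download lures pointing at reputable file-sharing sites, pictures styled as attachments, newly registered domains, and urgent gift-card or wire requests) can be turned into simple detection rules that a mail filter or helpdesk triage script can run before a user ever sees the message. The following Python script is an added example, not code from this article or from any product mentioned in it. The four sample emails, the domain registration dates, the indicator names and the 30-day "new domain" threshold are all constructed for illustration; the registration-date table stands in for the WHOIS/RDAP lookup a real deployment would perform.

```python
"""Rule-based phishing indicator scorer (added example; all samples are constructed)."""
import re
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

# File-sharing hosts the article names as "reputable" destinations that phishers abuse.
SHARING_HOSTS = ("onedrive.live.com", "sharepoint.com", "onenote.com", "dropbox.com")
ATTACHMENT_NAME = re.compile(r"\.(pdf|docx?|xlsx?|zip)$", re.I)
LURE = re.compile(r"\b(download|view|open)\b.{0,40}\b(attachment|document|invoice|quote|purchase order)\b", re.I | re.S)
URGENCY = re.compile(r"\b(immediately|urgent|asap|right away|stuck in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|wire transfer|bitcoin)\b", re.I)
NEW_DOMAIN_DAYS = 30  # constructed threshold for "newly registered"

# Constructed stand-in for a registration-date feed; a real tool would query WHOIS/RDAP.
DOMAIN_CREATED = {
    "sharepoint.com": date(1999, 1, 1),                 # constructed placeholder: long-established
    "invoice-portal-secure.example": date(2020, 3, 2),  # constructed: registered days ago
}


class _LinkParser(HTMLParser):
    """Collects every <a> with its href, visible text, and any <img> it wraps."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = {"href": a.get("href", ""), "text": "", "img": None}
        elif tag == "img" and self._cur is not None:
            # A picture inside a link is the "fake attachment" pattern; keep its name.
            self._cur["img"] = a.get("alt") or a.get("src") or ""

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(self._cur)
            self._cur = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registered_domain(host):
    # Simplification: last two labels; a production tool would use the Public Suffix List.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_email(body_html, today=date(2020, 3, 10)):
    """Return the sorted list of phishing indicators found in one HTML email body."""
    parser = _LinkParser()
    parser.feed(body_html)
    text = re.sub(r"<[^>]+>", " ", body_html)  # crude tag strip for keyword checks
    findings = set()
    for link in parser.links:
        host = _host(link["href"])
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            if LURE.search(link["text"]) or LURE.search(text):
                findings.add("shared-drive download lure")
        if link["img"] is not None and ATTACHMENT_NAME.search(link["img"]):
            findings.add("image styled as an attachment")
        created = DOMAIN_CREATED.get(_registered_domain(host))
        if created is not None and (today - created).days < NEW_DOMAIN_DAYS:
            findings.add("newly registered domain")
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.add("urgent payment request")
    return sorted(findings)


# Constructed sample messages, one per tactic plus a benign control.
SAMPLES = {
    "sharepoint_lure": '<p>Hi Mary, please <a href="https://contoso.sharepoint.com/:b:/s/docs/quote.pdf">download the purchase order</a> for this week.</p>',
    "fake_attachment": '<p>See attached.</p><a href="https://invoice-portal-secure.example/login"><img src="cid:paperclip" alt="Invoice_4471.pdf"></a>',
    "gift_card": "<p>Hey Bob, I'm stuck in a meeting and forgot the client gifts. Can you buy two $100 gift cards and send me the barcodes? Need it immediately! Your CEO</p>",
    "benign": '<p>Hi team, the agenda for Thursday is on <a href="https://intranet.example.org/agenda">the wiki</a>. Thanks!</p>',
}


def triage_samples():
    """Score every constructed sample; returns {name: [indicators]}."""
    return {name: score_email(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in triage_samples().items():
        print(f"{name:16s} -> {findings or ['no indicators']}")
```

Each rule maps to one of the defender checks the article recommends: hovering over an "attachment" becomes the wrapped-image check, looking at the address bar becomes the registration-age check, and "would this person really ask me this?" becomes the urgency-plus-payment rule. Rules like these produce false positives on their own, so treat a hit as a reason to route the message for human review rather than as a verdict.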
Attempting to Extort You
Hackers sometimes try to take advantage of victims and their desire to protect their private information at all costs. Because of this, it is not uncommon to see spam emails in the form of threats or extortion, threatening to reveal some type of sexually explicit content of you to your personal friends and coworkers unless you make a bitcoin deposit of some amount.
From what we can tell, the sender usually doesn't have what they claim to have, though I'm sure there is an extremely small percentage of cases where they might, particularly at larger scale.
The unfortunate, realistic truth is that bringing an end to phishing attacks is not something we see happening in the foreseeable future. Therefore, your best hope is to have multiple layers of defense to make sure you don't become a victim because one technology failed.
In addition to some kind of email and spam protection, you may also want something that does web traffic analysis to block connections to malicious destinations while you browse the web. That way, if you 'accidentally' click that phishing link, it might detect the danger and block the website for you. If you look at one of these services, make sure it does SSL/TLS inspection, since nowadays even most bad sites show the trustworthy "secure" lock in the browser's address bar.
Antivirus software has always been a staple in web security, and will continue to be. While not as effective as it once was, the fact is that if both email security and web protection fail to block the bad site, antivirus may still step in if something malicious is downloaded to your PC.
Lastly, paying attention to email security trends will help you know what to look out for. To keep the upper hand and make sure you don't fall victim to one of these tactics, you will need to educate yourself and sharpen your security awareness.