Trends in phishing attacks on organizations in 2022–2023

Phishing is one of the main tools attackers use to gain unauthorized entry into organizations. In 2023, almost half (43%) of all successful attacks on organizations used social engineering, with 79% of these attacks carried out through email, SMS messages, social networks, and messaging apps. This indicates the effectiveness of phishing attacks, which not only entail reputational risks but can also cause significant financial damage.

This study is dedicated to the analysis of phishing messages worldwide, focusing exclusively on phishing attacks on organizations conducted through email, SMS messages, social networks, and messaging apps.

Summary

  • The primary goal of phishing attacks is data theft, accounting for 85% of incidents.
  • The top 3 most attacked industries using social engineering from Q3 2022 to Q3 2023 (inclusive) were government agencies (44%), military-industrial enterprises (19%), and organizations in the field of science and education (14%).
  • In phishing messages, attackers most often impersonate contractors (26%), technical support or IT specialists (15%), and government agencies (13%).
  • Email remains the most common channel for sending malicious messages (92% of cases). However, the popularity of messaging apps and social networks as channels for phishing attacks is increasing.
  • To deliver malicious payloads in attachments, archives (zip, 7z, rar, and so on) are most frequently used (37%), followed by text documents (such as doc, .odt, and .one) (30%).
  • Phishing links often lead to fake pages for data entry (50% of cases).
  • The widespread use of phishing kits and the phishing-as-a-service business model makes preparing and executing attacks much simpler.
  • Phishing is currently mainly evolving through the automation of attack preparation and execution using AI tools.

Goals of phishing attacks

The main objectives of phishing attacks are data theft (85%) and financial gain (26%). An example of a well-thought-out data theft attack is the incident involving the American hospitality and entertainment company MGM Resorts International in Q3 2023. This multistage campaign started with a hotel reservation; the attackers then sent an email in response to the booking confirmation. Subsequent emails were designed to evoke sympathy and a sense of urgency. Having established a rapport with the victim, the attackers typically send a malicious URL, supposedly containing important documents, which, when downloaded and opened, launch the malware. It infiltrates the victim's system and extracts confidential data. Stolen data can be monetized or used in subsequent attacks; in the example above, the criminals used the stolen hotel profiles to target their clients.

Attack goals (percentage of incidents)
Figure 1. Attack goals (percentage of incidents)

One place used for selling stolen confidential data is the darknet. In our research into shadow market activity concerning the Gulf countries, we found a high degree of interest in sensitive information such as personal data, employee and customer credentials, and more. These types of information are in demand in other countries as well.

Information can also be stolen for the purpose of spying on an organization or country. In such cases, attackers often try to remain unnoticed in the victim's network for as long as possible to accumulate plenty of data. Or they grab the maximum amount of information and get out as quickly as possible. For instance, in June 2023, a phishing campaign by the Red Wolf group targeted Russian industrial organizations. This group focuses on corporate espionage and prefers to move slowly through compromised infrastructure, sometimes remaining undetected for up to six months. Despite using common techniques, this APT group manages to evade security tools and achieve its objectives.

Attackers can make direct financial gains from phishing attacks using several methods. For example, the APT group OPERA1ER gains initial access through phishing emails with familiar subjects such as invoices and mail delivery notifications. These emails contain attachments that deliver malware. The attackers target employees who handle significant sums of money, and after successfully stealing credentials, conduct multistage transfers of funds to accounts under their control. Meanwhile, cash is often withdrawn on holidays or weekends to minimize the chances of swift detection. This group operates within victims' networks for three to twelve months, sometimes targeting the same company twice. Such attacks require not only knowledge of the victim organization's internal processes but also the ability to penetrate the network and remain there undetected.

Increasingly, attackers have been using the technique of "double extortion", a trend that we highlighted in our study of current cyberthreats for Q2 2023. Double extortion involves combining encryption and extortion by threatening to publish stolen data. For example, in mid-September 2023, Caesars Entertainment, one of the largest companies in the hospitality and entertainment industry, suffered serious financial losses due to a cyberattack using social engineering. The ransom for the stolen data alone amounted to $15 million USD, and the company agreed to pay it to prevent the publication of the stolen customer database. This trend is driven by criminals' desire to maximize gains from their attacks. After all, if the compromised organization can restore its systems from backups, it is much less likely to pay a ransom. Since attackers cannot know in advance whether the victim can recover data, it's in their interest to steal the data in addition to encrypting it. This trend may also be influenced by a decrease in the effectiveness of ransomware due to the release of various decryptors by security specialists. For example, White Phoenix can recover files that were encrypted using "intermittent encryption" (A partial encryption technique in which the ransomware encrypts only part of the target files, making the encryption process much faster.).

On a separate note, there has been a rise in hacktivism in recent years due to heightened geopolitical tensions. The primary goal of hacktivism is to harm the victim in any way possible. Such attacks are usually driven by political, ideological, or personal motives rather than financial gain. For example, in December 2023, 70% of Iran's gas stations were crippled in a cyberattack. Israeli media attributed the attack to the hacking group Gonjeshke Darande (Predatory Sparrow), which is supposedly associated with Israel. The attackers published screenshots of the gas station systems, and also indicated what they had gained access to:

  • Information about gas station systems
  • Payment system details
  • The central server system controlling each station

In light of the escalation of the Arab-Israeli conflict, Check Point Research found that the Gonjeshke Darande group uses phishing, among other penetration tools, to deliver malware.

Phishing distribution methods

The majority of phishing attacks are carried out through email (92%), but criminals can adapt to the particularities of the target company and employ alternative methods for delivering their malicious messages. Phishing attacks can come from various sources, which means that companies need to use security tools and educate employees on cyberhygiene. Only a comprehensive approach to defense can ensure a reliable level of security.

Distribution channels (percentage of incidents)
Figure 2. Distribution channels (percentage of incidents)

With the development of technology and the widespread adoption of remote work, organizations increasingly conduct corporate communication through messaging apps, social networks, or SMS messages. In February 2023, criminals targeted several Coinbase (A cryptocurrency exchange platform) engineers by sending SMS alerts, urging them to log in to their company accounts to read an important message. One employee fell for this trick and entered data into a phishing website. In the next stage, the attacker attempted to access Coinbase's internal systems using the stolen credentials but was unsuccessful due to multi-factor authentication (MFA). However, the criminal persisted by personally calling the victim, posing as a member of Coinbase's IT department, and requesting a series of compromising actions. A common attack scenario involves impersonating a company executive or employee through various communication channels other than email. To create a fake profile for sending malicious messages, an attacker only needs to have the name and photo of someone working in the target organization. In December 2023, a Russian IT company was attacked when an account supposedly belonging to the CEO was created on Telegram and used to send personal messages to employees. To counter the cyberthreat, the fake profile was promptly blocked, but the attackers quickly created new fake profiles and launched a second wave of attacks. In such situations, timely notification of employees about threats helps to minimize the risks.

To reduce the risk of falling victim to phishing through messaging apps, social networks, or SMS messages, education about these channels should be included in employee cybersecurity training; the standard recommendations for protecting oneself against email attacks will not cover these other communication methods. For example, many messaging apps and social networks limit the ability to easily preview hyperlinks or attachments to verify their legitimacy.

An unusual method of delivering phishing messages was used in an incident involving a job center in France. The first stage began when the target company posted a legitimate job vacancy announcement on a recruitment agency's website. The attackers sent back a PDF resume file that contained a malicious link. Acting as an intermediary between the "job seeker" and the potential employer, the recruitment agency generated an email on behalf of the supposedly unemployed individual and delivered it to the company that posted the vacancy. Clicking on the link took employees to a phishing site that resembled the agency's real website, prompting them to enter corporate credentials. This convoluted delivery chain and the use of a trusted sender (the recruitment agency) made it almost impossible to detect the attack in the early stages.

Attackers are continually modifying their phishing attack techniques, complicating defense efforts and necessitating a comprehensive approach. For example, the number of phishing scams carried out through legitimate services and resources is increasing: via Google Forms or Yandex Forms, or by injecting scripts into vulnerable WordPress or Bitrix-based websites. Additionally, despite various governmental efforts to combat phishing resources, this task is made significantly more challenging by the Content Delivery Network (CDN) services that allow attackers to conceal the real host, specialized providers offering so-called Bulletproof hosting, and other factors. Finally, phishing often involves the use of one-time links and more focused targeting of victims, preventing the collection of evidence necessary to swiftly block malicious resources.

Phishing attacks by industry

More than half (56%) of the phishing attacks examined in this study were targeted at a specific organization, industry, or country. Most often, attackers target government agencies (44% of incidents with industry-specific targeting) and military enterprises (19%). Rounding out the top 3 primary targets of phishing attacks are organizations in the field of science and education (14%).

Top 10 attack victims by industry in all countries, in Europe, in Asia (percentage of incidents)
Figure 3. Top 10 attack victims by industry in all countries, in Europe, in Asia (percentage of incidents)

Attacks on government agencies

Due to the complex geopolitical situation worldwide, phishing attacks on government organizations are occurring more frequently than in other industries. To add to the problem, government agencies are increasingly providing electronic services to citizens, and the level of digitization is rising annually. In Russia alone, government agencies use no fewer than 355 federal and over 2,000 regional information systems, and the main target indicators of digital transformation, as stipulated in Presidential Decree No. 474, were exceeded by the end of 2022. Countries in Asia and Europe have also chosen the path of widespread data digitization. The European Union's "Digital Decade" policy agenda includes the goal of having 100% of key government services and healthcare records online. In March 2023, China announced the creation of a national data bureau as part of its efforts to coordinate the country's data resources and realize the vision of a "digital China." Attackers are hungry for information processed in such services, particularly the personal data of citizens and other information of national importance.

Despite the burgeoning digital economy, the level of digitalization of public services in Asia is lower than in Europe. Political divisions and contrasts in democratic and economic progress remain barriers to the digital government transformation. That is why the percentage of attacks on government agencies in Europe is higher (83%) than in Asia (66%). Another factor is the tense geopolitical situation in Europe, which makes government secrets an attractive target. In April 2023, Mustang Panda and RedDelta (RedDelta and Mustang Panda somewhat overlap with each other and in some cases are used to describe the same group.) targeted European countries in attacks using documents baited with current news items (A document with the priorities of the Swedish presidency in the Council of the European Union, an invitation to a diplomatic conference from the Ministry of Foreign Affairs of Hungary, an article about two Chinese human rights lawyers, and a letter from the Embassy of Serbia.). Due to heightened attention to international politics, attackers are successfully exploiting such topics in phishing emails. For example, in December 2023, in the APT group Cloud Atlas's campaign against a Russian state-owned research company, the criminals posed as the "Association of Educational Centers" and used as bait the hot topic of changes in legislation regarding military registration and calling up of citizens in reserve.

The consequences of cyberattacks on government agencies harm not only the target institution but also ordinary citizens. For example, on October 12, 2023, due to a security incident, court information systems in the state of Kansas, U.S. were shut down. On October 16, the state's Supreme Court issued an administrative order, confirming that the appellate clerks and those of most district courts were disconnected from the network and unable to receive electronic documents or payments, and all documentation had to be filed on paper or via fax. As a result of these problems, users were left without access to:

  • Court electronic registration systems
  • Protection order portal
  • Portal for searching for case information
  • Appellate case inquiry system
  • Attorney registration system
  • Online marriage application service
  • Payment center
  • Judicial administration management
  • Kansas eCourt case management system

The systems taken offline due to the cyberattack on October 12 were gradually restored only on January 2, 2024, but the courts are still hard at work updating all of the information since the incident. This incident discredits the government agency and reduces public confidence in state authorities.

Attacks on military-industrial institutions

The second most popular industry affected by phishing campaigns (19% of incidents) was the defense industry, one of the most important sectors of the government economy. To successfully carry out attacks on these organizations, attackers are willing to implement highly complex scenarios and expend significant resources. Although a considerable initial investment, the data obtained during such campaigns brings a high return, covering all the implementation costs, and the damage resulting from information compromise in such cases is incalculably high.

Espionage campaigns are usually conducted by APT groups, which may not always attack the target company directly but infiltrate through less protected contractors. For example, since at least 2019, the Winnti APT group has been operating in Russia, employing sophisticated attack methods including phishing and supply chain attacks. In July of that year, we noticed this group targeting new types of victims, including organizations within the military-industrial complex. Over the years, the group's tactics have remained largely unchanged, but they have managed to expand the geographical scope of their attacks and the range of their interests, indicating the effectiveness of their chosen phishing tactics.

According to our data, these phishing attacks on Russian military enterprises involved the introduction of the MataDoor backdoor with a complex architecture. Maxim Andreev, a senior specialist of cyberthreat research at Positive Technologies, emphasizes: "Analysis of the code shows that serious resources were invested in the development of this tool. It's a well-crafted piece of malware, customized in terms of transport, stealth, and architecture. It can operate even in logically isolated networks, pulling and transmitting data from anywhere." The attack scenario was meticulously planned. For example, in the bait document, the attackers used a low-contrast font; in order to read the document text, the recipient was forced to activate editing mode in order to change it. And that's how malware was downloaded into the victim's device.

Military-industrial organizations worldwide are susceptible to phishing attacks. In an incident in Southeast Asia, the security of certain government and military agencies was compromised. The Saaiwc Group used well-crafted fake documents, supposedly from the Philippine army or the Ministry of Economy and Finance of Cambodia. Due to the nature of this industry, the bait worked, tricking employees into believing the phishing mail was legitimate.

Bait document: notification of training on the performance management of the Philippine army
Figure 4. Bait document: notification of training on the performance management of the Philippine army

Attacks on scientific and educational centers

Another important function of the state is the development of science and education. For example, in Russia, 70.1 billion rubles were allocated for the implementation of the state program Digital Educational Environment prior to 2024. The adoption of distance learning significantly increases the accessibility of education but also provides cybercriminals with greater opportunities for cyberattacks. Insufficient cybersecurity funding and the inability to maintain a full security team help attackers achieve their goals more quickly. Engaged in scientific research, innovation, and educational activities, we have identified two main motives of attackers: cyberespionage to obtain exclusive information, and financial gain. For instance, the APT group Transparent Tribe, which previously primarily targeted Indian military and government officials, has recently expanded its scope to include educational institutions on the Indian subcontinent. This campaign may be consistent with the goals of cybercriminals operating on behalf of the government to gain long-term access to the infrastructure of leading academic institutions affiliated with the Indian government and to carry out cyberespionage campaigns. The attack begins with a malicious document delivered as an attachment or link in spear phishing emails; as a result, the APT group establishes long-term access to the victims' networks using the CrimsonRAT malware.

In the first quarter of 2023, we already observed an increase in ransomware activity targeting scientific and educational institutions: a significant portion of attacks (19%) were directed towards this sector, with the most common consequences of successful cyberattacks being leaks of confidential information (51%) and disruption of core activities (44%). For phishing messages in such incidents, attackers often choose messages with current news topics or pose as contractors. Organizations must exercise caution in dealing with highly motivated adversaries who rapidly evolve their strategies and expand their target networks. Building protection based on risk analysis can yield the best results. However, this analysis should always be accompanied by a good incident response plan that has been tested and is regularly reviewed and refined after each attack.

Monitoring the results of research conducted in adversary countries is a strategic goal adopted by many APT groups observed worldwide. In our opinion, there will still be frequent attacks on educational and scientific organizations until information security reaches the required level of maturity.

What are the dangers of phishing messages?

Depending on the attackers' goals, phishing messages trick victims into performing one of two actions: entering corporate credentials or downloading a malicious file onto the work device. To achieve this, attackers send employees either malware or fake data input forms. In rare cases, a phishing email may not contain either of the above nor carry any malicious payload, instead forming just the first part of a multistage campaign.

Types of malicious load (percentage of incidents)
Figure 5. Types of malicious load (percentage of incidents)

Types of distributed malware

Concealing malware is done by loaders (Programs responsible for loading executable files and running malware). Often, after contact with a malicious resource, first a loader is installed on the device, followed by the targeted malware. This sequence is necessary to evade security measures and analyze the employee's device to detect and bypass sandboxes. The main type of targeted software, used in 35% of incidents, is Remote Administration Tools (RAT) (Malware for remote control).

Types of malware (percentage of incidents)
Figure 6. Types of malware (percentage of incidents)

These types of programs have a wide range of functions: data input/output, monitoring user actions, changing system parameters, and more. It is precisely because of this versatility that attackers use them the most.

By the term "dual-purpose software," we mean legitimate software that has been used by attackers as targeted malware. Typically, such programs include remote desktop applications, such as AnyDesk and TeamViewer. These tools are functionally similar to RATs but they are legal, so security systems don't detect them—which makes them attractive to attackers.

Phishing messages with attached files

To deliver malicious payloads and fake data input forms, attackers use attachments, links, and QR codes. Attachments remain the preferred choice of criminals (56% of incidents). They are used for both delivering malware and stealing credentials.

Types of payload (percentage of incidents)
Figure 7. Types of payload (percentage of incidents)

For delivering malicious payloads, archives (zip, 7z, rar, and so on) are most often used (37%), because not all security systems can thoroughly check their contents, making it easier to hide a malicious file disguised as a document or image; plus, employees are more likely to be familiar with archive file formats.

Types of attachments (percentage of messages)
Figure 8. Types of attachments (percentage of messages)

Static web pages are used in phishing emails more often than PDF documents. This can be explained by the popularity of attacks using HTML smuggling, which hides malicious code and links from detection tools. HTML smuggling allows the attacker to sneak encoded malicious script into a specially created HTML attachment or web page. When the target user opens the HTML file on their device, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. This way, malware is created locally behind the firewall, and there is no need to transfer the executable file via the network.

For example, in July 2023, in an attack aimed at collecting credentials, attackers sent personalized malicious emails with HTML attachments to 615 employees. The malicious script was encoded so that email scanners could not analyze its code, and the bait looked like a salary payment notification from the victim's employer. HTML smuggling is used not only for stealing credentials but also for delivering malware, and its ability to evade detection significantly increases the likelihood of a phishing attack being successful.

The activity of attackers has prompted a trend among organizations to increase the level of information security for their systems. For example, Microsoft announced that it would block macros in office files from the internet by default. This increases the risk of malicious payload being detected while it is being delivered to the employee, so attackers increasingly use links to transfer malware.

Phishing messages with malicious links

Links in phishing messages are used in 43% of incidents, leading either to the download of malicious files (46%) or to a phishing page for entering credentials (50%).

Result of following a malicious link (percentage of incidents)
Figure 9. Result of following a malicious link (percentage of incidents)

Typically, links are used specifically for stealing corporate credentials (logins, passwords) for sale or use in further attacks. Such incidents are often on a mass scale and in most cases are disguised as messages from contractors or support/IT. Often, pages for entering data on the Microsoft website were replaced. However, in attacks on Russian organizations, as companies transition to domestic software, attackers may change addresses, adapting their tactics to Russian IT companies.

Current security tools are not always able to accurately determine the safety of a link, especially when the malicious to the malicious file involves multiple redirects. A typical example is the TOITOIN campaign, which has been attacking enterprises in Latin America since May 2023. The figure below shows a fraudulent email used in this campaign, created to lure a well-known investment banking organization into the trap. The email looks like an invoice from a supplier, prompting the recipient to click the "View Invoice" button. The urgent tone of voice compels the victim to check the contents of the message.

Phishing email sent to victims of the TOITOIN campaign
Figure 10. Phishing email sent to victims of the TOITOIN campaign

By clicking the button, the user initiates a chain of events: a URL opens that serves as an intermediate redirection, then the victim's browser is redirected again, this time to the final URL. Here, the malicious ZIP archive is discreetly downloaded to the victim's system. These methods of concealing malicious payloads are often successful, so we recommend paying attention to security system warnings and not clicking on suspicious links from unknown senders. This phishing method is especially dangerous when users receive messages on their mobile devices, where, to save screen space, the browser's URL line is usually not displayed, and the user cannot see the link they are clicking on.

Cybercriminals are always looking for new opportunities and methods, for example zip domains, recently opened up for purchase by all interested persons. This domain extension creates confusion, especially among non-technical users, providing attackers with a potentially effective attack tool. In phishing campaigns, criminals seek to create malicious websites that look as legitimate as possible. The zip domain can be an additional marker of a fraudulent site's authenticity. For example, domains like excelpatch[.]zip and outlook365update[.]zip look like legitimate identification pages.

Phishing domain excelpatch[.]zip
Figure 11. Phishing domain excelpatch[.]zip

Also, on May 15, 2023, the domain "42[.]zip" was registered, which automatically downloaded a zip file when visited. This domain is a malicious archive that, if read, causes the program or system being used to crash or fail. We believe this domain may have been used in phishing campaigns to gain initial access.

To protect your organization and minimize the impact of attackers using this attack vector, we recommend the following:

  • Block .zip domains at the firewall level using web filtering services. However, this approach may also block legitimate sites using the .zip TLD (The last segment of the domain name).
  • Use browser extensions or web filters that can analyze and assess the security of websites, as some of them can warn users of the potential danger of a website.
  • Inform employees about possible threats related to the zip domain and teach them how to check the URL before following a link.

Phishing messages with QR codes

Unfortunately, criminals are not limited to using only links and attachments to steal data and infect devices. In our study of current cyberthreats for Q3 2023, we noted a new trend: the use of malicious QR codes in phishing messages to more effectively bypass security measures.

QR codes help attackers conceal the malicious URL addresses from recipients and security systems. Often, they are used to replace malicious links with the aim of stealing credentials. In 2023, the company INKY intercepted hundreds of phishing emails with QR codes. While these emails came from various attackers, they were all aimed at collecting credentials and shared similar characteristics:

  • Attackers pretend to be Microsoft
  • They ask recipients to address a certain account issue, such as setting up 2FA (Two-factor authentication), verifying the account, or changing the password.
  • They attempt to evoke a sense of urgency in the victim.
  • The letters inform of dire consequences if the recipient fails to take the requested action.
  • They offer a QR code to scan in order to resolve the issue.
Phishing email to a Japanese retail store
Figure 12. Phishing email to a Japanese retail store
Phishing email from a hacked digital marketing service
Figure 13. Phishing email from a hacked digital marketing service

In these examples, phishing emails were sent to a large number of victims to collect credentials. Companies across various industries, including non-profit organizations, asset management firms, manufacturing companies, and more, fell victim to these attacks. Of the 545 emails recorded, the assumed victims were located in the U.S. and Australia. The company Cofense reports that the attack begins with a phishing email claiming the recipient must take action to update their Microsoft 365 account settings.

The emails come with attachments in PNG or PDF format with a QR code that the recipient is asked to scan to verify their account. To add a sense of urgency, the emails state that the target must complete this step within 2–3 days.

Examples of phishing emails (source: Cofense)
Figure 14. Examples of phishing emails (source: Cofense)

Methods such as hiding the URL using QR codes, using legitimate services as a cover, and using base64 encoding for phishing links are all ways to avoid detection and bypass email protection filters. To avoid falling victim to scams, we recommend disabling automatic actions when scanning a code (for example, connecting to Wi-Fi, visiting a website, downloading files, and so on) and to avoid scanning random QR codes when their authenticity cannot be verified.

The widespread use of QR codes in various attacks has led to the introduction of new legislation. For instance, authorities in Moscow, Russia have banned advertisers from using QR codes on billboards, transport stops, and other public places. It can be assumed that more steps will be taken in the future.

Methods for hiding malicious payloads

With the development of security tools, attackers need to carefully conceal malicious payloads in their campaigns. To do this, they redirect the victim from one resource to another multiple times, ultimately leading them to a malicious file or data entry page. Such multi-level infection chains significantly reduce the likelihood of an attack being detected by security tools in the early stages of penetration.

Another method of concealing malicious payloads is the MalDoc technique: embedding dangerous Word files into PDF files. These attachments have the .pdf extension but open in Word, triggering malicious macros.

INKY has observed attackers utilizing a technique called "image-based phishing." Its purpose is to prevent anti-spam scanners and email security tools from analyzing the email text. This technique involves embedding a text message into an image attached to the phishing email. Most email clients directly display the image file to the recipient rather than delivering a blank email with an image attached. The victim will not know that they are looking at a screenshot rather than HTML code with text, that is, a phishing letter, and since there are no links or attachments to open, the victim will be lulled into a false sense of security.

In October 2022, attackers posing as the service Geek Squad used this method to conceal malicious payloads. The phishing email claimed that their Geek Squad subscription had been extended for a year, and a significant amount of money would be debited within 24 hours.

Phishing email
Figure 15. Phishing email

Messages without a malicious payload

Payload-free messages constitute only 9% of all incidents, but they allow attackers to carry out highly targeted attacks that are harder to detect and prevent due to the sophisticated social engineering techniques involved. An example is the BazarCall phishing tactic, starting with an email urging the user to phone a call center under various pretexts. During the subsequent phone call, attackers provide the victim with step-by-step instructions on how to install malware on a device. This tactic is employed by APT groups such as Royal, Silent Ransom Group, and Quantum. The ransomware group Yanluowang managed to hack into Cisco's corporate (Cisco Systems is engaged in the production of network and telecoms equipment and the development of software for managing computer networks, as well as information security) network in 2022 using a combination of techniques, including "MFA fatigue" (A tactic where attackers send a constant stream of requests for multi-factor authentication to annoy the target in the hope that they will accept one of them) and BazarCall (A tactic where the victim is forced to call a phone number to communicate with the fraudsters), and, according to the attackers, stole 2.75 GB of data.

Sometimes phishing messages are so convincing that employees take compromising actions simply by believing the message text. For example, in February 2023, a criminal impersonated a supplier, convincing a financial employee of a US government agency to change the genuine contractor's banking details to fraudulent ones. As a result, $218,992 was transferred to the criminal's account.

The goal of phishing attacks is to prompt the victim to perform certain actions, such as entering credentials or downloading malicious attachments. The success of an attack largely depends on whether the recipient believes in the authenticity of the phishing email. To achieve this, attackers use topics of interest to victims, encouraging quick responses or threatening negative consequences if action is not taken. They also aim to evoke strong emotions in victims to reduce their vigilance. To increase the effectiveness of their campaigns even further, attackers adopt different topics for their phishing messages, taking into consideration factors such as the victim's industry and goals.

Topics of phishing bait in all countries, in Europe, in Asia (percentage of incidents)
Figure 16. Topics of phishing bait in all countries, in Europe, in Asia (percentage of incidents)

Messages from contractors

In 26% of attacks, attackers impersonate contractors, sending fake reconciliation statements, invoices, contract renewal documents, and other data related to interactions between contractors. This tactic is widespread because it is applicable to almost all organizations and legitimates the presence of links or attachments in the message. In 58% of attacks, such lures were sent without reference to a specific industry. However, this method is used more than any other in targeted attacks on medical, financial, industrial, and telecommunication organizations.

For example, in June 2023, Italian companies received messages requesting overdue payment.

Bait email
Figure 17. Bait email

The link in the phishing email leads to the download of a zip file containing spyware. The campaign targeted multiple organizations from different industries, demonstrating the versatility of attackers masquerading as contractors. Moreover, this method requires minimal additional information about the victim, making it easier to prepare an attack without compromising its effectiveness.

Messages from technical support/IT

Of all the incidents we reviewed, 15% of attacks were conducted using messages supposedly from technical support or the IT department. The success of such campaigns was mainly due to the fact that such emails looked familiar. In addition, this tactic is popular because it allows attackers to give specific instructions to employees encouraging them to perform the required actions without arousing suspicion. These messages often made use of issues such as account verification, software updates, security guidelines, email service disruptions, and password expiration notifications. The specificity of these emails makes it much more difficult for individuals with a basic level of digital literacy to independently verify the email's authenticity, while the risk of blocking access or deleting data creates a sense of urgency and encourages hasty actions.

For such phishing campaigns to be successful, detailed information about the victim is not required; attackers merely need to consider which information products are most commonly used by organizations in the victim's country.

In companies specializing in IT technologies, emails using this tactic were sent to employees in 35% of phishing attacks. These organizations typically have a high level of digitization, and most of their work processes take place in information systems that practically all their employees interact with. This is why such messages are more difficult to distinguish from the general flow.

This tactic is often used in phone calls, where attackers either target support specialists or impersonate them. For example, in December 2022, the Muddled Libra group sent bait messages directly to the mobile phones of target employees, claiming they needed to update account information or reauthenticate in the company's app. The messages contained a link to a fake corporate domain imitating the familiar login page. Once the attackers captured the credentials needed for initial access, they chose one of two following paths: continue the authentication from the computer they controlled and request a multifactor authentication code, or wait and start generating an endless stream of MFA requests until the user accepts one of them under the influence of so-called MFA fatigue. If the technique failed, the attacker would contact the organization's support posing as a victim and claiming that their phone was not working or lost and requesting registration of a new MFA device.

Defenders need to combine advanced technologies and comprehensive security hygiene, as well as carefully monitor external threats and internal events. The risk of losing internal and customer data should be a strong incentive to upgrade information security programs.

Messages from government agencies

In these types of decoys, victims are manipulated by respect for authority and fear of the consequences of leaving the letter unanswered. To prepare credible phishing messages in this way, general information about the target organization is needed, such as its location and scope of activity. Messages may contain an invitation to a meeting or to a collaborative work on documents, an urgent request, a request for information from a public body, information of national importance, or a recommendation from a ministry.

This tactic is mainly used for phishing attacks against the public sector and military-industrial enterprises (29% and 21% of incidents, respectively), because regular employees often receive such messages.

In February 2023, the Positive Technologies Expert Security Center identified a phishing campaign targeting Tajikistan's government agencies, using a bait document titled "Agenda for a high-level technical advisory meeting on the healthcare sector in Tajikistan."

The likelihood of the victim reacting to such a message is particularly high, as they blend in with regular emails, and the unified formal style and attention to detail of the document means it does not raise suspicion.

Messages with current news topics

The current news agenda serves as an effective tool for deceiving employees through phishing. In one in 10 attacks during the studied period, attackers addressed the hottest topics, including nuclear energy and weapons (due to news about Turkey, U.S. seaports, and Iran's relationship with the Taliban (Recognized in Russia as a terrorist organization and banned)), as well as protests in Latin America, mpox (in attacks on health care providers in the U.S.) and more.

In June 2023, the Positive Technologies Expert Security Center documented a cyberattack against Russian government agencies and companies in various sectors, including trade and services. The group we've identified as Cloud Atlas used a popular issue: partial mobilization.

Phishing email from the Cloud Atlas campaign
Figure 18. Phishing email from the Cloud Atlas campaign

The victim believes they have received a list of data that needs to be compressed before sending in an archive. However, upon opening it, the device becomes infected. Due to the victim's strong interest in the mobilization issue, both personally and in their official capacity, such emails are unlikely to be ignored.

Phishing messages with current news topics are more common in attacks on defense-industrial enterprises, educational institutions, and media outlets. For example, in a malicious campaign against Azerbaijani media, the bait was a self-extracting archive disguised as a PDF file containing an article about Alexander Lapshin (A Russian-Israeli travel blogger, journalist, and human rights activist). The European Court of Human Rights ruled in 2021 that Lapshin's right to life was violated by the Azerbaijani authorities, ordering Azerbaijan to pay €30,000 as compensation. This incident was most probably chosen as bait because of the widespread awareness of Lapshin's story in Azerbaijan.

In 2024, phishing messages are likely to exploit topics such as the March presidential elections in Russia, the summer Olympic Games in France, and the November U.S. presidential elections.

Messages from employers or well-known brands

These messages leverage the authority of the sender, whether an employer or a well-known brand. Topics include employees' summer vacations, various work guides and recommendations, expense reports and estimates, corporate discount offers, payslips, and Zoom message notifications. However, to create the most trustworthy message, the attacker needs additional information about the victim: internal company regulations, postal addresses, job titles, and employee names.

The effectiveness of attacks with messages supposedly from employers can be diminished by the victims verifying the legitimacy of received messages by asking colleagues or checking the sender's address in the employee directory.

When preparing attacks on behalf of well-known brands, attackers follow the best practices of the marketing departments of well-known companies. A thing of the past are mass emails playing on recipients' desire to purchase popular goods at a discount or inability to purchase them legally (for example, due to sanctions on many goods previously supplied to Russia). Modern criminals take into account the audience reach, conversion rates, interest in certain products, targeting, and personalization. For example, campaigns were noted in which victims received ads from popular brands and were then redirected through a chain of sites as detailed user data was collected, including browser information, device details, User Agent data, and IP addresses, all resulting in a unique page with a personalized offer that was difficult to refuse. All these parameters collected about the user formed a token for accessing the phishing resource, making it practically untraceable, as the link from the phishing message would not open for other users.

Messages from job applicants, clients, or messages with entertainment topics

Attackers rarely impersonate job applicants (6% of incidents) or clients (2%) since the recipients of such messages should be specialists in specific positions. Obstacles to achieving malicious goals also arise due to uncommon use of links and more careful examination of email content by employees. In an incident we discovered, the phishing email was imitating a job application, posing as a young girl who used to work as a model and is now looking for a secretarial job. Attached to the letter was a JGP photo of her and a PDF file of a supposed recommendation.

Messages from would-be job candidates are likely to be ignored, as most companies around the world hire employees through specialized agencies or services. However, in Asia, this bait is successfully used in 20% of all phishing attacks. For example, in February 2023, shipping companies and medical laboratories in Asia were hit by this type of CV-imitating, intelligence-gathering phishing campaign. The labor market in Asia is highly competitive, so applicants often contact companies directly for vacancies, which is why this campaign was so successful for the attackers.

Emails with entertainment content include various topics unrelated to work, such as photos of girls and invitations to events. These messages are highly likely to be overlooked by employees because of their apparent inaptness. In addition, cyberattacks are widely covered by the media, further increasing the vigilance of users.

Criminals use these tactics much less frequently, as creating convincing bait requires specific information about the victim, such as open job vacancies, lists of products or services, and sales channels. All of this increases attackers' labor costs, and such tailored phishing messages often cannot be used for attacks on other organizations.

Preparing a phishing message is one of the most important steps in an attack: if the bait is unconvincing, the effort and resources will be spent in vain. The choice of the bait topic depends on the attackers' goal, and it should blend into the general flow of emails to avoid arousing any suspicion.

This chapter lists the most common topics, but phishing emails use other topics as well. There are a number of signs that should raise doubts about the legitimacy of a message, such as an unfamiliar sender, inaccuracies in the spelling, syntax, and style of the text or brand name, as well as a general sense of urgency and a direct or indirect call to perform suspicious actions. Attackers carefully craft relevant bait, so messages should be assessed taking into account all of these factors, and caution should be exercised when working with all communication channels.

CheckSix emotions that attackers often exploit in phishing messages:

 

  1. Fear (for example, "Pay off your tax debt now").
  2. Irritation (for example, the «MFA fatigue» technique, where attackers send a constant stream of multi-factor authentication requests to annoy the target in the hope that they will accept one of them).
  3. Inattention (for example, using visually similar characters in links).
  4. Curiosity (for example, "Beautiful girls on OnlyFans").
  5. Greed (for example,"Discounts and coupons for marketplaces").
  6. A desire to help (for example, "Humanitarian aid to the victims of the earthquake in Turkey ").

Also, the sender's authority and the message's urgency enhance the effectiveness of phishing attacks!

Phishing as a service

In our report on trends and forecasts for 2019, we predicted the proliferation of cyberservices for sale. Today, this has become a common practice employed by both professional APT groups and individual attackers. Furthermore, the popularity of this business model lowers the barrier for entry into criminal activities for newcomers lacking specialized knowledge and skills. We analyzed 260 Telegram channels and forums on the darknet where social engineering was mentioned.

We sorted the offers and requests related to phishing into the following categories:

  1. Projects: ready-made phishing projects and schemes, phishing-as-a-service (PhaaS), sale of phishing email templates, sale or rental of phishing panels.
  2. Development: purchase or provision of services for developing phishing pages, projects, and bots.
  3. Tools: tools used by criminals to conduct phishing attacks.
  4. Partners: searches for partners, investors, and employees for phishing projects.
  5. Traffic redirection: sale of routes to phishing sites and hosts where malicious files can be downloaded.
  6. Data: bank accounts, bank card and cryptocurrency wallet data, and user credentials obtained through phishing attacks.

Among these posts, the most popular categories are projects, development, and tools.

Categories of offers and requests related to phishing
Figure 19. Categories of offers and requests related to phishing

CheckEvery third ad is related to the sale, purchase, or distribution of ready-made phishing projects, services, links, and schemes.

Cost of phishing attacks

Ready-made phishing projects start at $15 and can reach $5,000. With a budget of up to $100, you can purchase SMS phishing services or order phishing email templates. For costs ranging from $100 to $1,000, you can buy ready-made phishing pages, phishing projects imitating banks, or phishing-as-a-service. Unique phishing projects and the creation of reverse proxy systems (A reverse proxy is a type of proxy server that relays client requests from an external network to one or more servers located in the logical structure of the internal network) are valued at $1,000 and up.

Cost of messages in the
Figure 20. Cost of messages in the "Project" category
Post about the production of phishing email templates
Figure 21. Post about the production of phishing email templates
Post about the sale of a unique phishing project (in Russian)
Figure 22. Post about the sale of a unique phishing project (in Russian)

In the "Development" category, every third message is related to requests for the development of phishing pages and projects, indicating a high demand for these services. They cost from $50 to $1,000. The price of specific projects is calculated individually. For example, developing a phishing page ranges from $50 to $200, while a phishing project using a man-in-the-middle attacks can cost up to $1,000.

Post types for the
Figure 23. Post types for the "Development" category (percentage of messages)
Message offering services for developing phishing projects
Figure 24. Message offering services for developing phishing projects

Stolen data from phishing attacks, including bank account information, cryptocurrency wallets, credit card data, and user credentials obtained through phishing attacks, is subsequently sold on shadow platforms, starting at $5.

Message about purchasing stolen data
Figure 25. Message about purchasing stolen data

Supply and demand in the cyberservice market

42% of all phishing attack tools are distributed free of charge. These may include phishing kits such as Trape, AIOPhish, Cardesc, PyPhisher, as well as ready-made scripts that attackers use to prepare for phishing attacks.

Post types for the
Figure 26. Post types for the "Tools" category (percentage of messages)
Message about a freely distributed phishing tool (in Russian)
Figure 27. Message about a freely distributed phishing tool (in Russian)
Figure 28. Message offering a phishing script (in Russian)
Message providing hosting for phishing resources
Figure 29. Message providing hosting for phishing resources

There is a demand for investors, employees, and partners for phishing projects.

Message seeking specialists for a phishing project
Figure 30. Message seeking specialists for a phishing project

On the dark web, there is a service for setting up and maintaining the Evilginx2 3.0 tool, used for phishing to intercept user credentials. The cost of this service varies from $500 to $1,500 depending on the project's complexity.

Message offering the service for configuring and managing the phishing product
Figure 31. Message offering the service for configuring and managing the phishing product

There are ads from teams of "specialists" offering spear phishing services.

Message offering spear phishing services
Figure 32. Message offering spear phishing services

Thus, to conduct a successful phishing attack, attackers no longer need specialized skills, as almost any tool or service can be acquired for free or for a price. All of this makes preparing for an attack much simpler, posing serious risks to organizations worldwide.

Developments in phishing

Technology is constantly evolving, and so are threats. We anticipate a growth in the number of attacks using neural networks. Artificial intelligence tools, which are becoming increasingly popular, are used both by cybersecurity experts to counter cyberthreats and by criminals to prepare and execute phishing attacks. Cybercriminals use AI to maintain engaging and relevant dialogues with their targets, generate convincing phishing messages, and create deepfakes of voices, images, and videos. For instance, in June 2023, ThreatCloud AI, employing an embedded AI subsystem, blocked a large-scale phishing attack. Around the same time, in May 2023, an unidentified attacker carried out an attack for financial gain using a combination of synthetic audio, video, and text messages. After spoofing the voice of a company executive, the criminal contacted an employee of the organization via WhatsApp using a low quality audio call. The attacker then suggested holding a Microsoft Teams meeting, where the manager appeared on screen in his office. But the connection was very poor, so the attacker offered to switch to text messages and began persuading the victim to transfer money. At this point, the employee became suspicious and terminated the communication.

Besides trying to bypass restrictions in ChatGPT and trick it into generating malware, criminals also create their own toolkits. Alexey Lukatsky, a business consultant at Positive Technologies, conducted a review of existing malicious AI tools. For example, DarkGPT is a script that bypasses ChatGPT restrictions and costs $200 for a lifetime subscription. FraudGPT is another tool which can create phishing SMS messages, web pages, letters, and malicious code. Criminals can use FraudGPT to search for useful information such as leaks and vulnerabilities. This tool is offered on a subscription basis and initially cost $200 per month, but has since been discounted to $90.

FraudGPT
Figure 33. FraudGPT

The DarkBERT subscription is a South Korean AI tool trained on dark web forums and leaks that sells for $110 per month. Armed with such tools, even an attacker with very basic skills can automate the creation of convincing fake emails and sustain prolonged attacks that employ meaningful messaging in any language.

Conclusions about the effectiveness of using AI tools for phishing messages can be drawn from an experiment conducted by IBM, where AI competed against humans in creating phishing emails. Ultimately, the AI lost to the IBM team, but not by much. The neural network's phishing emails lacked humanity and conciseness, but they took only about 5 minutes to create, while the human team of specialists needed around 16 hours for the same task. Thus, attackers could save almost two days of work using generative AI models. The AI-generated phishing scams were so convincing that they nearly outperformed those created by experienced social engineers. The very fact that AI competed on an equal footing with humans is significant.

Due to the availability and diversity of malicious AI tools in the cyberservice market, according to Sumsub data, there was a significant surge in cases of attacks using deepfakes worldwide in the first half of 2023 compared to the second half of 2022. The number of deepfakes climbed by 84% in the UK, by 250% in the U.S., by more than 300% in Germany and Italy, and by 500% in France.

Directly related to voice fraud (A type of fraud involving the use of artificial intelligence to create convincing fake voice recordings), this problem was faced by 37% of businesses worldwide, 46% in the UAE, and 46% in the U.S.

Deepfake attacks target remote biometric identification and authentication, which are used in many European countries. The ETSI GR SAI 011 report warns that these procedures are highly susceptible to deepfake attacks. The combination of social engineering and deepfakes is actively used in Business Email Compromise (BEC) campaigns, where attackers impersonate official authorities or executives to request money transfers. The rapid growth of such attacks is driving companies to upgrade their security systems and develop new incident response strategies. Thus, the National Security Agency (NSA), together with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), released a Cybersecurity Information Sheet (CSI), "Contextualizing Deepfake Threats to Organizations", to help organizations identify, defend against, and respond to deepfake threats.

Attackers are constantly adapting and innovating their attacks. Therefore, it is crucial to take network activity seriously and be aware of potential risks before they occur, as the consequences of an attack can be irreversible. Countermeasures include increasing employee training and awareness, as well as implementing AI systems trained to detect manipulated content.

Conclusions

Phishing is a widely used method of infiltrating a victim's infrastructure. With the increasing number of phishing kits on the shadow market, carrying out a successful attack has become much easier, as attackers no longer require special technical skills. However, phishing messages remain fundamentally the same as before; for example, emails are still the primary distribution channel. That's why the success of today's phishing scams largely depends on the relevance of the message topic. It should capture the employee's attention while still blending in with the general flow of work emails. This study identified the topics and tactics most frequently used by attackers, analyzed the use of attachments and links in phishing messages, and the specifics of phishing attacks regarding different industries.

Attackers are now using recent developments in their attacks, such as task automation, ready-to-use toolkits for preparation and execution (that they also sell), outsourced phishing-as-a-service, AI and generative language models for creating messages, deepfakes, and deepvoice (footnote: voice forgery using neural networks). All of these help reduce the costs of executing a cyberattack and accelerate the preparation and dissemination of phishing messages. As a result, the latest phishing attacks have reached a critical level of effectiveness, posing a new challenge to those on the receiving end.

While this study mainly describes the trends in phishing attacks, we felt it necessary to at least outline possible methods of protection against this threat, which continues to be one of the main ways of penetrating organizations. The kill chain of phishing attacks consists of five stages, with the following prevention, detection, and response methods for each stage:

  1. Data collection on future victims

1.1. Develop and implement policies for the use of email, messaging apps, and other communication tools, including restrictions on publishing corporate contact information on social media and other internet resources.

1.2. Conduct user education and phishing simulations.

1.3. Monitor leak services for user account and password information, as well as the darknet to detect proposals to attack the victim company.

  1. Preparation of infrastructure for phishing attacks.

2.1. Use reputation mechanisms based on security solutions such as SWG (Secure Web Gateway), NGFW (Next Generation Firewall), and SASE (Secure Access Service Edge).

2.2. Identify and block clone domains and autonomous systems from which a large number of attacks are recorded.

  1. Deception of users

3.1. Detect sender address spoofing and implement email protection mechanisms like DKIM, SPF, and DMARC.

3.2. Use feeds with continuously updated lists of phishing domains.

  1. Clicking a link or opening malicious attachments

4.1. Inspect emails.

4.2. Watch out for certain attachment types.

4.3. Use sandboxes for mail traffic.

4.4. Inspect URLs when clicking links using perimeter security tools such as SWG, NGFW, and SASE.

4.5. Enable anti-phishing protection built into popular browsers or through additional plugins.

  1. Action (the ultimate goal of phishing)

5.1. Use EDR (Endpoint Detection & Response) solutions.

5.2. Enforce digital hygiene on personal computers and mobile devices (install updates, apply the principle of least privilege, and so on) .

About the report

This report is based on global data pertaining to cybersecurity incidents, Positive Technologies analytics, the results of investigations, and authoritative sources.

We estimate that most cyberattacks are not made public due to reputational risks. As a consequence, even companies specializing in incident investigation and analysis of cybergroups are unable to calculate the precise number of incidents. Our research seeks to draw the attention of companies and ordinary individuals who care about the current state of information security to the latest phishing attack methods.

This study considers each mass attack (for example, phishing emails sent to multiple addresses) as one incident, not several. For explanations of terms used in this report, please refer to the Positive Technologies glossary.

Get in touch

Fill in the form and our specialists
will contact you shortly