Cyberattacks spread via email are still rising, and with generative artificial intelligence (AI), they have gotten even more dangerous, a new report from Barracuda Networks has claimed.
After analyzing 69 million attacks across 4.5 million mailboxes over the past 12 months, Barracuda said business email compromise (BEC), conversation hijacking, and QR code attacks were all growing.
In fact, BEC attacks now make up a tenth (10.6%) of all email-based social engineering attacks, up from 8% in 2022, and up from 9% in 2021. At the same time, conversation hijacking made up 0.5% of all social engineering attacks in the past year, which is an increase of some 70%, compared to the 0.3% back in 2022.
Gmail and bit.ly
This method’s overall share is relatively small since it requires a lot of effort to execute, but the payout can still be significant, Barracuda warns.
With conversation hijacking, a threat actor will compromise a person’s email account, and look for conversations with potential targets. They will then “hijack” the conversation, and reply to the latest email, continuing the chain of communication. That way, the victim has no reason not to trust the contents of the email, making distributing malware and stealing sensitive data that much easier.
Finally, around 1 in 20 mailboxes were targeted with QR code attacks, which are relatively successful since they mostly bypass traditional email filtering solutions. Furthermore, they make the victims use a personal device to scan the QR code, which is usually not protected by corporate security software.
The attackers will usually go for Gmail users, Barracuda added, since Gmail accounted for 22% of the domains used for social engineering. What’s more, bit.ly is the go-to tool for URL shortening, used in almost 40% of social engineering attacks.
“IT and security professionals need to stay focused on the evolution of email threats and what this means for security measures and incident response,” said Sheila Hara, Sr. Director of Product Management at Barracuda.
“This involves understanding how attackers can leverage generative AI to advance and scale their activities, and the latest tactics they’re using to make it past security controls. The best defense is AI-powered cloud email security technology that can adapt quickly to a changing landscape and doesn’t solely rely on looking for malicious links or attachments.”