AI and phishing-as-a-service (PaaS) kits are making it easier for threat actors to create malicious email campaigns, which continue to target high-volume applications using popular brand names.

Phishing is having a moment, with a massive spike in campaign volumes in the latter half of 2022. In fact, total phishing emails increased by 61% in the second half, according to an analysis this week. That could also be set to accelerate, as the rise of ChatGPT and other new tools makes its mark on the sector too.

That's according to the "Q4 2022 Phishing and Malware Report" from email security firm Vade, published Feb. 9. Phishing volumes increased 36% between the third and fourth quarters, with researchers tracking 278.3 million unique phishing emails in the last three months of the year, according to the report.

Malware volumes overall also increased, by 12% quarter over quarter, with Vade detecting 58.9 million emails in the fourth quarter of 2022 that included malware, the researchers found.

Email remains the top channel for distributing phishing and malware, giving hackers a convenient, scalable, and efficient vehicle for exploiting users and compromising accounts, Todd Stansfield, content marketing manager, noted in the report.

"Email threat activity continues to increase, creating the need for organizations of all sizes to fortify their cybersecurity," he wrote.

Breaking down the numbers by the month, phishing volumes remained relatively stable through the first half of the fourth quarter, with 62.3 million phishing emails tracked in October and 47 million in November, according to the report.

Then, as is typical during the annual holiday season — in which phishers use a range of year-end and holiday-themed lures to try to snare victims — December saw a big jump in phishing emails with 169 million, representing a 260% month-over-month increase, the researchers found. This pattern is similar to what happened in the fourth quarter of 2021, they said.

Reliable Targets & Tactics

In terms of who they target and how they do it, phishing threat actors aren't getting especially creative given the current way enterprise users work and collaborate.

Facebook remained the top brand in terms of impersonation for the second consecutive quarter, with researchers observing 6,700 unique phishing URLs impersonating the social networking giant in the fourth quarter of 2022, they reported. The company was followed by Microsoft, PayPal, Google, and Netflix in descending order as the brands that threat actors prefer to impersonate.

In terms of targets, threat actors continued to find value in campaigns targeting productivity applications, for which they have a wide pool of corporate users and are most likely to find success, the researchers found. Microsoft 365, which has more than 345 million users, and Google Workspace, the second-most popular productivity suite, continued to be the top targets for phishers in the second half of 2022, according to Vade.

"With the growing popularity of productivity suites, users are increasingly using email to access and use productivity apps such as file sharing and instant messaging," Stansfield wrote, adding that threat actors have taken notice and are crafting phishing campaigns to target the specific behavior of corporate productivity-suite users.

AI & New Tools Bolster Phishing

While some things remained the same in terms of phishing campaigns, changes are afoot in other aspects of this type of threat, the researchers found. In particular, new tools have emerged that can make anyone, even with limited skills, a phishing threat actor thanks to more sophisticated phishing-as-a-service (PaaS) kits, and the meteoric rise in popularity of the AI platform ChatGPT.

"By purchasing a phishing kit, novice hackers can deploy highly convincing and effective schemes against their targets," Stansfield acknowledged.

One recent enhancement to these kits is the ability to automatically localize phishing pages based on a victim's native language, a handy tool that allows threat actors to target various regions quickly without being multilingual themselves, the researchers said.

The feature works by identifying the language settings of the targeted user's browser and leveraging it to update and display the phishing page accordingly. While improving the contextual accuracy of each phishing attack, the new feature also enables hackers to target users across multiple languages using a single kit, thus increasing the reach of their campaigns, according to Vade.

ChatGPT — the chatbot that can assist anyone in producing instantaneous, high-volume content that's already become notorious for its cybersecurity implications since its November release by OpenAI — also is becoming a phisher's best friend, according to Vade analysts.

Hackers can weaponize ChatGPT to produce sophisticated phishing kits efficiently by using commands that empower the AI tool to write phishing emails and malicious code in seconds, they said.

Protecting the Enterprise From Phishing

With phishing showing no sign of letting up despite being one of the oldest forms of cybercriminal activity, it's clear enterprises need to roll with the changes in the technology landscape just as attackers are.

"In the past year, nearly seven out of 10 businesses experienced a serious data breach that bypassed their email security," Stansfield noted, citing previous research from Vade.

Moreover, the problem with phishing is that it doesn't end with a victim giving up credentials; attackers can ultimately use these credentials as a way into corporate networks to steal data, distribute ransomware and other malware, and engage in other nefarious activity.

Enterprises need to move beyond traditional email security solutions and adopt ones that can respond to the more sophisticated tactics of attackers, the researchers said. Specifically, collaborative and AI-enhanced solutions that can provide "predictive defense against known and unknown threats using the latest threat intelligence and a core set of AI technologies" are the way forward, Stansfield said.

Indeed, just as AI is empowering attackers through technology like ChatGPT, it also can empower enterprises with new types of security, Adrien Gendre, co-founder and chief tech and product officer at Vade, tells Dark Reading.

"On the flip side, we use AI to detect anomalies in email, from the content itself to the behavior of files that might be included in those emails," he says. "There will be a battle between what you might call good and bad AI."

If phishing emails do slip through an organization's security protections, training employees to identify phishing emails before they click on them can also be a reliable way to prevent credential or malware compromise before it occurs, Scott Caveza, senior research manager at cyber exposure management firm Tenable, tells Dark Reading.

"Phishing attacks continue to be successful as they target our weakest link in security, humans," he says. "Regardless of the author of the email, be it AI or an actual human, organizations need to invest in and develop mature security programs where security awareness training, including specific training on spotting phishing attacks, are priorities for the organization."

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
