British cybersecurity firm Darktrace identified 17.8 million phishing emails across its customer base in the first half of the year, with a majority bypassing stringent security protocols.
In May and June alone, Darktrace identified 540,000 attempts to impersonate brands as well as 240,000 emails posing as a VIP from an organization.
“This trend towards impersonation and deception under the guise of a trusted company, or even a company executive, suggests threat actors are curating more bespoke and targeted email campaigns intended to target select organizations, or even individuals, more efficiently than traditional mass phishing attacks,” the report said.
In fact, 40 percent of the phishing emails were identified as spear phishing attempts, i.e. targeting specific individuals or organizations. This is unlike mass phishing, in which emails are sent en masse in the hope of fooling a few.
Darktrace identified more than 1 million multistage payload emails—messages that launch a cyberattack in a series of steps.
In addition, the firm detected “550,000 malicious QR codes that, when scanned, would direct recipients to a malicious endpoint where attackers can infect a device with malware or steal a user’s login credentials.”
Darktrace pointed out that the threat landscape is evolving and that new threats are being built upon the foundations of older threats.
While new malware threats have come up, many attacks are still being carried out by the “usual suspects,” with these hacking groups continuing to use familiar malware variants and techniques.
Cyber Risk for Americans
The Darktrace report comes as the number of U.S. data breach victims jumped nearly five-fold in the first half of the year, according to the nonprofit Identity Theft Resource Center (ITRC). The group estimated more than a billion data breach victims for the January–June period. Data breach incidents jumped in 10 of the 16 industries tracked by ITRC. The most affected industry was financial services, followed by health care, professional services, and manufacturing and education sectors.
“The takeaway from this report is simple: Every person, business, institution, and government agency must view data and identity protection with a greater sense of urgency,” said Eva Velasquez, president and CEO of ITRC.
In 2023, the FBI’s Internet Crime Complaint Center received a “record” 880,418 complaints from U.S. citizens, with potential losses in excess of $12.5 billion. The crime most frequently reported last year was phishing schemes, which include not only email scams but also text messages and telephone calls.
“Over 298,000 complaints were filed about phishing schemes last year, which accounted for approximately 34 percent of all complaints reported,” the FBI said in its report.
Most complaints of phishing came from Santa Clara County. Alameda County registered the most losses at nearly half a million dollars.
This is especially true for certain messages that warn about negative consequences if the target of the scam does not respond immediately. Phishing emails tend to ask for the target’s financial and personal information.
“A common sign used to be poor grammar or misspellings although in the era of artificial intelligence (AI) some emails will now have perfect grammar and spellings, so look out for the other signs,” CISA said.
“If you suspect phishing, resist the temptation to click on links or attachments that seem too good to be true and may be trying to access your personal information. Instead, report the phish to protect yourself and others.”