Report: BEC Phishing Attacks Are Gaining Momentum

SlashNext discovered a 341% increase in BEC and advanced phishing attacks over the past six months.

ITPro Today Staff

May 22, 2024


Many dangerous phishing trends accelerated over the past half-year, according to a new report from SlashNext.

The midyear update of SlashNext’s State of Phishing Report highlighted security threats to organizations from business email compromise (BEC) and advanced phishing attacks. These latest findings show how attackers are ramping up the use of generative AI, QR codes, and CAPTCHA tests as part of their sophisticated, multichannel phishing attacks.

According to the report, malicious emails spiked by 341%, and credential phishing attacks grew by 217% in the last six months. Overall, BEC attacks have increased by 29%. Some of the most prevalent types of BEC threats include gift card scams (21%), social engineering investment scams (16%), purchase renewal scams (14%), social engineering beneficiary scams (12%), and social engineering donation scams (10%).

[Chart: SlashNext phishing statistics]

Credential phishing makes up the largest category of phishing attacks today, as these threats regularly appear across the full range of email, mobile, social, and collaboration channels. The attackers attempt to harvest user credentials to launch ransomware attacks and data exfiltration attacks.

In addition, SMS-based “smishing” attacks have steadily increased and made up nearly half (45%) of all mobile threats over the last six months. QR code-based phishing attacks rose by 11% in that period.

Attackers are also increasingly adopting CAPTCHA-based attacks to mask their credential-harvesting tools. They can generate thousands of imposter domains and hide their credential phishing forms from security systems that are incapable of getting past CAPTCHA protections.

Based on these latest findings, the problem of BEC phishing attacks continues to gain momentum, especially since the launch of ChatGPT and other generative AI chatbots. The blazing speed and heightened complexity of these AI attacks make it almost impossible for human users to distinguish authentic emails and real messages from fake phishing attempts.

For this reason, businesses of all sizes may consider adopting AI-based cybersecurity defense systems to counteract highly sophisticated BEC attacks. AI-based systems can automatically predict and intercept malicious phishing messages through a combination of generative AI tools, natural language processing, computer vision, relationship graphs, and contextual analysis.

SlashNext researchers analyzed billions of link-based, malicious attachment, and natural language threats scanned in email, mobile, and browser channels during the six months from Q4 2023 to Q1 2024. The organizations affected by the threats detected with SlashNext security products ranged in size from 500 to 250,000 users, spanning a variety of industries.
