Attackers have increased their use of X-rated phishing lures in Business Email Compromise (BEC) attacks. A recent report by a security firm found a remarkable 974% spike in social-engineering scams using suggestive materials, normally aimed at recipients with male-sounding names within an organization.
Talking about the attacks
GreatHorn reported that suggestive emails are now targeting people at work for an extra shock factor.
Usually, attackers send such emails to lure or scare the recipient by using their name, imploring them to click on the advert. This tactic is known as dynamite phishing.
Such emails do not always involve explicit material; however, their goal is to frighten the recipients or put them in an emotional state where they are unable to make any sensible decisions.
The malicious URLs primarily do three things: download malware, send users to a fake dating site to steal payment data, or track users for a follow-up attack.
Moreover, scammers use a tactic called email pass-through to track their victims. In this technique, once a user clicks on a link inside an email, their email address is passed to the linked site automatically.
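An added example, not part of the original report: a defender-side check that flags links in a message body carrying the recipient's own address (plain, percent-encoded, base64 or hex), which is the pass-through behaviour described above. The function names, sample addresses and domains are constructed for illustration, and the set of encodings checked is an assumption.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _views(url):
    """Yield (encoding, lower-cased text) views in which an address could appear."""
    yield "plain", unquote(unquote(url)).lower()  # also covers %40 and %2540
    parts = urlsplit(url)
    values = [v.replace(" ", "+") for _, v in parse_qsl(parts.query)]
    values += parts.path.split("/") + [parts.fragment]
    for value in filter(None, values):
        try:  # standard or URL-safe base64, with padding restored
            raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
            yield "base64", raw.decode("utf-8", "ignore").lower()
        except ValueError:
            pass
        try:  # hex-encoded address
            yield "hex", bytes.fromhex(value).decode("utf-8", "ignore").lower()
        except ValueError:
            pass


def find_pass_through(body, recipient):
    """Return (url, encoding) for each link that carries the recipient's address."""
    recipient = recipient.lower()
    hits = []
    for url in URL_RE.findall(body):
        for encoding, text in _views(url):
            if recipient in text:
                hits.append((url, encoding))
                break  # one finding per link is enough
    return hits


# Constructed sample message; the address and domains are not from the report.
RECIPIENT = "alice@corp.example"
_B64 = base64.urlsafe_b64encode(RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_BODY = (
    "Hi Alice, someone likes you: https://a.example/p?u=alice%40corp.example "
    f"or https://b.example/r/{_B64} or https://c.example/t?id={RECIPIENT.encode().hex()} "
    "and see https://d.example/about"
)

if __name__ == "__main__":
    for url, encoding in find_pass_through(SAMPLE_BODY, RECIPIENT):
        print(f"{encoding:7} {url}")
```

A mail gateway or triage script could run this per recipient and rewrite or quarantine the flagged links; legitimate newsletters also embed addresses, so treat a hit as a signal to weigh with others rather than a verdict.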
How effective is phishing?
To show how insidious and effective phishing lures have become, Agari Cyber Intelligence Division (ACID) put 8,000 account credentials under its management on various phishing sites and reported what happened to them.
The firm found that a quarter of the account credentials were tested automatically as soon as they were posted. In addition, around three families of attacks were responsible for 85% of attacks.
Nearly 92% of the compromised accounts were manually breached by an attacker. About 20% were accessed within the first hour and 91% were accessed within a week of compromise.
Phishing has become one of the biggest cybersecurity challenges faced by organizations around the world. As phishing attacks grow at a rapid pace, organizations should rethink their IT operations and risk-management strategies to manage the problem effectively.