Egress Defend – what we can learn from 2022’s phishing trends

by Egress
Published on 10th Feb 2023

Egress is committed to helping organizations stay ahead of the curve when it comes to phishing threats. Our threat intelligence experts analyze hundreds of thousands of phishing emails every year to gain insights into the latest trends and tactics being used by attackers.

To help you gain better insight into the ever-changing email threat landscape and understand how to protect your organization from harm, we've compiled a range of key phishing statistics and outlined how you can use technology to keep your organization secure.

Most common types of email phishing attacks

Types of phishing attacks range from classic email phishing schemes to more inventive approaches such as brand impersonation and mail fraud. They often share the same purpose: to steal personal or financial information or to install malicious software.

The most common phish detected by Egress Defend in 2022 were technical. These are phishing emails designed to get through the signature-based detection used by Microsoft 365 and secure email gateways (SEGs).

For instance, these malicious emails could be routed through the dark web, incorporate hidden Unicode characters, or hold malicious HTML smuggling payloads.
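To show why hidden Unicode characters defeat signature matching, here is an added example (not Egress code and not a description of how Defend works). It compares a plain substring signature with one applied after normalization. The signature list reuses subject lines from this page, the sample subjects are constructed, and the function names are hypothetical.

```python
import unicodedata

# Signatures: three of the subject lines listed on this page, lower-cased.
SIGNATURES = [
    "remittance advice",
    "change password immediately",
    "fax message received",
]

def hidden_chars(text):
    """Return (index, code point) for each invisible format character."""
    # Category Cf covers zero-width space/joiners, soft hyphen, BOM, bidi marks.
    return [(i, f"U+{ord(ch):04X}") for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def normalize(text):
    """Fold compatibility forms, drop invisible characters, collapse spaces."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return " ".join(text.casefold().split())

def naive_match(subject):
    """What a plain substring signature sees."""
    lowered = subject.lower()
    return [s for s in SIGNATURES if s in lowered]

def hardened_match(subject):
    """The same signatures applied to the normalized subject."""
    normalized = normalize(subject)
    return [s for s in SIGNATURES if s in normalized]

def assess(subject):
    naive, hardened = naive_match(subject), hardened_match(subject)
    hidden = hidden_chars(subject)
    return {
        "naive": naive,
        "hardened": hardened,
        "hidden": hidden,
        # Hidden characters alone are only a signal (ZWJ/ZWNJ are legitimate in
        # emoji and some scripts); a signature they were masking is the stronger one.
        "evasion": bool(hidden) and any(s not in naive for s in hardened),
    }

# Constructed sample subjects, not taken from real mail.
SAMPLES = ["Remittance Advice", "Change pass\u200bword immedi\u00adately"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), assess(s))
```

The second sample renders the same as "Change password immediately" in most mail clients, yet only the normalized comparison matches it.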

Top brand impersonation attacks

Unfortunately for businesses, brand impersonation phishing attacks are rising. Microsoft was the most imitated brand observed by Defend last year; the top five are listed below:

  1. Microsoft
  2. Amazon
  3. Netflix
  4. Facebook
  5. Apple

In brand impersonation attacks, an email is designed to appear visually similar or even identical to one from a known legitimate brand, such as Microsoft or Amazon. Attackers then leverage trust in the company’s name to trick potential victims into giving up account credentials or clicking malicious links.

Top mail fraud attacks

This frequent scam involves sending fake emails or texts claiming a person has missed a delivery and asking the recipient to click on a link to pay a fee or fill in details. The top five delivery impersonation attacks detected by Defend in 2022 were:

  1. DHL
  2. DPD
  3. FedEx
  4. Hermes
  5. Royal Mail

Recent research from Lloyds revealed that 26% of adults say they always or often click on links in messages that appear to come from a delivery company. It’s important to understand that even with training, people still fall for phishing emails. This is why organizations should augment their defenses with an integrated cloud email security (ICES) solution, which uses a variety of advanced detection techniques to prevent even sophisticated attacks.

Most common phishing subject lines

The most common strategies attackers use to psychologically manipulate victims include creating a sense of urgency or fear, exploiting human curiosity, and offering rewards and incentives. Here are the top phishing subject lines we spotted last year:

  1. Remittance Advice
  2. Hi
  3. Change password immediately
  4. Good day
  5. Fax message received
  6. Available?
  7. Your personal data has leaked due to suspected harmful activities.
  8. Your parcel has been dispatched

Cybercriminals understand human psychology and fallibility, and they’re clever in the way they attempt to trick their victims. Many phishing attacks aim to move someone from rational thought processes into emotional reactions. Messages such as ‘change password’ or ‘missed parcel’ cause people to feel stressed or anxious, a state in which they are more likely to act quickly and fall for phishing scams.

Most common types of phishing payload

With email security tools able to filter out many phishing emails with known malicious attachments and links, attackers are looking for new ways to trick people. Cybercriminals are increasingly using psychological manipulation to trick people into giving away sensitive information. In fact, 21% of phishing emails detected by Defend last year employed this method.

Payloadless phishing emails can bypass security that relies on detecting known malicious payloads. They’re also likely to spoof the email address of a trusted contact or to come from a legitimate account the attacker has managed to take over.

This is where intelligent detection technologies come in. Defend uses natural language processing to understand the context of an email and evaluates the relationship between sender and recipient. This means it can identify a suspicious message, even if it's bypassed other email security measures.

Most common phishing sources

Last year, one-quarter of phishing emails detected by Defend came from a compromised account. An account is compromised when a hacker gains access to it by exploiting a vulnerability. The attacker can then use the account to execute phishing attempts on other accounts.

These types of attacks are increasingly common and can evade existing secure email gateways (SEGs) and the native security offered by Microsoft 365. To prevent compromised account attacks, organizations need to adopt zero-trust principles and invest in solutions with intelligent detection that pick up on anomalies in human behavior.

Stop sophisticated phishing attacks with Defend

At the end of the day, most cybercriminals are trained professionals: scamming is their career. It’s inevitable that people will fall victim to their cleverly engineered attacks unless they have the right cybersecurity technology to support them. We can’t expect people to detect every phishing attack on their own.

Moreover, traditional email security solutions like SEGs, spam filters, and antivirus scanners fall short in stopping brand impersonation and other payloadless attacks. Defend combines zero-trust models with advanced machine learning and natural language processing to detect and neutralize even brand impersonation attacks.

By providing actionable intelligence in real time without requiring administrators to configure rules manually, manage quarantines, or perform triage analysis, Defend frees up critical cybersecurity personnel and resources while stopping sophisticated phishing attacks in their tracks.