Insights from our 2023 Phishing Threat Trends Report

by Charlotte Rogers
Published on 18th Oct 2023

Cybercriminals never take a day off, and nor should your email protection. The online threat landscape is constantly evolving, and our Threat Intelligence team has unearthed some incredibly sophisticated threats over the last 10 months.

To help equip you in the fight against phishing attacks, such as business email compromise, we published the Phishing Threat Trends Report, which outlines and explains the most common threats we’ve seen so far in 2023.


Most phished topics of 2023

The most phished topic of the year: Missed voice mail notifications

So far this year, 18.4% of the phishing attempts we’ve seen have originated from missed voicemail messages. These attacks use HTML smuggling to hide their payload, aiming to trick individuals into opening an attachment that redirects them to a phishing website or builds malware behind their firewall. The use of HTML smuggling means these attacks cannot be detected by traditional perimeter defenses.

Some of the more sophisticated attempts will sometimes include text that is formatted to look like a hyperlink designed to frustrate the recipient of the email and who is then more likely to open the attachment without giving it proper consideration.

Most phished topic, by month

January: RingCentral impersonation

RingCentral is a communications platform like Teams or Slack. Cybercriminals would use stylized HTML email designs in attempts to get recipient to click a link by advising them that they had missed a particularly important message, which feeds into the most phished topic of the year. As RingCentral is a business-orientated platform, and one that many are so familiar with, cybercriminals leveraged their trusted brand to make their attacks appear more convincing to their targets. 

February: Alias impersonation 

Almost one-third (32.2%) of all the attacks in February were ‘alias impersonation’ attacks. These almost always use social engineering and aim to create a sense of urgency, which then puts the recipient under pressure to react with the desired action – clicking a link, opening an attachment, or sending a response at all. 

March: Fake HMRC/IRS notifications

Tax forms needed to be filed in the US by the start of April, and as a result, March saw a sharp increase in the number of emails impersonating the IRS. This coincided with the end of the global fiscal year, which meant the likes of HM Revenue and Customs in the UK were also impersonated, along with various other tax authorities from around the world. These phishing emails try to get people to act by leveraging the threat of fines and other penalties. 

April: Security software impersonations

In April, 15.2% of attacks impersonated security software companies, with Avast and Norton Security being the most leveraged brands. It’s likely that these security companies were impersonated due to the nature of their industry and as an attempt to lull recipients into a false sense of security. 

These emails encouraged recipients to open links and enter their credentials, which would be harvested by the cybercriminals.

May: ‘Life ruiners’

Things got a bit more personal in May as sextortion attacks increased to the most common type of phishing attack that we detected. These email senders would claim to have some form of life-altering information or image/video, threaten to use it to ruin the recipient’s life, and scare them into either paying, clicking on a nefarious link, or opening a questionable attachment.

June: Lottery winners

12.7% of attacks in June impersonated the National Lottery, or a similar organization, claiming that the recipient had won a certain sum of money and leveraged a time crunch to encourage them to follow a link and enter their banking details to ‘claim their prize.’

June: Salesforce and Meta advertising

Attacks using brand impersonation continued in June with Salesforce and Meta being the most impersonated brands. Many of these attacks were linked to a zero-day vulnerability in Salesforce’s email services, which cybercriminals used to launch a phishing campaign targeting Facebook accounts specifically. 

August: Geek Squad

Geek Squad is Best Buy’s in-house technology support team. Phishing emails impersonating Geek Squad have been around for years, but in 2023, they started to gain momentum again from May. These Geek Squad scams took many forms – auto-renewal notifications, troubleshooting software downloads, security support correspondence, and false discount offers. Cybercriminals deploy these types of attacks often, likely because they have proven rewarding in the past.

September: Credit card transactions

In September, 15.1% of phishing attacks came via cybercriminals pretending to be from a recipient’s bank and warning them of a recent failed credit card transaction. The intended actions would be that the recipient would then panic, follow the link that they thought would lead to their online banking provider, and enter their credentials, which would then be stolen and used by the cybercriminals to access to the victims’ accounts. 

Phishing threat trend predictions for the rest of 2023

As you can see, cybercriminals are showing no signs of slowing down. We wanted to take this discussion further and so, we asked our Threat Intelligence team to predict what they think the greatest threats will be in the final quarter of 2023. 

October: Fax impersonation

In October 2022, 30.8% of phishing attacks came from eFax notifications. Our TI team predicts that this is going to come back again in 2023. Fax is still used in certain industries due to the legislation on the transfer of sensitive data. In fax impersonation, the target will receive an email notification telling them that they have an unread eFax, and that they need to either click on a link or open an attachment to access the data in question. This is yet another form of the ‘missed message’ phishing technique.  

November: Black Friday/Crypto

Black Friday is an opportunity that cybercriminals never miss. In November, most people will receive more emails than normal offering Black Friday and Thanksgiving themed discounts for online stores and at major retailers. Individuals might also receive emails designed to convince the recipient to reveal their cryptocurrency keys. 

December: Christmas-related 

Cybercriminals will use any holiday to contextualize their attacks and Christmas represents the biggest seasonal opportunity in many countries. In December 2022, our team discovered that the most common brands being impersonated were Amazon, Walmart, and PayPal. These household names are likely to appear again in 2023.

Get your copy

Threat Report Sidebar Image

Get your copy

Phishing Threat Trends Report

Download report