Amid the numerous instruments that have augmented our digital communication and commerce experiences over time, email remains a staple for everything, from confirming purchases to life-changing events like the authorization of financial aid.
It comes as no surprise that email scams have been a mainstay of cyberattacks since the earliest days of online correspondence. Worse yet, their scope and sophistication have kept pace with and taken liberal advantage of general digital developments.
Today's phishing attempts and other scams are more thought-out, cunning, and effective than ever. This article sheds light on the newest frauds, the developments you should be aware of, and the ways to combat the escalating threat.
Email Scams, Evolved
A surface-level examination of the latest email scam attempts reveals how their end goals have remained unchanged. Such emails still seek to either introduce malicious payloads via attachments, lure recipients to sophisticated copies of legitimate websites to steal credentials or install malware, or issue orders that appear legitimate, hoping that the recipient will follow through.
However, a lot has changed in how such scams are orchestrated, which victims are the likely targets, and even who the attackers are.
Public Adoption of Artificial Intelligence
AI had been the glue of email scammers' toolkits long before the advent of ChatGPT. They used it to circumvent spam filters by cracking associated detection algorithms. Another tangible trend was to automate credential stuffing campaigns and get access to poorly protected email accounts along with the contacts and systems they interacted with.
However, the availability of Large Language Models (LLMs) like ChatGPT opened the floodgates. One sobering statistic that puts things into perspective is that the number of phishing emails sent since the public debut of ChatGPT has seen a staggering 4,151% increase.
Most of these aren't your easily spotted run-of-the-mill emails. With so much publicly available data, scammers are developing offshoots, like WormGPT and FraudGPT, designed to learn from public interactions and mimic the sender's tone of voice, writing style, and other characteristics. Such emails are becoming harder to distinguish from legitimate communications, demanding even more vigilance and awareness from everyone.
BEC 2.0
Some phishers still cast the broadest possible nets by impersonating giants like Microsoft, Amazon, or FedEx. After all, many people expect packages at any given time, so this is a potent attack method. From a scammer's perspective, however, setting sights on specific targets is proving to be more effective and lucrative.
Business Email Compromise (BEC) focuses on the impersonation and/or takeover of legitimate, often high-profile business accounts. A compromised email account of such a caliber is almost impossible to detect. Plus, it projects the authority needed for recipients to make potentially disastrous financial decisions. That was the case with a government official in Puerto Rico who wired $2.6 million after following instructions, issued from a compromised email, to change a target account.
BEC 2.0 signifies the more sophisticated methods and preparation that scammers employ today. They spend months gathering data about the target, monitoring their communications, and hijacking legitimate email accounts. They may also slip into existing conversations and mention old correspondence, gradually establishing trust and inserting subtle suggestions that seem innocuous individually but condition the recipient to execute the eventual fatal order without a second thought.
Spoofing
Vigilant users will remember to check details like the sender's address or the domain name of a site the email links to, but what if these are obfuscated? Scammers may set up an SMTP server and create email addresses that look almost identical to the real deal. They'll make imperceptible tweaks, like substituting the lowercase "l" for an uppercase "I" when pretending to send an email from PayPal, for example. This is hard to distinguish in the standard "Calibri" font used for internet URLs.
The email's body and language are carbon copies of the original. The spoofed sites you're urged to visit look authentic and even use HTTPS to feign extra legitimacy. A notorious example was the attack that impersonated the US Department of Labor, which managed to get past Office 365 safeguards and trick applicants into parting with their email account credentials that scammers may use to orchestrate further attacks.
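The lookalike-address trick described above can be caught mechanically. The following is an added example, not code from the original article: it reduces a sender domain to a "skeleton" in which visually confusable characters collapse to one form, then compares it with a list of protected domains. The domain list, the confusables table, and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumed list of brands to protect (illustrative, taken from names in the text).
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com", "amazon.com", "fedex.com"}

# Hand-picked confusables, constructed for this example; a production filter
# would use the full Unicode confusables data instead.
CONFUSABLES = {
    "I": "l",       # uppercase i shown as lowercase L, the PayPal trick
    "1": "l",
    "0": "o",
    "\u0430": "a",  # Cyrillic a
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
}
MULTI = {"rn": "m", "vv": "w"}  # letter pairs that read as one letter


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to one canonical form."""
    out = "".join(CONFUSABLES.get(ch, ch) for ch in domain).lower()
    for seq, repl in MULTI.items():
        out = out.replace(seq, repl)
    return out


PROTECTED_SKELETONS = {skeleton(d): d for d in PROTECTED_DOMAINS}


def check_sender(from_header: str):
    """Return (verdict, protected_domain_or_None) for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rsplit("@", 1)[1]
    # An exact match only means the text is not a lookalike; it does not
    # prove the message is authentic (that needs SPF/DKIM/DMARC checks).
    if domain.lower() in PROTECTED_DOMAINS:
        return ("exact-match", domain.lower())
    target = PROTECTED_SKELETONS.get(skeleton(domain))
    if target:
        return ("lookalike", target)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for hdr in ("PayPal Support <service@paypaI.com>", "billing@amaz0n.com"):
        print(hdr, "->", check_sender(hdr))
```

A "lookalike" verdict is a strong signal to quarantine or banner the message, since the domain as displayed reads like a protected brand but resolves elsewhere.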
Email Scam Democratization
Email scams aren't just a top cybersecurity concern. They're becoming a lucrative business with ever-lower barriers of entry. On the one hand, LLMs remove the language barrier, potentially allowing anyone with internet access to deploy a flawlessly worded, convincing email. On the other hand, one doesn't even need an interest in or inclination towards cybercrime. Tech skills became redundant with the emergence of an entire dark web industry offering Phishing-as-a-Service. Malicious actors in charge sell phishing kits and even offer customer support for anyone willing to dabble in such foul play.
Meeting the Challenge Head-On
Since human error and exploiting human nature are at the heart of this evolving threat, successful mitigations of sophisticated new email scams hinge on the cooperation between cybersecurity professionals and those whom they are employed to protect.
Cybersecurity professionals can do much to limit the exposure to scam emails by reducing the chances of a harmful interaction in the first place. They need to implement proper email filters, use next-generation firewalls and URL sandboxing to block harmful links, and leverage emerging AI-driven cybersecurity solutions to identify peculiar behaviors and patterns indicative of scam activity that humans might fail to spot.
Since compromised email addresses are crucial for gaining unauthorized system access and establishing credibility in targeted attacks, their protection is paramount. The password for each account needs to be unique and resistant to brute-force attacks. Enterprise-level password managers are instrumental in implementing and enforcing such policies since they streamline password creation and usage not just for email but for any account that needs reliable safeguards. They also provide MFA, which is invaluable for threat neutralization and recovery of compromised credentials.
Companies must coordinate security awareness training efforts, bringing their employees up to date and running exercises to test their awareness. Good training will also engage employees as individuals, making them curious about email scam developments and more vigilant when interacting with potentially suspicious emails.
Conclusion
Like the humble yet indispensable electronic messages that litter our digital inboxes, scams associated with them are here to stay; if anything, they're thriving and evolving in ways few would have predicted a mere five years ago. Staying in the know and proactively employing appropriate countermeasures, whether in your workplace or home, is the most judicious risk mitigation strategy you can and should adopt.
About the Author:
David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.