71% of AI detectors unable to detect chatbot phishing email

A report by Egress has revealed the changing tactics of cybercriminals in their attempts to break through traditional perimeter security

A new report reveals that nearly three-quarters (71%) of AI detectors are unable to tell if a phishing email has been written by a chatbot. Egress, a cybersecurity company providing intelligent email security, has released its second Phishing Threat Trends Report.

The report reveals the changing tactics that are employed by cybercriminals in their attempts to get through traditional perimeter security, including secure email gateways. It investigates significant trends in phishing, focusing on the most frequently targeted subjects, scrutinises the prevalent techniques used to obscure their activities and evade perimeter defences, and evaluates the impact of chatbots on the landscape of cyberattacks.

The phishing threat data and examples presented in this report were sourced from Egress Defend, an Integrated Cloud Email Security solution equipped with advanced technology designed to identify and safeguard against the most intricate phishing attacks.

Highlight findings include:
  • 18.4% of phishing attacks were missed voice messages, making them the most phished topic
  • 55.2% of phishing emails contain obfuscation techniques to help avoid detection
  • 34% of mail flow is ‘graymail’ and there is a direct correlation between the amount of graymail and phishing emails received
  • 71% of AI detectors can’t tell if a phishing email has been written by a chatbot

“Without a doubt chatbots or large language models (LLM) lower the barrier for entry to cybercrime, making it possible to create well-written phishing campaigns and generate malware that less capable coders could not produce alone,” said Jack Chapman, VP of Threat Intelligence, Egress.

“However, one of the most concerning, but least talked about applications of LLMs is reconnaissance for highly targeted attacks. Within seconds a chatbot can scrape the internet for open-source information about a chosen target that can be leveraged as a pretext for social engineering campaigns, which are growing increasingly common. 

“I’m often asked if LLM really changes the game, but ultimately it comes down to the defence you have in place. If you’re relying on traditional perimeter detection that uses signature-based and reputation-based detection, then you urgently need to evaluate integrated cloud email security solutions that don’t rely on definition libraries and domain checks to determine whether an email is legitimate or not!”

Key trends of the Phishing Threat Trends Report

As threats continue to evolve, the cybersecurity industry must collaborate to continue to manage human risk in email. To shed light on evolving attack techniques and to keep cybersecurity professionals informed, the Egress Phishing Threat Trends Report offers an in-depth look into key phishing trends, which include:

Most phished topics of the year

There has been no shortage of phishing attacks in 2023. The number one phishing topic was missed voice messages, which constituted 18.4% of all phishing attacks recorded from January to September 2023. A significant portion of these attacks employ HTML smuggling techniques to conceal their malicious payloads.

Can you detect if chatbots are being used to write phishing emails?

Concerns have arisen regarding cybercriminals potentially utilising chatbots to craft phishing campaigns and malware. However, is it possible to ascertain whether a phishing email has been authored by a chatbot? According to the report, no individual or tool can definitively tell whether an attack was composed by a chatbot. 

This is because chatbots rely on large language models (LLMs), and the accuracy of most detection tools improves with longer text samples, often necessitating a minimum of 250 characters to function effectively. Given that 44.9% of phishing emails do not meet the 250-character threshold, and an additional 26.5% fall below the 500-character mark, AI detectors either won’t work reliably or won’t work at all on 71.4% of attacks.

Obfuscation techniques are on the rise

The proportion of phishing emails employing obfuscation techniques has increased by 24.4% in 2023, sitting at 55.2%. Obfuscation allows cybercriminals to hide their attacks from certain detection mechanisms. Egress Defend discovered that almost half of phishing emails (47%) that use obfuscation contain two layers, which increases the chances of bypassing email security defences to ensure successful delivery to the target recipient. Less than one-third (31%) use only one technique. The most popular obfuscation technique, accounting for 34% of instances, is HTML smuggling.

Graymail dissected

To understand how graymail impacts cybersecurity, Egress researchers analysed a staggering 63.8 million emails that organisations received over four weeks. It was found that, on average, one-third (34%) of mail flow can be categorised as graymail (bulk but solicited emails including notifications, updates, and promotional messages). 

Additionally, Wednesday and Friday are the two most popular days of the week to send or receive graymail. The study revealed a direct relationship between the volume of graymail and the frequency of phishing emails received. Individuals with busier inboxes are at a heightened risk of being targeted by phishing campaigns.

Phishing currently has the upper hand as traditional perimeter detection is falling short

Greater numbers of phishing emails are getting through traditional perimeter detection, so while overall volume hasn’t increased, this report shows that attacks are becoming more sophisticated, with cybercriminals using a range of tactics to successfully get through security. The percentage of emails bypassing Microsoft's defences has surged by 25% from 2022 to 2023. Similarly, the percentage of emails evading secure email gateways (SEGs) has risen by 29% during the same period.

In addition, there has been an 11% increase in phishing attacks originating from compromised accounts during 2023. These compromised accounts often operate from trusted domains, making them more likely to evade detection by traditional perimeter security systems.

Nearly half (47.7%) of the phishing attacks that eluded detection by Microsoft were dispatched from compromised accounts. The most common type of payload is phishing links to websites (45%), an increase from 35% in 2022, with all payloads bypassing signature-based detection to some degree.

Jack Chapman concludes: “We produced this report to equip cybersecurity professionals with insights into advanced attacks, and what we found is that real-time teachable moments really do improve people’s ability to accurately identify phishing emails. Legacy approaches to email security rely heavily on quarantine barring end users from seeing phishing emails, but as our report highlights, phishing emails will inevitably get through. 

“This is one of the reasons why we’ve flipped the quarantine model on its head, adding dynamic banners to neutralise threats within the inbox. These banners are designed to clearly explain the risk in a way that’s easy to understand, timely, and relevant, acting as teachable moments that educate the user. Ultimately, teaching someone to catch a phish is a more sustainable approach for long-term resilience.”

