Mass email threats and targeted email threats were the subject of a recent presentation from global cybersecurity firm Kaspersky. In the presentation, researchers shared insights gleaned from analyzing more than 197 million spam messages that were blocked by the firm’s filters in 2024.

Trends the firm’s researchers call worrying include a 26 per cent increase in the number of phishing attempts observed. They also say that one in every two corporate emails is spam, a problem even if the emails aren’t malicious, as it takes employees time to navigate the onslaught.

The presentation then split into a discussion of mass and targeted email threats. “Mass email threats are mostly scam, phishing and malicious messages. Such emails are universal and intended for any person or company who had the misfortune to get on the fraudster’s mailing list. Targeted email threats, by definition, are aimed at certain organizations and hence, can be more complicated,” says spam analyst Anna Lazaricheva.

In a discussion about the technologies available (Kaspersky was selling its own solutions), the presenters say that in real life they see companies misunderstand what the various technologies do and fail to use them properly. “That’s why attacks actually succeed, leading to account compromise, data leaks and even worse situations. That’s why understanding the threats and matching them with the right technologies is key,” adds senior product manager Alexander Rumyantsev.

Lazaricheva calls the scam category of messages particularly interesting, as scammers are always inventing new methods and tools in an effort to bypass different protection solutions. The extortion-style email examples provided mimicked job offers from human resources organizations, login requests from electricity providers and others. The presenters add that “sextortion” is the most popular form of blackmail, warning targeted recipients that criminal charges may be pending against them for sending or receiving prohibited materials. To deny the charges, victims are asked for their information and a “fine” to avoid criminal proceedings.

Threats and conclusions

Among the lessons taught in the webinar, Kaspersky’s researchers say simply paying attention to certain details and being aware of what social engineering is can help to avoid most threats. “Pay close attention,” says product launch manager, Sergey Zarovny. “The attention of you and your employees is very, very important.”

Malicious emails are beginning to appear that require the victim to enter a password, often included in the legitimate-looking email itself, to download malicious content. Complicating this, the emails can look like they come from business partners, and can include real correspondence that has been lifted so the message appears legitimate. Other malicious links and attachments can come disguised as invoices, commercial offers, supply orders, tenders, schedules, court notices and other documents.

Targeted email threats, meanwhile, will often use some form of spoofing, where the sender’s name appears legitimate, while the underlying email is not. They say spoofing is widely used in business email compromise attacks. Attackers are also known to spoof organizations’ real domain addresses to trick end users.
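The two spoofing styles described above (a legitimate-looking sender name over an unrelated address, and a forged copy of the organization's real domain) can be checked from message headers. The following Python sketch is an added example, not material from the presentation; the domains, the `authserv_id` value and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoof_signals(raw: str, own_domains: set[str], authserv_id: str) -> list[str]:
    """Return header-level signs of sender spoofing for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    signals = []
    # 1. Display name mentions one of our domains, but the address is elsewhere.
    if from_dom not in own_domains and any(d in name.lower() for d in own_domains):
        signals.append("display-name-impersonates-own-domain")
    # 2. Replies are steered to a different domain than the visible sender.
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-domain-mismatch")
    # 3. Our real domain in From, but no DMARC pass recorded by OUR gateway.
    #    Only Authentication-Results stamped with our own authserv-id count;
    #    a sender can attach forged copies of this header.
    if from_dom in own_domains:
        ours = [h for h in msg.get_all("Authentication-Results", [])
                if h.split(";", 1)[0].strip().lower() == authserv_id]
        if not any(re.search(r"\bdmarc=pass\b", h, re.I) for h in ours):
            signals.append("own-domain-without-dmarc-pass")
    return signals

# Constructed sample messages (all names and domains are placeholders).
SAMPLE_DISPLAY_NAME = (
    'From: "Accounts corp.example" <billing@mail-corp.example.net>\n'
    "Reply-To: payments@other.example.org\n"
    "Subject: Invoice\n\nbody\n")
SAMPLE_REAL_DOMAIN = (
    "Authentication-Results: forged.example; dmarc=pass header.from=corp.example\n"
    "Authentication-Results: mx.corp.example; dmarc=fail header.from=corp.example\n"
    'From: "CFO" <cfo@corp.example>\n'
    "Subject: Urgent\n\nbody\n")
```
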

Finally, QR codes were also discussed. The presenters noted that these often arrive as image files, but are increasingly being embedded within PDF documents to make them less accessible to, and more challenging for, protection systems.

Even if you receive an email from a supposedly trusted source, Zarovny says, someone you may know personally, “it’s still a great idea, it’s actually essential, to take a step back and examine the messages carefully. Because in today’s world where we receive 10s or even hundreds of messages a day and we rush to complete the next task, we can easily skip through all the little details and fall victim to the attack.”

In 2024 the firm observed the rise of emails delivering malicious SVG (Scalable Vector Graphics) files disguised as images, which deliver scripts to install malware on victims’ devices, resulting in redirects to bogus login pages which can give attackers access to credentials. In another case, attackers presented an SVG attachment as a document which required review and a signature.

Also in 2024, the company discovered a phishing email scheme which leveraged legitimate Facebook notifications. Hackers in this case renamed compromised Facebook accounts and changed pictures to something official and alarming-looking (an orange exclamation point in this example), before creating posts that would warn victims about impending account bans. The means presented for disputing the ban would in turn harvest that user’s credentials as well. The tactic has been used particularly effectively against those managing Facebook business accounts.

“A sense of urgency is the tool of cyber criminals,” Zarovny says. “They often make you act quickly, but you should always take a deep breath and actually examine the message you’re receiving.”