Share This:

AI BECCybercriminals are quickly latching on to new technology and strategies to improve the success rates of their social engineering-based email attacks. In the latest Barracuda Email Threats and Trends report, the company found that although traditional email scams like phishing are still the primary type of attack, there has been a rise in more targeted methods like business email compromise (BEC) and the use of new technologies like QR codes, link shortening services, and artificial intelligence (AI) to tailor these attacks and improve their success rates.

Technology alone can’t stop social engineering attacks

Social engineering-based attacks, including BEC and conversation hijacking, can be highly lucrative and effective when successful. However, they are difficult to guard against because technology alone can’t identify and stop them. Employees remain the weak link in these attacks. Therefore, organizations must invest adequately in training, awareness, and intelligent security tools to help them spot unusual email behavior and messaging.

According to the data, BEC attacks comprised 10.6 percent of social engineering attacks in 2023, steadily increasing over the past three years. A related type of attack, conversation hijacking, rose from 0.3 percent in 2022 to 0.5 percent in 2023. While still a small number, that represents an increase in frequency of almost 70 percent.

According to the Barracuda report, conversation hijacking (or vendor impersonation) is “a targeted email attack where cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts or other sources.” Criminals often execute this type of attack as part of an account takeover using stolen credentials, gaining access to better understand business operations and gather information that allows them to craft more convincing messages for social engineering attacks.

BEC involves a cybercriminal impersonating a specific individual (typically an executive) and then tricking employees into transferring money, donating to bogus charities, or sharing sensitive information or credentials.

Varying types of content are used to disguise attacks

Criminals also use different types of content to disguise their attacks. There has been a rise in quick response (QR) barcodes. These attacks increased in 2023 and are difficult to detect using traditional security and email filtering solutions because those systems can’t follow the link embedded in the QR code. The codes also typically require employees to use their personal phones to complete the scan, which pulls them away from their more secure work devices, making it easier to trick them into visiting malicious websites or downloading malware.

From October through December 2023, Barracuda researchers found that approximately one in 20 mailboxes was targeted with malicious QR codes. Attackers have also turned to commercial URL shortening services to embed malicious links in phishing emails. These disguised links are difficult to detect. Cybercriminals used the link-shortening service bit.ly in nearly 40% of social engineering attacks that included a shortened URL to conceal the link destination.

Generative AI solutions are also compounding the danger of social engineering attacks. Using AI tools, attackers can automate content generation for phishing, spear phishing, and BEC attacks and create convincing, personalized, and contextually relevant messages. These tools can also make it easier to spoof email addresses and websites.

Best practices to protect against social engineering attacks

In the report, Barracuda recommends several best practices to help managed service providers (MSPs) and their clients protect themselves against these more complex and sophisticated social engineering attacks.

  • Invest in multilayered email security. Properly configure spam and malware filters to block malicious content, and regularly perform a health check on the email gateway. You should also supplement gateways with AI-based cloud email security technology to analyze email for unusual activity and content. While criminals use generative AI to enhance their effectiveness, security teams can leverage AI-based detection to keep pace with new threats.
  • Secure user access with multifactor authentication (MFA) and zero-trust approaches. These strategies provide protection beyond simple passwords by verifying and only allowing users with the proper credentials to access data, applications, and networks, regardless of their location. This strategy can also help minimize the damage from stolen credentials, as it limits attackers to the access privileges of their chosen victims.
  • Deploy an automated incident response solution. This helps save critical time when a breach occurs, rapidly initiating mitigation processes without human intervention.
  • Provide regular cybersecurity awareness training. As mentioned, users are the weakest link in the security environment. Train and update employees regularly on how to spot current threats, recognize social engineering attacks, and quickly report suspicious emails. Phishing simulations can help identify gaps and training opportunities.
  • Invest in backup and recovery. To prevent data loss and lengthy disruptions, back up all data securely and ensure quick recovery. Companies should test these solutions regularly and conduct drills to ensure stakeholders know what steps to take to avoid data loss.

Combining social engineering attacks like BEC with QR codes, shortened link services, and generative AI is a potent emerging threat. For MSPs, keeping client data and networks safe will require leveraging advanced technologies against these attacks and doing the necessary work to ensure employees are properly trained to identify these increasingly sophisticated schemes.

This article was originally published at Managed Services Journal.

Photo: Monster Ztudio / Shutterstock


Share This:
Olesia Klevchuk

Posted by Olesia Klevchuk

Olesia Klevchuk is a Senior Product Marketing Manager for email security at Barracuda Networks. In her role, she focuses on defining how organizations can protect themselves against advanced email threats, spear phishing and account takeover. Prior to Barracuda, Olesia worked in email security, brand protection, and IT research.

Leave a reply

Your email address will not be published. Required fields are marked *