Mid-Year Assessment on The State of Phishing Report Released

SlashNext released its 2024 Mid-Year Assessment on The State of Phishing. This update follows the annual State of Phishing report issued by the SlashNext Threat Labs team in October 2023. The significant rise in phishing attacks reported then led the team to perform a comprehensive six-month analysis to determine if the upward trend continued, particularly as threat actors increasingly use generative AI tools to enhance their phishing, business email compromise (BEC), and other social engineering attacks.

Fueled by AI-generated attacks, the Mid-Year Assessment revealed a 341% increase in malicious phishing link, BEC, QR Code and attachment-based email and multi-channel messaging threats in the last six months alone. This was on top of a staggering 856% increase in malicious email and messaging threats over the prior 12 months. And, since the launch of ChatGPT in November 2022, there has been a 4,151% increase in malicious phishing messages sent.

“Humans have been, and will continue to be, the weakest point in any organization’s security,” said Patrick Harr, CEO, SlashNext. “There is a reason threat actors continue to iterate on tactics like phishing that have been around for decades – they are highly effective. According to Verizon’s 2024 Data Breach Investigations Report, humans are increasingly falling for phishing attacks and it now takes a median time of only 21 seconds for a user to click on a malicious link, and only another 28 seconds to then enter their personal data. We know from our research these attacks are getting a boost from generative AI tools that are readily available. Threat actors are using gen AI to customize messages for their victims, write more convincing messages, and dramatically accelerate the speed and volume of these attacks with little to no added cost.”

In looking at specific threat types, SlashNext Threat Labs found a 217% increase in credential harvesting phishing attacks and a 29% increase in BEC attacks in the last six months. Losses due to BEC attacks exceeded $2.9B in 2023, at an average cost of $137,000 per BEC incident, according to the recent FBI IC3 Report. In addition, mobile phones have emerged as the most utilized and vulnerable communications channel, with 45% of all mobile threats now being reported as SMS smishing attacks.

CAPTCHA-based attacks, particularly using Cloudflare, are also on the rise, and they are being used to mask credential harvesting forms. Attackers are generating thousands of domains and implementing Cloudflare’s CAPTCHAs to hide credential phishing forms from security protocols that are unable to bypass the CAPTCHAs.

“Leveraging legitimate services like Microsoft Sharepoint, AWS, and Salesforce to hide phishing and malware is another favorite tactic employed by threat actors because it preys on users’ trust in these tools,” continued Harr. “In addition to CAPTCHA-based attacks, QR code-based attacks are growing in popularity and now comprise 11% of all malicious emails – often embedded in legitimate infrastructures. The onus should not be on users to identify and avoid sophisticated attacks, especially when the research proves that relying on training and traditional cybersecurity tools is ineffective against modern attack tactics. It’s time to fight AI with AI and implement AI-powered email and messaging security tools that keep malicious messages out of users’ inboxes altogether.”

To counter the growing sophistication of these cyberattacks, the SlashNext advanced gen AI security platform is specifically engineered to identify, anticipate and block complex BEC threats, phishing, and ransomware. Utilizing generative AI, natural language parallel prediction, computer vision, relationship graphs, and contextual analysis, the platform achieves an industry-leading detection rate of 99.99%.

Download the full 2024 Mid-Year Assessment on The State of Phishing report.

About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.