The latest email threat landscape report from cybersecurity solutions provider Fortra identifies how stolen personal data is being leveraged to curate very detailed email attacks. Almost all these attacks are social engineering or phishing attacks, often across multiple channels, with the misuse of legitimate tools adding to the obfuscation targeted victims must contend with.
Fortra analyzed data from more than 1 million email threats received by corporate users in 2024 to inform the report, which identifies trends and makes predictions. Although the situation is undoubtedly concerning now, Fortra believes that Generative AI (Gen AI) will only make the threat landscape more difficult to navigate.
Attackers are Adapting
The first trend Fortra identified was that virtually all the threats it saw – 99% of email threats reaching corporate user inboxes in 2024 – could be categorized as either response-based social engineering attacks or phishing attacks that didn’t deliver malware.
Fortra attributes the dominance of these methodologies in the report to the rise in the organizational deployment of pre-delivery security processes like anti-malware scanning and sandboxing. These processes combat malware-laden emails but are ineffective against social engineering and credential theft attacks, which don’t have payloads.
Taking a closer look at the specifics of the attacks, the report found hybrid vishing to be the most prevalent response-based attack observed, closely followed by 419 and business email compromise (BEC) scams. In relation to phishing, a third of attacks were docuphishing attacks.
Having these methods as the main type of attack is interesting because, in both approaches, targets are required to take an extra step, either by opening an attachment or disclosing information. So, how are bad actors managing to elicit this information?
Shaping the Narrative
The report notes that over 1 billion records were breached in 2024 and that cyber-criminals are exploiting the plethora of stolen data to curate convincing narratives for their attacks. Fortra observed how attackers combine illegally obtained personal information from the dark web, such as a user’s address, with publicly available information, such as images of the user’s property sourced from Google Maps.
Combining this sensitive information goes a long way toward legitimizing a scammer’s script and, in extortion attempts, can magnify the sense of impending threat and instill fear and urgency to act in the victim.
Misrepresentation
According to the report, abuse cases of legitimate services escalated sharply in 2024, increasing by a staggering 200%. E-signatures were the most abused type of platform, with DocuSign being the service targeted the most frequently for the purpose of sending malicious emails and attachments. Cloudflare was the most targeted provider of free developer tools due to several factors, including free hosting, automatic SSL/TLS encryption providing sites with a perceived legitimacy, and the ability to create custom domains and mask URLs.
Often, what makes these services attractive to bad actors is that they offer a ‘freemium’ component where basic services are offered for free to entice people to upgrade after experiencing the service. With companies keen to make these trusted tools as easily accessible as possible during the trial period, they represent low-hanging fruit for cybercriminals seeking to introduce another layer of authenticity into their attacks.
Changing Channels
As previously stated, hybrid vishing was recorded as the most common response-based scam. This approach merges traditional phishing and scam techniques to bypass human defenses. Multichannel attacks serve to lure victims away from secure email environments. Methods include malicious QR codes and telephone numbers, which are positioned in malicious communications as a call to action, often to provide further information or resolve a fabricated issue.
The report identified that in the fourth quarter of 2024, one in three hybrid vishing attacks impersonated PayPal, an online payment system trusted and frequently used by businesses. It details a typical attack of this nature commencing with an email notifying users of a charge on their account, before directing them to a phone number they can call to cancel the transaction. When the call is made, they are deceived into divulging sensitive financial information.
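Because a message like this carries no attachment or link for a scanner or sandbox to inspect, detection has to key on its content. As an added example (not from the Fortra report or this article), the Python below checks a raw message for the traits described above: a brand named by a sender outside the brand's domain, a charge notice, and a phone number used as the call to action. The brand map, regexes, signal names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed brand -> legitimate sender domains (illustrative, not from the report).
BRANDS = {"paypal": ("paypal.com",)}
CHARGE = re.compile(r"\b(charge[ds]?|transaction|invoice|payment)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CALL_VERB = re.compile(r"\b(call|phone|dial|contact)\b", re.I)
URL = re.compile(r"https?://", re.I)
# Constructed samples; the sender domain and 555-01xx number are fictional.
SUSPECT = """From: "PayPal Billing" <notice@billing-alerts.example>
Subject: Your account was charged $489.99

A charge of $489.99 was applied to your account. If you did not
authorize this transaction, call +1 (800) 555-0142 to cancel it.
"""
GENUINE = """From: "PayPal" <service@paypal.com>
Subject: Receipt for your payment

You sent a payment of $12.00. View the details in your account.
"""

def callback_phish_signals(raw):
    """Return the set of hybrid-vishing signals present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    attached = [p for p in leaves if p.get_content_disposition() == "attachment"]
    text = "\n".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in leaves
                     if p not in attached and p.get_content_maintype() == "text")
    visible = f"{display} {msg.get('Subject', '')} {text}"
    signals = set()
    for brand, legit in BRANDS.items():
        genuine = any(domain == d or domain.endswith("." + d) for d in legit)
        if brand in visible.lower() and not genuine:
            signals.add("brand_mismatch")   # brand named, sender domain is not the brand's
    if CHARGE.search(visible):
        signals.add("charge_notice")        # fabricated billing issue
    for m in PHONE.finditer(text):          # phone number near a call-to-action verb
        if CALL_VERB.search(text[max(0, m.start() - 80):m.end() + 80]):
            signals.add("phone_cta")
    if not attached and not URL.search(text):
        signals.add("no_payload")           # nothing for a sandbox or scanner to detonate
    return signals

def is_hybrid_vishing_candidate(raw):
    return {"brand_mismatch", "charge_notice", "phone_cta"} <= callback_phish_signals(raw)
```

The `no_payload` signal is reported but not required for the verdict; it marks the messages that pre-delivery malware scanning would pass untouched.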
AI Set to Exacerbate the Issue
In the report’s predictions about future threats, a common theme is how Gen AI will only add fuel to the fire. A ‘rising-tide’ effect is forecast for social engineering attacks, where even attackers with limited capabilities will be able to craft convincing emails with nuanced cross-cultural references in multiple languages. Broader adoption of AI voice generation will allow the impersonation of accents, dialects, and mannerisms of prominent individuals – something we have seen with the recent YouTube CEO scam.
In a recent interview, John Wilson, senior fellow and threat researcher at Fortra, set the scene when asked about the trends he expected to see in the phishing space in 2025. He said that he could envisage “complex, highly personalized scenarios such as a deep-fake voicemail from your boss instructing you to be on the lookout for an email from the Help Desk related to an important security update for your home router. The email might contain your home address as well as a link you should click to install malware disguised as a router update.”
AI has the capability to streamline all of the trends highlighted in the report and scale them to increase the attack surface. The report advocates for more detailed security awareness training and a strategic approach to email security where threats are analyzed and disrupted at multiple points in the attack chain. Tactics I’m sure we can all endorse.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex cybersecurity ideas and products.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.