If it looks like your inbox has more email phishing than ever, there’s a good reason for that. Cofense released its “2023 Annual State of Email Security Report,” a study of last year’s email phishing trends. The report found a walloping 569% spike in these phishing threats to organizations globally, along with other eye-opening results.

According to our government’s CISA (Cybersecurity and Infrastructure Security Agency), email phishing is by far the chosen delivery method for more than 90% of cyberattacks, which often bypass basic email security protections.

Credential Theft and BECs Favor Phishing

In its report, Cofense finds a 478% spike in credential phishing, where hackers send emails that appear to be from a trusted source but aim to steal employee credentials. The hijacked credentials can be used as a launch pad for additional attacks within an organization, with the ultimate goal being something only the attacker knows for sure.

Cofense reports BEC (business email compromise) attacks increased for the eighth year in a row, up 81% last year according to Abnormal Security. Big money is what BECs are after, and the FBI estimates organizations in the US lost over $2.7 billion to them last year. The emails look like they’re from a company leader or higher-up, and they target employees who make wire transfers. The message directs the employee to urgently send a large transfer to an account that’s hacker-controlled.

Don’t Feed the Phish

Since employees of all levels are typically the first line of defense against email phishing, a cyber-smart staffer can spot the red flags before it’s too late. Below are tips to help stop a phishing attack before it starts.

  • Carefully check the sender email address and URL. Scammers spell them with slight differences to trick you into thinking they’re legitimate. Think a number 1 instead of a lower-case “l.”
  • Any email pushing you to act quickly is a red flag. Hackers urge you to act fast, hoping you don’t take the time to think before doing their bidding.
  • Always use two-factor authentication (2FA) or multi-factor authentication (MFA) for all accounts offering it. 2FA provides an extra layer of identity verification, keeping hackers from accessing accounts that aren’t theirs.
  • Verify all requests involving monetary payments and transfers directly with the person requesting them, as well as any change in account information or payment process.
  • Never open attachments or follow links in emails sent by those you don’t know or trust, including any emails forwarded to you. Links can lead to phishing websites, and attachments can install malware.
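The first tip, checking the sender address for look-alike spellings, can also be automated on the mail-filtering side. The sketch below is an added example, not part of the Cofense report or the original article; the trusted-domain list, the substitution table, the sample headers and the function names are all constructed for illustration.

```python
from email.utils import parseaddr
from typing import Optional, Tuple

# Assumption: domains this organisation really corresponds with (constructed list).
TRUSTED_DOMAINS = {"paypal.com", "example.com", "microsoft.com"}
# Look-alike substitutions, multi-character pairs first (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Fold characters that look alike so 'paypa1.com' and 'paypal.com' compare equal."""
    folded = domain.lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched or imitated domain)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Not the real spelling, yet identical or one typo away after folding.
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return ("lookalike", trusted)
    return ("unknown", None)


# Constructed sample From: headers.
SAMPLES = [
    "PayPal Support <service@paypa1.com>",
    "IT Helpdesk <it@rnicrosoft.com>",
    "Billing <billing@paypal.com>",
    "Newsletter <news@unrelated.org>",
]

if __name__ == "__main__":
    print(*(f"{h} -> {check_sender(h)}" for h in SAMPLES), sep="\n")
```

A "trusted" result only means the domain is spelled correctly; it does not show the message actually came from that domain. The one-typo threshold can also flag short legitimate domains, so treat "lookalike" as a prompt for review.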

Cybersecurity threats are always evolving. It’s important to stay aware of the latest trends and how they keep changing to target new victims.