Conversation hijacking attacks, which are typically a precursor to business email compromise (BEC), grew by triple-digits year-on-year in 2021, according to new data from Barracuda Networks.
The security vendor’s latest Spear Phishing: Top Threats and Trends report was compiled from an analysis of millions of emails across thousands of global business customers between January and December 2021.
It revealed a 270% increase in conversation hijacking, also known as vendor impersonation, in which threat actors insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered.
It begins with a phishing attack to steal logins and hijack a corporate email account. The hacker then spends time reading through the emails in the compromised inbox and watching new messages come in.
During this time, they’re piecing together a picture of business operations, payment processes, partners and customers, which is then leveraged to send fake invoice and wire transfer requests to key individuals.
That’s one of the most effective ways of launching a BEC attack, although it requires significantly more effort.
This is why conversation hijacking accounted for less than 1% of social engineering attacks in 2021.
“However, even in small numbers they can be devastating for organizations,” Barracuda warned.
“The overall volume of conversation hijacking has been growing over the years, and their popularity among hackers doubled in 2021. This is not surprising because while these attacks require a lot of effort from hackers to set up, the payout can be significant.”
BEC attacks remained unchanged from 2020, accounting for around 9% of social engineering attempts, with phishing (51%) and scamming (37%) comprising the most significant number.
Barracuda also revealed that employees from small businesses are far more likely to encounter social engineering.
The average employee of a business with less than 100 employees will experience 350% more attacks than an employee of a larger enterprise, it claimed.