Corporate end-users should be on high alert for phishing attacks in the final quarter of the year as this is when most malicious emails are likely to land, according to new research from Tessian.
The email security vendor analyzed four billion messages sent between July 2020 and July 2021 to compile its Spear Phishing Threat Landscape 2021 report.
It found 45% more malicious emails sent in October, November and December 2020 than in the previous quarter. That’s perhaps not surprising given the number of opportunities for threat actors at the end of the year to capitalize on current events.
November 2020 saw the most significant spike, with around 90,000 malicious emails detected in the week of the Black Friday sales.
Overall, employee inboxes received 14 malicious emails per year, rising dramatically to 49 on average in the retail sector, 31 in manufacturing, and 22 in the food and drink industry. Employees working in research and development received 16, and those with tech roles received 14.
Organizations don’t just need to keep an eye out for phishing and scam emails in the fourth quarter; they should also train staff to be watchful at specific hours of the day.
The report revealed that malicious emails are typically delivered around 2 pm and 6 pm, perhaps trying to hit inboxes when employees are at their most distracted — just after lunch and at the end of the day.
The most common tactics detected by Tessian were impersonation techniques like display name spoofing (19%), as well as domain impersonation (11%) and account takeover (2%).
The most spoofed brands over the year were Microsoft, ADP, Amazon, Adobe Sign and Zoom.
Tessian CISO, Josh Yavor, argued that staff training alone is not enough to mitigate the threat from malicious emails.
“Gone are the days of the bulk spam and phishing attacks, and here to stay is the highly targeted spear-phishing email. Why? Because they reap the biggest rewards,” he added.
“Cyber-criminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as the last line of defense. Businesses need a more advanced approach to email security to stop the threats that are getting through because it’s not enough to rely on your people 100% of the time.”