Phishing Attacks – It is in the numbers. (pt 6)

I think we have established two key points in the previous articles of this Back-to-Basics Email Phishing Primer:

1 – Threat actors’ primary motivation for sending out phishing emails is financial.

2 – One of the best defences any organisation can put in place against phishing attacks is cyber security awareness training, the training that gives staff their “spidey sense”.

Phishing – Threat actors don’t care who!

If you get a phishing email, most of the time you are not special – sorry. Previously we looked at the major types of email phishing attack, some of which are targeted at specific people, and those targeted attacks can be among the most devastating if they succeed – but generally, you are not special.

For a mass email phishing campaign, the threat actors automatically generate and send out millions of malicious emails, using address lists probably purchased on the Dark Web. A recent attack that aimed to spread ransomware used the subject lines “your document” and “photo of you???”, sent from the innocent-sounding “Jenny Brown” or “Jenny Green”. Opening the attached .zip file and what it contains activates the attack chain and executes the malicious payload. Millions of these emails were sent out by a botnet; however, your (and our) email protection software probably filtered out many of them before they reached your desk. (Gatlan, 2024)
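To show what a defender can do with indicators like these, here is an added example of a simple mail-gateway triage rule, written in Python for this article; it is not code from the original post or from the cited report. The lure subject lines, sender display names and .zip attachment come from the campaign described above; the sender and recipient addresses, the message bodies and the messages themselves are constructed for the example, and the two-indicator threshold is an assumption. A real rule would draw on the full indicator set from the cited report and on your own gateway logs.

```python
"""Triage raw email messages against the lure indicators of a mass phishing run."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Indicators from the campaign described in the article (Gatlan, 2024): lure
# subject lines, innocent-sounding sender display names, and a .zip attachment
# that carries the payload. Extend these sets from your own mail logs.
LURE_SUBJECTS = {"your document", "photo of you???"}
LURE_DISPLAY_NAMES = {"jenny brown", "jenny green"}


def triage(raw_message: str) -> dict:
    """Parse one raw RFC 5322 message and list which indicators it matches.

    A message is flagged when it matches at least two indicators (assumed
    threshold), so a colleague sending a .zip on its own is not blocked, while
    a lure subject combined with a lure sender name or a zip attachment is.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject!r}")

    display_name, address = parseaddr(str(msg["From"] or ""))
    if display_name.strip().lower() in LURE_DISPLAY_NAMES:
        reasons.append(f"lure sender name: {display_name!r} <{address}>")

    # iter_attachments() yields nothing for a plain single-part message.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(".zip") or part.get_content_type() == "application/zip":
            reasons.append(f"zip attachment: {filename or '(unnamed)'}")

    return {"subject": str(msg["Subject"]), "reasons": reasons, "flagged": len(reasons) >= 2}


def _make_sample(sender: str, subject: str, body: str, zip_name: Optional[str]) -> str:
    """Build one constructed sample message and return it as raw text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.org"  # hypothetical recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_name:
        # A stand-in archive: only the ZIP local-file-header magic bytes, no real payload.
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26,
                           maintype="application", subtype="zip", filename=zip_name)
    return msg.as_string()


def build_samples() -> list:
    """Constructed sample messages modelled on the reported lures (not captured mail)."""
    return [
        # Lure subject + lure sender name + zip attachment: three indicators.
        _make_sample("Jenny Green <jenny.green@example.com>", "photo of you???",
                     "see attached", "photo.zip"),
        # Lure subject + lure sender name, no attachment: two indicators.
        _make_sample("Jenny Brown <jbrown@example.com>", "your document",
                     "please review", None),
        # Legitimate-looking internal mail with a zip: one indicator only.
        _make_sample("Pat Lee <pat.lee@example.org>", "Q3 figures",
                     "zipped spreadsheets attached", "q3-figures.zip"),
    ]


if __name__ == "__main__":
    for raw in build_samples():
        result = triage(raw)
        verdict = "FLAG" if result["flagged"] else "pass"
        print(f"{verdict:4} {result['subject']!r}: {', '.join(result['reasons']) or 'no indicators'}")
```

Run it as a script and it prints a verdict per sample; the first two constructed messages are flagged and the third passes. The threshold matters: matching on the .zip alone would block every colleague who zips up a report, while matching on the subject line alone is trivially evaded by changing a word, so the rule asks for two independent lure characteristics before it fires.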


Why millions?

It is a numbers game. The threat actors are looking for the member of staff who is under stress and having a bad day, who will open an email with a convincing subject line. They are looking for the new member of your team, or the senior manager who had a “good excuse”, neither of whom has been on the Cyber Security Awareness Training. They hope the email lands with Jenny Green’s girlfriend, who wonders exactly what pictures she has sent her! I could go on, but you get the idea. Millions are sent for the few who will click.

Make sure it is not a member of your team that clicks when they should delete.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

Gatlan, S. (2024). Botnet sent millions of emails in LockBit Black ransomware campaign. BleepingComputer. https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign

Further Reading

Phishing Primer – Social Engineering (pt. 1)

Phishing Primer – Social Engineering (pt. 2)

The Phishing Email and AI (pt. 3)

Phishing Primer – Phishing Types (pt. 4)

Email phishing needs bait… (pt 5)

Photo by Black ice