
Beware of fake CEOs: Report warns against rising phishing scams

Almost 8 out of 10 BECs involved fake CEO emails, according to Trellix’s latest ‘The Threat Report: February 2023’

Fake CEO emails are on the rise and are driving an increase in business email compromise (BEC), according to a recent industry report.

Trellix’s latest ‘The Threat Report: February 2023’ from its Advanced Research Centre revealed that 78 percent of BECs involved fake CEO emails using common CEO phrases, resulting in a 64 percent increase from Q3 to Q4 2022.

The tactics included asking employees to verify their direct phone number in order to carry out a voice-phishing, or vishing, scheme. As for delivery, 82 percent of these emails were sent via free email services, meaning that attackers did not require any specialised infrastructure to carry out their campaigns.

The report examines cybersecurity trends from the final quarter of 2022 and is based on telemetry collected from Trellix’s extensive network of endpoint protection installs, as well as data gathered from open and closed source intelligence reports.

Trellix’s Head of Threat Intelligence, John Fokker, stated that Q4 saw malicious actors pushing the limits of attack vectors, with grey zone conflict and hacktivism leading to an increase in cyber as statecraft, as well as a rise in activity on threat actor leak sites. “As the economic climate changes, organisations need to make the most effective security out of scarce resources,” he said.

Increasing ransomware and nation-state backed attacks

The report also revealed that critical infrastructure sectors experienced the most significant impact from cyber-attacks, with 69 percent of detected malicious activity linked to APT actors sponsored by nation-states. Transportation and shipping were the sectors most targeted, followed by energy, oil, and gas.

According to Trellix’s telemetry, ransomware actors targeted finance and healthcare sectors the most, while malicious email attacks were primarily aimed at telecom, government, and finance sectors.

Attacks on cloud infrastructure are also increasing. The report found that AWS recorded the highest number of threat detections, likely due to its significant market share.

Lastly, Trellix highlighted that LockBit 3.0 has the most aggressive ransom demands. LockBit is no longer the most active ransomware group as per Trellix’s telemetry, with the Cuba and Hive ransomware families generating more detections in Q4. However, LockBit’s cybercriminal organisation reported the most victims on its leak site, making it the most aggressive in pressuring its targets to comply with ransom demands.

“As threat landscape complexity progresses, so will our research. Our mission will remain wholly focused on delivering actionable intelligence to our stakeholders to ensure they can protect what matters most,” said Vibin Shaju, VP Solutions Engineering, EMEA at Trellix.

“But organisations need to do their part too. To effectively defend against these evolving threats, regional enterprises need an adaptable and responsive defense strategy and strong cybersecurity governance that starts at the board of directors.”