Twenty-three years ago, a Filipino computer science student realized he could no longer afford to pay for internet access. But Onel de Guzman was not one to give up. A year earlier, he had laid out a password-stealing scheme in his thesis proposal at AMA College. The school rejected it, but Guzman was determined not to let his efforts go to waste. He put his proposal into practice, building the computer worm, which he dubbed ILOVEYOU, to steal other internet users' passwords and use their accounts without paying for access.
Guzman initially designed the bug to only work in Manila, where he lived. However, upon seeing how successful his worm was, curiosity got the better of him. Guzman lifted the bug's geographical restrictions. Chaos ensued. In just ten days, Guzman's worm had infected 45 million Windows computers and caused $10 billion in damages. Guzman, just 24 years old, had inadvertently created the world's first phishing email.
Nearly a quarter of a century later, the world has largely forgotten Onel de Guzman. When he created the worm, the Philippines had no law prohibiting malware creation, and Guzman miraculously avoided prosecution. But Guzman's actions echo throughout history; in the second quarter of 2023 alone, VIPRE Security Group detected over 230 million malicious emails.
Today, malicious emails plague the internet. From the most powerful multinationals to normal social media users, email threats can – and will – tarnish reputations and drain bank accounts. To effectively combat email threats, we must understand the landscape. VIPRE's Q2 Email Threat Report helps us do just that.
Who is being attacked?
While Guzman's attack was indiscriminate, cybercriminals today have favorite targets. In Q2 2023, Information Technology (IT) organizations received by far the most phishing emails, followed by government entities (21%), educational institutions (11%), the financial sector (9%), healthcare organizations (9%), and construction companies (4%).
Interestingly, cybercriminals targeted the financial sector most often in Q1 2023. Attacks on healthcare organizations also fell significantly from Q1 to Q2. This fall is likely because the financial and healthcare sectors, in the wake of a tough quarter, have upped their defenses against phishing attacks. Hackers have likely switched to targeting government agencies because they are notorious for having poor cybersecurity, handling an extraordinary amount of sensitive data, and it's relatively easy to discover what defenses they have in place.
What techniques do attackers use?
A staggering majority (85%) of phishing emails utilize malicious links embedded in an email's content, while only 15% hide them in attachments. Most modern internet users know the dangers of opening attachments; Guzman hid his Love Bug in a spoof attachment. It's a technique as old as email threats themselves, and users are wise to it, so cybercriminals avoid using it. However, malicious links in an email's content are more challenging to detect. Smart social engineering tactics can fool even the savviest users into clicking a spoof link. Hyper-responsive touch screens also make clicking a link embedded in text by mistake a distinct possibility.
While Guzman played on emotional weaknesses, disguising his malicious attachment as a love letter, modern cybercriminals use a more advanced, sophisticated approach, where they impersonate trusted brands. In Q1 2023, cybercriminals impersonated Microsoft most often, followed by DHL, WeTransfer, and Apple. In Q2, Microsoft still reigned supreme, with Apple, DocuSign, and SpareBank replacing the runners-up.
What are the new attack techniques to watch out for?
Twenty-three years on from the first phishing email, cybercriminals continue to innovate. In June 2023, VIPRE AV Labs discovered that cybercriminals had begun to use QR codes for phishing unsuspecting victims.
VIPRE also discovered a new malspam campaign containing a ".docx" attachment which, in turn, contained a malicious external resource page that was called when the user opened the file. The campaign exploits the CVE-2022-30190, or "Follina," vulnerability to facilitate remote code execution (RCE) on the victim's system by leveraging the Microsoft Support Diagnostic Tool (MSDT).
What about business email compromise (BEC)?
VIPRE classified 48% of scam emails in 2023 as BEC scams. BEC scams attempt to fool users into transferring money with social engineering techniques and typically impersonate a high-level executive. According to VIPRE, BEC scams tripled from Q1 to Q2 2023.
Commonly used BEC phrases include:
- "Complete an assignment for me."
- "Swift email response"
- "Confidential"
Commonly spoofed senders include examples like:
And commonly used domains are those from free email services, such as:
- Gmail.com
- Outlook.com
- Yahoo.com
The legacy of the ILOVEYOU worm continues reverberating through the digital landscape. While Guzman's actions went largely unpunished due to the absence of specific laws at that time, his inadvertent creation of the first phishing email set a precedent for cybercriminals to exploit vulnerabilities in email systems.
Today, malicious emails have become a pervasive threat, targeting various sectors, with IT organizations being the primary victims in Q2 2023, followed by government entities and educational institutions. Cybercriminals' tactics have evolved, with most relying on malicious links in email content to deceive users. These attacks often impersonate trusted brands to increase their chances of success.
As cybercriminals continue to innovate, new attack techniques emerge, such as using QR codes for phishing and exploiting vulnerabilities like CVE-2022-30190. The constant evolution of email threats demands heightened awareness and robust defenses from individuals and organizations alike.
Understanding the email threat landscape is crucial for combating these attacks effectively. Through vigilance, education, and improved cybersecurity measures, we can work towards mitigating the impact of malicious emails and protecting our digital identities and assets in an ever-changing cyber world.
---
About the Author: Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
