A study conducted by Agari and PhishLabs found a fivefold increase in attempted vishing attacks from early 2021 to Q1 of 2022.
The number of voice phishing or vishing cases has increased by a whopping 550% in the past 12 months alone, according to the Quarterly Threat Trends and Intelligence Report co-authored by Agari and PhishLabs. In March 2022, the number of vishing attacks experienced by organizations reached the highest level ever reported, surpassing the previous record set in September 2021.
As part of the research, the two companies “detected and mitigated hundreds of thousands of phishing, social media, email and dark web threats targeting a wide variety of businesses and brands.”
“Hybrid vishing campaigns continue to generate astonishing numbers, accounting for 26.1% of total volume share so far in 2022,” said John LaCour, chief strategist at HelpSystems. “We are seeing an increase in the number of threats moving away from standard voice phishing campaigns to initiating malicious email attacks in multiple phases. In these campaigns, actors use a callback number in the body of the email as a lure, then rely on social engineering and impersonation to trick the victim into calling and communicating with a fake rep.”
Why Vishing Is Getting More Popular
According to the report, vishing attacks have overtaken business email compromise (BEC) as the second most-reported response-based email threat since the third quarter of 2021. The growing number of hybrid vishing attacks identified in the report shows that cybercriminals increasingly rely on multiple attack vectors in their campaigns.
The number of malicious emails reaching individuals’ inboxes also continues to increase quarter-on-quarter, after a brief dip in the last quarter of 2021. This rise in the rate at which employees receive malicious emails indicates a growing need for employee training, as such emails can still avoid the spam folder and end up in a user’s inbox.
Types of Malicious Emails Received
According to the study, emails considered potentially harmful by employees rose to 18.3% between 2021 and 2022.
These malicious emails are categorized by percentage into the following threat vectors:
- Attempted theft of credentials (58.7%)
- Response-based attacks (37.5%)
- Malware delivery attempts (3.7%)
Eighty percent of credential theft attempts were delivered via a phishing link, while 20% reached the inbox via an email attachment. Credential theft is the top threat to employees every quarter, according to the study, and should be a priority for staff to identify, avoid and report to security teams.
Vishing fell under the umbrella of response-based attacks, second only to 419 (Nigerian Prince) scams. These 419 attacks made up the majority of reported response-based schemes, at 54.1% of malicious emails received, and BEC ranked third behind vishing attempts, at 12.8% of emails received.
In terms of malware delivery, Qbot malware was dominant in the category, accounting for 75% of all activity in this sector in the first quarter of 2022. This represents a 15.1% increase in this type of attack.
“As the variety of digital channels organizations use to operate and communicate with consumers expands, attackers are presented with multiple vectors to exploit their victims,” said LaCour. “Most attack campaigns are not built from scratch; they are based on reshaping traditional tactics and integrating multiple platforms. Therefore, to stay safe, it is no longer effective for organizations to look only within the network perimeter. They also need to understand a variety of external channels to proactively gather intelligence and monitor for threats.”