Researchers at VIPRE Security observed a 276% increase in malware delivered by phishing between Q1 and Q4 of 2023. “Last year, our YARA rules caught between one and two million generic malware instances each quarter, with a nearly 20% jump in Q4,” VIPRE’s report says.

I recently read an article about a bright, sophisticated woman who fell victim to an unbelievable scam. By unbelievable, I mean most people reading or hearing about it could not believe it was successful. A group posing as an Amazon employee and various U.S. law enforcement agencies were able to convince a woman to take $50,000 out of her bank account in cash and hand it off to a complete stranger in the streets. It is a wild story and most of us would not be tricked into doing what happened to her.

Ten years ago, Congress passed the "CAN-SPAM Act" (also known as theYou-CAN-SPAM Act, since it defined legal spam and supersedes any stricter state-antispam laws). One of the provisions of the act is that there must be a legitimate physical address in the email. Spammers have long tried different tactics to get around this.

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group. The team found Tycoon Group during a regular investigation into a phishing incident, and its distinctive method of communication to its phishing server convinced the team to further explore this active PaaS operation.

Numerous state-sponsored threat actors frequently launched spear phishing attacks against European Union entities last year, according to a new report from the EU’s Emergency Response Team (CERT-EU). “In 2023, spear phishing remained the predominant initial access method for state-sponsored and cybercrime groups seeking to infiltrate target networks,” the report says.

A phishing campaign is attempting to trick users into downloading remote monitoring and management (RMM) software like AnyDesk, Atera, and Splashtop, according to researchers at Malwarebytes. While these tools are legitimate, they can be exploited by threat actors to carry out many of the same functions as malware. These tools may also be less likely to be flagged as malicious by antivirus software.

Researchers at Volexity warn that the suspected Iranian threat actor CharmingCypress (also known as “Charming Kitten” or “APT42”) has been launching spear phishing attacks against Middle Eastern policy experts. “Throughout 2023, Volexity observed a wide range of spear-phishing activity conducted by CharmingCypress,” the researchers write.

1. Personalization: AI algorithms can analyze large amounts of data scraped from social media, public databases, or leaked information to create highly personalized phishing emails. These emails may contain accurate details about the target’s interests, job positions, or recent activities, making them more convincing.

Today’s BEC attacks are more nuanced, more accessible, less technically demanding, and consequently, more dangerous than ever before. In our report, 2023 BEC Trends, Targets, and Changes in Techniques, we take a hard look at the anatomy of Business Email Compromise (BEC) attacks today and the lures that are drawing users to the bait in record numbers.