Barracuda Report: Business Email Compromise a Growing Email Threat

Business email compromise attacks now account for 1 in 10 email-based attacks and conversation hijacking is on the rise, according to a new report by Barracuda Networks, Inc., a trusted partner and leading provider of cloud-first security solutions.

Taking in 69 million attacks across 4.5 million mailboxes over a year, Barracuda’s report Email Threats and Trends, Vol. 1, reveals how cybercriminals are adapting their tactics and taking advantage of the ways generative AI can help them scale their attacks, bypass traditional security measures, and target and trick potential victims.

The report shows how despite being a resource-intensive approach for attackers, conversation hijacking attacks made up 0.5% of all social engineering attacks in the past year, an increase of almost 70% compared to 0.3% in 2022. Conversation hijacking attacks require a lot of effort to execute, but the payouts can be significant.

The report also shows that business email compromise (BEC) attacks have steadily increased over time, accounting for 8% of all social engineering attacks in 2022, rising to 10.6% (1 in 10) in 2023.

The report also shows that:

• Around 1 in 20 mailboxes were targeted with QR code attacks in the last quarter of 2023. QR code attacks are difficult to detect using traditional email filtering methods. They also take victims away from corporate machines and force them to use a personal device, such as a phone or iPad, which isn’t protected by corporate security software.
• Gmail was the most popular free webmail service used for social engineering. In 2023, Gmail accounted for 22% of the domains used for social engineering attacks, according to Barracuda’s data. Just over half the detected Gmail attacks were used for BEC attacks.
• bit.ly was used in nearly 40% of social engineering attacks that include a shortened URL. URL shorteners condense the link, so the actual link of the site becomes obscured with random letters or numbers. Using this tactic can disguise the true nature and destination of the link.

“IT and security professionals need to stay focused on the evolution of email threats and what this means for security measures and incident response,” said Sheila Hara, Sr. Director of Product Management at Barracuda.

“This involves understanding how attackers can leverage generative AI to advance and scale their activities, and the latest tactics they’re using to make it past security controls. The best defence is AI-powered cloud email security technology that can adapt quickly to a changing landscape and doesn’t solely rely on looking for malicious links or attachments.”