The total volume of phishing emails worldwide has eased this year, but offenders are coming up with more advanced, target-oriented tricks that take advantage of popular social media services such as LinkedIn, a report by a U.S online security firm showed.
The report by Websense said that the proportion of phishing messages in the total email volume shrank to 0.5 percent in 2013, from 1.12 percent last year. But cyber criminals now tend to set specific targets rather than sending out a massive number of emails to unspecified recipients, the security firm said.
The cyber security firm said the criminals are using techniques that utilize social media platforms, known as “social engineering tactics.”
“Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success,” said Carl Leonard, senior security research manager at Websense.
To entice users to open attachments or links enclosed in phishing emails, cyber tricksters use subject lines containing legitimate messages that are hard to be filtered.
Researchers at Websense released the top five subject lines most used in worldwide phishing emails. First on the list was “Invitation to connect on LinkedIn,” a fake email alert from the social networking website.
The list continued with No. 2 “Mail delivery failed: returning message to sender,” followed by “Dear ‘instant bank name’ Customer” and “Comunicazione importante,” while “Undelivered Mail Returned to Sender” came in at No. 5.
The study also identified the top countries hosting phishing URLs. China, which has never been listed on the rankings, came in first this year. The U.S., a long-time top source of malicious links, moved down to second place. Germany took the third spot and the U.K. and Canada were ranked fourth and fifth, respectively.
But the geographic location of the emails is not as important as widely believed in detecting unwanted and malicious messages, since scammers disguise their attacks through many detours and complex routes.
Leonard urged users to implement Web and data protection solutions to avoid such phishing attacks.
“To combat phishing attacks, be sure to adequately prepare yourself with a security solution that can expose advanced threats and alert your security team in real time,” he said.
By Park Han-na (firstname.lastname@example.org