
Phaxttachments Are Latest Spin on Phishing Attacks

Looks like cybercriminals have come up with yet another innovative means to distribute malware. Researchers at Inky, which provides tools to combat phishing attacks, have discovered that cybercriminals are now sending emails that come with fake attachments, known as phaxttachments. When recipients click on the attachment they are actually clicking on a URL that takes them to a fake website where they are prompted to give up their credentials.

Inky CEO Dave Baggett said cybercriminals then use those credentials to compromise a raft of software-as-a-service (SaaS) applications.

Phaxttachments look so much like the real thing that it’s difficult for the average end user to distinguish between a real attachment and a fake one, Baggett said, noting the only way to effectively combat this threat is to rely more on algorithms that have been trained to look for phaxttachments. End user training is not likely to prove very effective at identifying phaxttachments; however, end users should be trained not to give up credentials simply because some website asks for them in order to access a file that appears to have come from a trusted source.
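As an added illustration (not Inky's method or code from the original article), a rule-based check can flag HTML links that are dressed up as a file but have no matching MIME attachment in the same message. It assumes the fake attachment is an `<a>` whose text or image `alt` looks like a filename; the extension list, URL and filename are constructed placeholders.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Labels that look like a document filename (extension list is an assumption).
FILENAME = re.compile(r"[\w.\-]+\.(?:pdf|docx?|xlsx?|pptx?|zip)\b", re.I)

class LinkCollector(HTMLParser):  # gathers (href, label); label = link text + <img alt>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._label = attrs["href"], []
        elif tag == "img" and self._href is not None:
            self._label.append(attrs.get("alt") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label).strip()))
            self._href = None

def find_fake_attachments(raw_message):
    """Return (label, url) for web links posing as a file with no matching MIME part."""
    msg = message_from_string(raw_message, policy=policy.default)
    real = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    hits = []
    for href, label in collector.links:
        m = FILENAME.search(label)
        if m and href.lower().startswith(("http://", "https://")) and m.group(0).lower() not in real:
            hits.append((m.group(0), href))
    return hits

def build_sample(with_real_attachment):  # constructed message, placeholder URL and filename
    m = EmailMessage()
    m.set_content("See attached invoice.")
    m.add_alternative('<a href="https://files.example.invalid/view">'
                      '<img alt="Invoice_0042.pdf"></a>', subtype="html")
    if with_real_attachment:
        m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="Invoice_0042.pdf")
    return m.as_string()
```

A hit is a signal for scoring or quarantine review rather than a verdict, since legitimate file-sharing notifications also link to named files.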

End users are, of course, still the first line of defense against most phishing attacks. However, it’s also apparent that the techniques being employed by cybercriminals continue to evolve. Phishing simulation platforms can help end users spot the most routine types of phishing attacks, but it’s only a matter of time before algorithms capable of spotting these types of attacks become more widely employed.

In the meantime, cybersecurity teams should expect to see phishing attacks continue to be tweaked and adjusted. The U.S. Federal Bureau of Investigation (FBI) recently warned that fake job offers are being used to lure unwary users into giving up sensitive data. More recently, the coronavirus epidemic has become the latest in a series of tragic events exploited to launch phishing attacks that, for example, start with bogus claims of cures.

The FBI in 2019 handled 23,775 complaints of business email compromise (BEC)/email account compromise (EAC) that resulted in adjusted losses of more than $1.7 billion. Out of those 340,000 complaints, a total of 114,702 involved some form of phishing, vishing, smishing or pharming attack. Of course, that only represents a fraction of the attempts because most phishing attacks go unreported.

From a cybercriminal perspective, phishing attacks that rely on some form of social engineering or psychological manipulation to compromise credentials are simply too easy to pass up. They may need to send out millions of emails to get a few hundred people to click on a link or attachment, but given the cost of sending email, the return on investment (ROI) for phishing is still very much worthwhile. It’s not likely the cost of email is going up anytime soon, so the only effective strategy going forward is to throw more advanced forms of artificial intelligence (AI) at the problem. There may never come a day when AI catches every phishing attack, but it is clear there’s plenty of room for improvement over the current state of email security.

Michael Vizard

Source: https://securityboulevard.com/2020/03/phaxttachments-are-latest-spin-on-phishing-attacks/
