Being a bad guy on the Internet is a really good business. In more than 90% of cybersecurity incidents, phishing is the root cause of the attack, and during this third week of August phishing attacks were reported against the U.S. elections, in the geopolitical conflict between the U.S., Israel, and Iran, and to cause $60M in corporate losses.

Cross-Site Scripting (XSS) is alive and well, and used in attacks to obfuscate malicious links in phishing emails to redirect users to threat-actor controlled websites. We saw earlier this year that phishing attacks leveraging XSS were on the rise. Now, new scams are using XSS to hide their malicious intent within emails, according to new analysis from cybersecurity vendor INKY. These attacks usually begin with an email stating the victim has won something, as shown below: Source: INKY.

Researchers at Menlo Security warn that a phishing campaign is exploiting Google Drawings to evade security filters. The phishing emails inform the user that their Amazon account has been suspended, instructing them to click on a link in order to update their information and reactivate their account. The phishing page is crafted with Google Drawings, which makes it more likely to fool humans while evading detection by security technologies.

In our increasingly interconnected world, the specter of cybercrime looms larger than ever, casting a shadow over people, businesses, and governments alike. Among the slew of cyber threats bombarding entities daily, phishing attacks are a particularly pernicious menace. With each day, bad actors hone their techniques, leveraging the latest tools and psychological tactics to craft sophisticated phishing campaigns that are clever enough to defy all but the closest scrutiny.

Perimeter solutions such as Secure Email Gateways (SEGs) have long been a cornerstone of email security, historically serving as the primary line of defense against malicious emails entering an organization. Utilizing legacy technology such as signature and reputation-based detection, SEGs have provided pre-delivery intervention by quarantining malicious attacks before they reach the end recipient. Why, then, are 91% of cybersecurity leaders frustrated with their SEGs, and 87% considering a replacement?

This blog looks at the intersection of psychology and email attacks to help guard your business against elaborate deception and adopt actionable strategies to defend your people and assets from manipulative schemes. After reading it, you’ll be better prepared to thwart scams and bolster your organization’s resilience against email-based threats.

You no longer need to pull off a bank heist to pocket millions of dollars. Taking advantage of an email breach is easier for attackers and allows them to use your infrastructure’s weaknesses to demand ransom, steal personal information, or perform other fraudulent activities.

According to the FBI, billions of dollars have been lost through Business Email Compromise (BEC) attacks in recent years, so you may well think that there is little in the way of good news. However, it has been revealed this week that police managed to recover more than US $40 million snatched in a recent BEC heist just two days after being told about it.

A report from Darktrace has found that 62% of phishing emails in the first half of 2024 were able to bypass DMARC verification checks in order to reach users’ inboxes. “Building on the insights from the 2023 End of Year Threat Report, an analysis of malicious emails detected by Darktrace / EMAIL in 2024 underscores the implication that email threats are increasingly capable of circumventing conventional email security tools,” the report says.