Now, more than ever, users can fall prey to word-perfect AI-created phishing campaigns, subtle BEC messages that sound remarkably like the sender, and highly convincing ploys from trusted vendors with legitimate-looking websites and clean domains, according to VIPRE Security Group.

Spam emails overwhelm inboxes

The report is based on an analysis of 7.2 billion emails globally in 2024.

9 out of 10 emails were categorised as spam – i.e., unsolicited, unwanted emails or those sent with malicious intent. Of the never-seen-before spam emails, 37% fell into the commercial, 32% into the scam, and 21% into the phishing categories of spam.

Across each quarter of 2024, the US tops the ‘spam senders’ list, followed by the UK. Interestingly, many other countries that feature in the most ‘spam senders’ list are also considered amongst the most trusted, such as Switzerland, Sweden, and Norway, among others.

Most of the malware encountered in the last quarter of 2024 were infostealers and remote access trojans (RATs), designed to spy on victims’ machines and gather sensitive information to send back to the attacker as well as deliver threats, such as ransomware. Furthermore, all the malware encountered was Windows-based, such as Stealc, Lumma, and AgentTesla.

Cybercriminals deployed a variety of phishing tactics with links (70%) as the top favourite, followed by attachments (25%) and QR codes (5%). Noteworthy is that the use of QR codes peaked at 12% in Q4 of 2024.

Regarding phishing links, URL redirection was the most employed tactic (51%), followed by compromised websites (19%) and newly created domains (7%).

BEC scams at the heart of social engineering

Business email compromise (BEC) remained the favoured social engineering ploy, reiterating that despite security software becoming more effective, people continue to be the weakest link.

Threat actors leveraged ‘impersonation’ as a tactic in an average of 88% of all cases – followed by diversion, email hijacking, and account takeover. Also, executive spoofing persists as a serious threat, worsened by the use of AI. 74% of the time, CEOs and executives were the roles that were compromised.

The manufacturing sector (32%) was consistently the clear favourite for email-based attacks, with energy (9%), retail (8%), health (5%) and government (4%) as some of the others.

Microsoft (unsurprisingly) retained its title as the most spoofed brand throughout the year, with DocuSign, Apple, and Google ranking highly too.

“To counter the increasingly automated and AI-enhanced email-based threats, organisations need to implement robust email security technologies and foster a culture of highly vigilant security awareness among employees, in equal measure. This dual approach presents the most realistic and effective approach to surmount the advancing and difficult-to-spot email-based threats,” said Usman Choudhary, Chief Product and Technology Officer, VIPRE Security Group.

The use of deepfake technology and synthetic media (including manipulated images, audio, and video) will become more common in email-based attacks. Cybercriminals will increasingly use AI to generate highly personalized and convincing phishing emails.