BSI: Phishing emails on the rise


Eight out of ten fraudulent emails are phishing emails, according to the 2023 BSI report. Many fraudsters pose as financial service providers or claim to support charitable programs.

The current BSI situation report on IT security in Germany has once again made waves. The BSI reports, among other things, 250,000 new variants of malware, 21,000 systems infected with malware every day and 70 new security gaps per day.

Crisis situations as a hook for phishing emails

The topic of phishing also continues to play a major role in the cybersecurity mix. Specifically, according to the BSI, 84% of all fraudulent emails are so-called phishing emails. Criminals usually use these to try to obtain identity or authentication data in order to launch attacks.

Over the past 12 months, the BSI has reported many phishing attempts in the area of finance phishing, in which fraudsters pretend to be banks or financial service providers. Another driver of the growing number of phishing attempts was social crisis situations, which were used as a starting point for phishing emails. The crisis on the energy market was a particularly frequent theme. Attempts have also often been made to deceive email recipients in the name of charitable programs. The war in Ukraine and the earthquakes in Turkey and Syria were often used as an opportunity to send dangerous emails.

AI as a source of danger

According to the BSI, the ongoing development of AI also acted as a turbocharger for phishing in 2023. The increasingly powerful AI language models are increasingly being misused to make phishing emails more authentic and therefore more convincing.

“We have seen the danger posed by phishing emails for years. With the ongoing energy debate, the war in Ukraine, the conflict between Israel and Hamas as well as the elections in the USA and the heated migration debate, there will also be many topics on the agenda in 2024 that are very suitable for phishing emails,” warns Sascha Spangenberg from Lookout. “Phishing is not only a problem for private digital identities, but also for companies and their employees’ accounts. Stolen employee credentials are one of the most effective ways for attackers to infiltrate a company's infrastructure. Once they have the credentials of one of the accounts in hand, it is much easier for them to bypass security measures and gain access to sensitive data.”

Mobile phishing: Every third device affected

In its Mobile Phishing Report, Lookout examined how attackers in the corporate environment gain access and obtain passwords. This global study found that the number of mobile phishing attacks in 2022 was higher than ever before, with one in three personal devices and one in three corporate devices exposed to at least one attack per quarter. This trend continued unbroken in the first quarter of 2023.

Hybrid work environments and bring-your-own-device (BYOD) policies could be two reasons for the increase, Lookout said. Companies have had to accept that personal mobile devices are increasingly being used for professional purposes. However, it is important to remember that any mobile device – personal or corporate, managed or unmanaged, iOS or Android – is vulnerable to phishing attempts.

How BYOD has changed the phishing landscape

Smartphones and tablets have made it easier for employees to be productive from anywhere, but they've also brought new challenges for IT and security teams. BYOD policies mean more people than ever are using their personal devices for work. This means that the risks they face when using these devices for personal reasons also pose risks for the company. IT and security teams also have significantly less visibility into these devices than corporate-owned devices, meaning it's harder to control these heightened risks.

These factors mean that attackers are now targeting users' personal devices to penetrate corporate environments. An employee can fall victim to a social engineering attack through private channels such as social media, WhatsApp or email. Once this is the case, attackers can gain access to his employer's networks or data. This is also not a one-time event, as data from Lookout shows that in 2022, more than 50 percent of personal devices were exposed to some type of mobile phishing attack at least once per quarter.

Millions are at stake

Data isn't the only thing companies risk when employees fall for a phishing scam. Lookout estimates that the maximum financial impact of a successful phishing attack has increased to almost $5.000 million for companies with XNUMX employees. Highly regulated industries such as insurance, banking and legal are considered the most lucrative markets and are particularly vulnerable to attacks due to the large amount of sensitive data they hold.

These high costs come at a time when phishing attacks are at an all-time high. Compared to 2020, the number of phishing attacks is now 10 percent higher on corporate devices and 20 percent higher on personal devices. Also, people are clicking on phishing links more often than they were in 2020, which could mean attackers are getting better at crafting authentic-looking messages. With more risk and more money at stake than ever before, organizations must adapt their security strategies to protect their data.

Protect data against mobile phishing attacks

The mobile phishing landscape is more treacherous than ever, especially as remote working increases. IT and security teams must employ strategies that enable them to visualize, detect, and mitigate the data risks posed by phishing attacks across all employee devices. This applies regardless of whether the devices are company-owned or private. With the right strategy, based on the Zero Trust principle and SASE (Secure Access Service Edge), it is possible to make the hybrid working world secure.

“On-device and AI-powered phishing detection via a cloud-based security platform makes it possible to stop attacks where they start. A security solution like this prevents users from connecting to phishing websites on both corporate and personal devices,” said Sascha Spangenberg, Global MSSP Solutions Architect at Lookout. “Such a solution detects and blocks phishing attacks via any mobile app and prevents employees from revealing credentials or downloading malicious software. Protection against mobile phishing threats must be a priority if hybrid working is a reality.”

More at Lookout.com

 


About Lookout

Lookout co-founders John Hering, Kevin Mahaffey, and James Burgess came together in 2007 with the goal of protecting people from the security and privacy risks posed by an increasingly connected world. Even before smartphones were in everyone's pocket, they realized that mobility would have a profound impact on the way we work and live.


 
