Email sextortion scams are the fastest-growing phishing threat, judging by a study released on Thursday by Barracuda.
Employees are twice as likely to be targeted by sextortion emails as by BEC attacks, the study reports.
Sextortion threats now make up 11% of all spear phishing attacks, and BECs constitute 6%. Overall, 83% are brand impersonation attacks.
In the sextortion scams, the bad actors typically use harvested email addresses to reach people and threaten them with the release of compromising videos that they claim to have accessed on the victims’ computers.
Few people report these scams out of embarrassment. However, the attackers have no such videos.
Most of these emails are sent as part of larger spam campaigns, so few get through spam filters, but the fraud artists “are continually evolving their email-fraud techniques, including using social-engineering tactics to bypass traditional email-security gateways,” Barracuda notes.
These include social engineering tactics that help them bypass traditional email security gateways, the company says. In addition, some personalize the messages, making it easier to get through. Few contain malware.
The subject lines do not usually mention sex videos, however — the top ones are “Security Alert” (54%), “Change Password” and Other (12%).
But some take on a threatening tone, such as:
This is my last warning firstname.lastname@example.org.
The education field is most likely to be targeted by sextortion emails — it receives 54% of the attacks — followed by government (14%) and the business services sector (11%).
“The overwhelming focus on education is a calculated move by attackers,” the study states.
It continues: “Educational organizations usually have a lot of users, some with a very diverse and young user base that may be less informed about security awareness and that may be less aware of where to seek help and advice.”
The study adds that, “Given their lack of training and experience with the nature of these types of threats, students and young people can be more likely to fall victim in these attack scenarios.”
To fight such attacks, Barracuda recommends AI-based protection and security-awareness training.