In a sharp rise that underscores the evolving tactics of cybercriminals, file-sharing phishing attacks have increased by 350% over the past year, according to new research from Abnormal Security.
This trend highlights how threat actors are increasingly turning to file-sharing services to advance their phishing schemes, even as they continue to scale traditional business email compromise (BEC) attacks by 50% during the same period.
Abnormal Security, a platform specialising in artificial intelligence (AI) and human behaviour security, released its H2 2024 Email Threat Report, detailing the growing threat of file-sharing phishing attacks.
These attacks, which use popular file-hosting or e-signature services as a cover, are designed to deceive targets into disclosing sensitive information or downloading malware. The report, based on data collected between June 2023 and June 2024, found that the volume of file-sharing phishing attacks had more than tripled, with a 350% increase noted over the year.
Financial services main vector for phishing campaigns
A significant portion, 60% of these attacks exploited legitimate domains, including well-known webmail accounts like Gmail, Outlook, and iCloud, productivity and collaboration platforms, e-signature solutions like Docusign, and file storage and sharing services such as Dropbox.
“The trust that people place in these kinds of services—especially those with recognisable brand names—makes them the perfect vehicle for launching phishing attacks,” said Abnormal Security’s chief information security officer Mike Britton. “Very few companies block URLs from these services because they aren’t inherently malicious. And by dispatching phishing emails directly from the services themselves, attackers hide in plain sight, making it harder for their targets to distinguish between legitimate and malicious communications. And when attackers layer in social engineering techniques, identifying these attacks becomes near-impossible.”
The finance industry emerged as the most vulnerable sector, with file-sharing phishing attacks accounting for one in ten of all attacks.
Financial institutions, which rely heavily on file-sharing platforms to securely exchange documents, offer ample opportunities for cybercriminals to slip fraudulent file-sharing notifications among a sea of legitimate invoices, contracts, investment proposals, and regulatory updates.
Close behind, the construction and engineering sectors, as well as real estate and property management companies, were also identified as prime targets. These industries not only depend on frequent document exchanges via file-sharing platforms but are also involved in time-sensitive projects with significant financial stakes. This urgency provides attackers with an opportunity to send phishing attacks that appear critical and blend with legitimate emails.
The biannual report also highlighted the continued growth of business email compromise and vendor email compromise (VEC) attacks.
Over the past year, business email compromise attacks increased by more than 50%, with smaller organisations experiencing a nearly 60% rise in the last half of the year.
Furthermore, Abnormal Security found that 41% of its customers were targeted by vendor email compromise attacks each week in the first half of 2024, up slightly from 37% in the second half of 2023.
BEC scams on the rise
Construction and engineering firms, along with retailers and consumer goods manufacturers, were particularly vulnerable, with 70% of organisations in these sectors receiving at least one vendor email compromise attack in the first half of the year.
“Cybercriminals are continuing to use email to target human behaviour, leveraging a variety of techniques—whether it’s social engineering for BEC or using the guise of legitimate applications in phishing schemes,” said Britton. “The report underscores a deliberate shift away from overt payloads and threat signatures toward email attacks designed to manipulate behaviour. To stay ahead, organisations must adapt, recentering their defences on protecting humans as their most vulnerable endpoints.”
Earlier this month, Interpol and Singapore Police successfully thwarted a major business email compromise scam. Interpol revealed that its global stop-payment mechanism enabled Singaporean authorities to recover nearly the entire $42.3m stolen from an unnamed Singapore-based commodity firm.
The recovery, achieved through the coordinated efforts of law enforcement agencies in Singapore and Timor-Leste, marks the largest amount ever reclaimed from such a scam.
In light of the growing threat of business email compromise, Microsoft has outlined several key strategies to bolster organisational defences. Microsoft recommends adopting secure email solutions that utilise AI and machine learning to enhance phishing protection and detect suspicious forwarding.
Additionally, securing identities through zero-trust policies and automated identity governance is essential to preventing lateral movement within networks. The company also advises transitioning to secure payment platforms specifically designed to authenticate transactions, reducing reliance on emailed invoices.
Lastly, Microsoft stresses the importance of continuous employee training to identify signs of fraudulent emails, such as domain mismatches, to mitigate the risks associated with BEC attacks.