Phishing email threats in the UAE surged 77% last quarter, Kaspersky says

Most-used illicit methods include undelivered parcels, know-your-customer messages, free money and unusual email login activity

Cyber criminals use social engineering techniques in fake emails or texts from a trusted source to dupe victims. Photo: Science Photo Library
Powered by automated translation

The UAE recorded a steep increase in the number of emails that contain phishing threats in the second quarter of 2023.

With the volume of such mails increasing by 77 per cent quarter over quarter, a new report from Kaspersky suggests that these illicit tactics are becoming more sophisticated.

The figure is a significant jump with phishing emails using mainly four methods, the cybersecurity company said in the study released on Wednesday.

These methods, which are prevalent in the Middle East, Turkey and Africa region, include mails involving undelivered parcels, know-your-customer messages, free money and unusual email login activity.

These tactics are known as social engineering techniques, which are built on how people think and act. In the case of electronic communications, it involves an email or text message pretending to be from a trusted source.

They are part of the broader scope of spam emails, which carry potentially more than one threat – malware and ransomware among the most notable – and pose significant danger to users, be they individuals or enterprises.

Spam emails are unsolicited messages sent in bulk that potentially carry malicious content, while phishing involves fake emails that appear to be from a reputable source with the aim of securing personal information, such as passwords and credit card numbers.

Emails about undelivered parcels, in particular, increased greatly in the UAE this year.

In January, the Telecommunications and Digital Government Regulatory Authority warned consumers to be alert for unexpected text messages that appear to be from well-known courier companies, including Emirates Post, Aramex and DHL Express, as they could be phishing scams.

Etisalat by e&, the UAE's biggest telecoms operator, and Dubai Police issued similar warnings this year over fake rewards and bogus fine payments, respectively.

"Once a cybercriminal understands what motivates an individual’s actions, they try to exploit their lack of knowledge and manipulate their behaviour to meet the end goal," Kaspersky said in Wednesday's report.

Cybersecurity attacks can cause reputational and financial damages to individuals and companies. The global average for a data breach in 2022 was $4.35 million, up from $4.24 million the previous year, according to the latest edition of IBM's Cost of a Data Breach report.

IBM's study included exploits resulting from emails that are of the spam, phishing, malware and ransomware types, among several other threats.

Last year, nearly half of all emails worldwide were spam, which was a more than 3 per cent increase over 2021, Kaspersky said in its spam and phishing report for 2022.

Spam and phishing attacks soared in 2021 as cyber criminals lured users by focusing on topics related to lucrative investments, online streaming of box-office hits including the James Bond film No Time to Die, and themes related to the pandemic, Kaspersky said previously.

In 2022, the trend continued, this time with threat actors using the new season of Netflix's Stranger Things, The Batman movie, Academy Awards and the Fifa World Cup in Qatar as a cover for their illegal operations, the company said.

Cyber risks in the AI age: Business Extra

Cyber risks in the AI age: Business Extra

“There is no aspect of our life that cyber criminals cannot exploit. Human behaviour and emotion is no exception," Maher Yamout, lead security researcher at Kaspersky, wrote in the report.

The four methods meant in the latest study are all incredibly dangerous. The free money technique is a long-running scam that tries to convince users to provide sensitive details to receive a cash deposit.

The KYC tactic, meanwhile, involves bogus messages posing as prominent banks requesting people to complete verification to comply with financial regulations or avoid suspension of transactions, while unusual email account log-in activity techniques flag false sign-in activity that prompts a user to report the activity via a link.

In all cases, cyber criminals are trying to manipulate user emotions, including by using terms such as urgent, trying to instil fear in them, or entice them so that they will be coerced to fall victim to these tactics.

"These scams are a result of manipulation based on fear, curiosity and greed. The key takeaway is to pay attention to basic details in emails before responding, even if they are from trusted sources, because one wrong click can lead to harsh consequences," the report said.

Updated: August 23, 2023, 2:27 PM