![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14080310/abstract_mail_blue-990x400.jpg) ## The year in figures * 45.60% of all email sent worldwide and 46.59% of all email sent in the Runet (the Russian web segment) was spam * 31.45% of all spam email was sent from Russia * Kaspersky Mail Anti-Virus blocked 135,980,457 malicious email attachments * Our Anti-Phishing system thwarted 709,590,011 attempts to follow phishing links * SafeMessaging feature in Kaspersky mobile solutions prevented more than 62,000 redirects via phishing links from Telegram ## Phishing and scams in 2023 ### Hunting gamers In 2023, as before, cybercriminals disguised their attacks on gamers as lucrative offers by the gaming industry. Potential victims were promised a free introduction to the latest title (at times even before the official release), or a slot in a gaming tournament with a tempting prize pool. To get access to the content (or contest), phishing sites prompted the victim to sign in to one of their gaming accounts. If the victim entered their credentials on the phishing form, the account was hijacked. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181204/Spam_report_2023_01-940x1024.png)]() Other schemes touted the opportunity to try out a new version of a long-awaited game—for a small fee. Since the payment was made on a fake website, both the money and the victim's card details ended up in the attackers' hands, and the wish to play the new release remained only a wish. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181348/Spam_report_2023_02-1024x819.png)]() Another bait was in-game valuables: threat actors "sold" in-game currency, skins, and "upgraded" accounts at bargain prices, and announced "events" where goodies were up for grabs. However, by buying something on an unverified site, the user risked both losing money and having their personal data, such as postal or email address, phone number, and other details, stolen. After the purchase was made, the scammers fell silent or sent the victim the credentials for a random stolen account containing nothing of value. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181436/Spam_report_2023_03-1024x819.png)]() ### Out-of-the-blue winnings and refunds Breaks and benefits, especially tax-related, are alluring. Cybercriminals took advantage of this in 2023. Fake resources offering reimbursements closely copied the design of the legitimate websites of tax authorities in the US, the UK, Singapore, France, and other countries. However, some of the copies were slightly imperfect, in which case the site header duly noted that it was just a beta version in order to dupe even the most eagle-eyed user. Unsurprisingly, the user was asked to complete a few steps before getting the "reimbursement". The victim was first asked to update their details (documents) or read important information regarding the amount they were entitled to. Whatever tricks the scammers used, the goal was to make the victim believe in the payout. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181507/Spam_report_2023_04-1024x819.png)]() The scheme, which targeted UK residents, promised a tax refund after the "details" had been "updated". For added credibility, the attackers specified an exact amount: GBP 891.45. To get the money, the "customer" was asked to fill out a short form, after which further proof of identity was requested. In this way, the attackers built a database of personal data, including card details, names, dates of birth, and addresses. The information could later be used to steal both funds from victims' accounts and their identities. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181533/Spam_report_2023_05-758x1024.png)]() Refunds were offered not only under the guise of government agencies. Some of the scam sites discovered promised to reimburse a certain sum to the customers of a major international telecommunications company. To receive the money, a small fee had to be paid in advance, which resulted in the victim's payment card being compromised. Needless to say, the promised payout was never credited to their account. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181811/Spam_report_2023_06-880x1024.png)]() In 2023, scammers ensnared victims not only with promises of money. For instance, we observed quite an original scheme that invited potential victims to take part in a lottery to win a work or student visa. Those interested were asked to fill out an "application" and then forward information about the "lottery" to a certain number of WhatsApp contacts and wait for the result. Magically, everyone who entered "won"—but before receiving the visa, they were asked to part with a small administrative fee. In reality, the victims did not even stand a chance of getting the visas: authorities never issue such documents at random, especially for long-term stays. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181834/Spam_report_2023_07-1024x425.png)]() ### Easy money Besides refunds and lotteries, scammers in 2023 rolled out offers to make a fast buck. Alongside the usual get-rich-doing-nothing and paid survey scams, we encountered a few less conventional scenarios. For example, the site below positioned itself as a resource for making quick money in the form of entertainment. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181902/Spam_report_2023_08-1024x393.png)]() The terms and conditions promised a payout for performing simple tasks: playing games, testing apps, taking surveys, and others. A choice of tasks was offered, the reward for each being a fixed payment. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181925/Spam_report_2023_09.png)]() However, when selecting a task from the list, the user was redirected to a page with various scams. Even in theory, then, it was impossible to earn money on the site, as the pages with tasks served solely to generate clickthroughs to scam sites. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27181949/Spam_report_2023_10-1024x819.png)]() The scammers claimed that additional rewards could be had for involving as many friends and relatives as possible in the "project". [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182023/Spam_report_2023_11-1024x508.png)]() Given that there was no money to be made, by agreeing to the terms and recommending the scheme to loved ones, the victim only helped to create more such victims. True, some funds were credited to the victim as a referral fee, but there was no way to withdraw them. If they tried, the system reported that withdrawal was possible only if the amount exceeded a certain limit ($200 in the screenshot below), and suggested topping it up by attracting more friends and family. The required amount is most likely unattainable. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182047/Spam_report_2023_12.png)]() ### Cryptocurrency scams Phishing aimed at stealing crypto wallet credentials remained a common money-making tool. Fake pages mimicking popular cryptocurrency sites invited users to sign in with their wallet credentials. For example, one of the sites shown below imitates the new CryptoGPT project (LayerAI as of May 2023), offering users the chance to make money by selling their data, including to neural network developers; the other is a clone of the CommEX cryptocurrency exchange. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182111/Spam_report_2023_13-1024x755.png)]() Scam sites also used cryptocurrency as bait. Visitors to the page in the screenshot below were asked to download a "miracle" script to get free bitcoins every day and a massive boost to their crypto income. The description of another program on this site mentions something illegal: the script supposedly replaces the address of any wallet with the script user's address and siphons money out of the target wallet. The price of downloading either script was just under $50. Remember that by installing any software from unverified sources, you risk infecting your device with malware. Besides, the inflated amounts promised on the main page clearly indicated that this was a scam. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182143/Spam_report_2023_14-1024x819.png)]() ### Reeling in readers In 2023, threat actors added new forms of bait to their arsenals. For example, we came across a site that imitated an ebook on pension reform. The background of the fake page appeared to show a PDF of the book. But to take a closer look, the user was asked to sign up for free and link a bank card to their account. As in the case of online movie scams, card compromise was just a click away. The book will not become any more readable after you subscribe. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182208/Spam_report_2023_15-1024x819.png)]() ### Social networks and instant messaging under attack Social networks and instant messaging apps were targeted in a significant share of 2023's phishing attacks. In the Russian-language segment of the web, voting for participants in online contests remained a popular topic. Attackers sent links to votes through WhatsApp, both in DMs and group chats. Contest themes ranged from children's drawings to ballet. To vote, the user had to sign in to WhatsApp, give their phone number, and then enter the code from the site in the app under Link a Device. If the instructions were duly followed, the attackers gained access to the victim's account on their own device. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182258/Spam_report_2023_16-1024x639.png)]() Globally, scammers targeted Facebook business accounts by using discounted ads as bait. For instance, users were offered Meta ad credits for free. To claim the "gift", you had to sign in to your account—that is, share your credentials with the scammers. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182346/Spam_report_2023_17-1024x866.png)]() In 2023, threat actors came up with all kinds of bait for Telegram users. Potential victims were invited to download programs to hack video games, gain access to Telegram 18+, get free virtual currency or sign a petition. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182502/Spam_report_2023_18-1010x1024.png)]() Another instant messaging attack vector was the spread of phishing and scams that aimed at something other than hijacking IM accounts. In particular, attackers exploited quick-money offers. The screenshot below invites "investors" to download something called "WhatsApp Bot", allegedly developed by Zuckerberg's team. The cybercriminals claim the bot increases the likelihood of a profitable investment to 97%. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182531/Spam_report_2023_19-1024x533.png)]() To start earning, you just had to wait for "free space" (apparently in some bot-related program), register, and launch the bot. During signup, the scammers additionally offered the victim a "free consultation", during which they likely used social engineering to persuade the victim to hand over money. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182559/Spam_report_2023_20-1024x523.png)]() For added credibility, text below the registration form stated that residents of certain countries were temporarily unable to use the bot, but could follow updates. After sign-up, the victim was advised to "invest the recommended amount" to start earning. If they did so, their money most likely vanished. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182625/Spam_report_2023_21.png)]() In a Portuguese-language scam, a "math professor" claimed to have made an app to increase the chances of winning a lottery, and invited people to buy it. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182649/Spam_report_2023_22.png)]() Meanwhile, Telegram users were offered to monetize views of stories and videos. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182717/Spam_report_2023_23-1024x371.png)]() The scheme in all cases was roughly the same: the user was invited to go to the scammers' channel, where the monetization sum was confirmed; then, when trying to withdraw it, they were offered extra income for sending information about the "program" to friends and family, that is, for luring new victims into the trap. Next, the user was told that "the request has been sent to the payment gateway for processing", and after some time, they were asked to pay a small commission. Naturally, the victim saw neither the "monetization amount" nor the "extra income". [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182738/Spam_report_2023_24-1024x224.png)]() In addition to instant messaging scams, we observed schemes using social network assets as bait. For instance, boosting your follower base on the recently launched social network Threads might seem like a great offer. All you had to do was enter a user name and prove you were not a robot—and the selected number of followers would supposedly appear in your profile. However, the input form was on a fake page, and clicking the Verify Now button redirected you to a scam site. The new followers did not materialize. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182810/Spam_report_2023_25-970x1024.png)]() ### Beating two-factor authentication Serious-minded sites often use two-factor authentication to protect users' accounts from hacking. Generally speaking, to sign in to their personal account, the user has to first enter a user name and password, followed by a one-time code sent in a text, by email or in a push notification, or generated in a special app. Cybercriminals do what they can to overcome this obstacle. For example, a fake page mimicking that of a Russian bank offered victims a chance to take part in a promotion and receive RUB 6,000 after entering their user name and password. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182837/Spam_report_2023_26-1024x441.png)]() The bot sent the input data to a genuine online marketplace, which asked for a code sent in a text. Hence, the fake page displayed a field to enter the code. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182906/Spam_report_2023_27-1024x463.png)]() Having received the code, the bot sent it to the real site—the victim's personal account was now at the mercy of the fraudsters. ### Artificial intelligence at the service of scammers In 2023, no [technology of the year]() shortlist would have been complete without generative artificial intelligence. Cyberscammers jumped at the chance to exploit the topic. Using fake sites, they hosted "GPT chats" supposedly capable of diagnosing computer problems, making money and such. In fact, the site deployed no AI models, but only used the topic to stir interest with potential victims and make a bigger killing. One such page mimicking the Microsoft website warned visitors that their computer was infected with a Trojan. To avoid losing data, they were advised not to reboot or turn off the device until the issue was resolved. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27182934/Spam_report_2023_28-1024x458.png)]() Two options were offered: call a hotline or chat with Lucy, an AI chatbot. In the second case, you had to choose a method of diagnosing the device, after which the bot said it was unable to solve the problem and recommended calling support. Naturally, professional scammers, not Microsoft engineers, were waiting at the other end of the line. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183003/Spam_report_2023_29.png)]() "Smart chatbots" were also used as "consultants" on making money online. On one site a bot pretending to be an Elon Musk design advertised investment services. After telling the new "client" that it could make them rich quickly, the robot asked about their education, income level, and investment experience. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183027/Spam_report_2023_30-1024x316.png)]() Regardless of the answers, the bot informed the client that it would do all the earning. Next, it demonstrated an amount it could offer and prompted the user to register simply by providing their contact details. Events then likely unfolded as in other similar schemes: The "AI" asked for a small fee in recognition of its intellectual abilities, and then simply vanished into the ether. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183054/Spam_report_2023_31.png)]() ## Spam in 2023 ### Scams In the mid-spring of 2023, a massive wave of email relating to a fake investment project hit the Runet. The email offered recipients the opportunity to earn several hundred thousand rubles with minimal effort. Clicking the link took the victim to a "project" website, where they first had to answer questions about their investment experience, then leave a phone number and email address for feedback. Next, the scammers called the number and offered to create a wallet for future investments. However, rather than making money for the victim, the wallet would channel the funds straight to the scammers. In addition to the main scam, after inputting their details, the victim was sometimes redirected to a dubious site, such as a fictitious brokerage company. If they deposited money into the account of that company, it was likely the last they ever saw of it. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183136/Spam_report_2023_32-953x1024.png)]() Throughout the campaign, the spammers took pains to change the format of the email: they placed a link in an attachment or in the message body, asking recipients to respond; the text varied greatly, with some emails containing none at all; and graphic elements, such as the bank logo, would appear and disappear. Scammers continue to send similar emails to this day, altering the layout from time to time. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183203/Spam_report_2023_33-1024x388.png)]() ### Cryptocurrency scams Spammers actively used the topic of cryptocurrency as bait. For instance, fraudsters sent out emails warning potential victims about the imminent closure of a certain account, urging them to withdraw their funds without delay. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183224/Spam_report_2023_34-1024x383.png)]() After clicking the link, the recipient was informed they had opened an account on a bitcoin mining platform at some point in the past, and since then, it had earned tens of thousands of dollars. Naturally, a modest fee was required to make the withdrawal. Of course, no such account existed, and this "fee" was the scammers' ultimate goal. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183246/Spam_report_2023_35-1024x388.png)]() A similar scheme, but with a more original cover story, caught our eye in a bulk email last November. A group of online scammers were said to have opened a crypto wallet in the name of the email recipient, and transferred ill-gotten cryptocurrency there. The scammers had been caught, the story continued, but the cryptocurrency remained, and the recipient was free to withdraw it from the account. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183314/Spam_report_2023_36-1024x742.png)]() To help guide them through the process, they were advised to contact "support" via WhatsApp. During the chat, a "support agent" asked for a scan of an identity document, whereupon the victim would be authorized to withdraw the funds. For a commensurate percentage, of course. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183353/Spam_report_2023_37-1024x560.png)]() ### Charity scams Threat actors have traditionally exploited high-profile global events to profit from human suffering and people's desire to help others. In the second half of February 2023, we saw several scam emails requesting the recipient to transfer money to a bitcoin wallet to help victims of the recent earthquake in Turkey. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183518/Spam_report_2023_38-894x1024.png)]() And in October, scammers sent emails asking to help the victims of the Israeli-Hamas conflict. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183618/Spam_report_2023_39-911x1024.png)]() If in the first case the attackers' wallet address was given directly in the message body, the October emails contained a link to a site with several wallets in a range of cryptocurrencies. Interestingly, the scammers set up websites to help both sides of the conflict, but with the same wallet addresses. More typical emails with the wallet address in the body were also encountered. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183650/Spam_report_2023_40-1024x517.png)]() ### Blackmail The year 2023 saw a number of email extortion scams. For example, in December, we came across a bulk email threatening to send the recipient's intimate videos to their friends and family. The extortioners claimed to have hacked into the victim's device, seized control of the camera and microphone, and made screen recordings. They further edited the video, combining the on-screen content with the victim's alleged activities in front of the computer. As a ransom for not distributing the video, the criminals demanded a bitcoin transfer to the crypto wallet indicated. The scheme itself is nothing new: extortion (and sextortion) with empty threats is a well-worn type of online fraud. However, in 2023, the execution changed somewhat. First, the details of the "hack" and the demands of the attackers were not contained in the email as before, but on a page the victim was taken to after clicking a link in the email. Second, this time, the attackers tried to give their cover story more credibility by adding personal information about the email recipient: full name, phone number, taxpayer ID, and other details. These they probably got from databases on the dark web. Of course, this impacted the scale of the distribution—usually such emails are sent out in the millions, but this time, we recorded only a few hundred. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183725/Spam_report_2023_41-1024x467.png)]() In the summer, we discovered another curious mass mailing with a demand to transfer money to a bitcoin wallet. The emails in French stuck to the usual format of any extortion demand (threats to send intimate videos, threats from law enforcement agencies, threats to discredit the company's reputation on the internet), but the attackers went further by adding a death threat. The sender posed as a professional killer allegedly hired to poison the recipient of the email. However, whilst tracking the victim-to-be, he came to realize he had been ordered to assassinate a good person. This caused him to hesitate. True, he is not ready to abandon the job just like that, and so invites the target to pay him off with a cryptocurrency transfer to the wallet specified in the email. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183846/Spam_report_2023_42-1024x361.png)]() ### Malicious attachments To distribute malicious files, scammers in 2023 continued to disguise their mailings as official communications. In March, for instance, we discovered a bulk email signed as being from a government agency. In it, the attackers requested verification of employee information supposedly contained in the agency database. However, the list of employees they distributed was malware in disguise. To get the victim to open the attachment without thinking, the attackers stressed the urgency: the recipient could be held administratively liable for not sending the updated information right away. Such emails were aimed primarily at employees in HR and finance. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183911/Spam_report_2023_43-1024x566.png)]() In mid-August, attackers targeted users with bulk emails seemingly from the Russian Investigative Committee. The sender's address contained an official-looking domain name, and the text of the email instructed the recipient to read the materials of a criminal case in which they were allegedly a witness, and to report their readiness to give testimony in court. To view the "materials", the recipient had to click a link to a file-hosting service. To sound convincing, the email contained some of the recipient's personal data, likely obtained as a result of a data leak. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27183939/Spam_report_2023_44-1024x539.png)]() Throughout the year, we observed malicious bulk emails claiming to be from business contacts of the recipient. The emails generally contained previous correspondence between the parties, in response to which the attackers pretended to send some kind of business document (an agreement, invoice, and so on). To view it, the victim had to open the attachment and follow the link, which downloaded malware onto the computer. Threat actors switched between different ways of distributing harmful content. For example, some emails contained a password-protected archive, while others provided a link in an attached PDF or even an HTML attachment. Whereas [Qbot]() was actively distributed at the beginning of the year, in mid-May, we found several thousand comparable emails with a link for downloading the PikaBot Trojan. Later, we saw other malware spreading via the same pattern. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184009/Spam_report_2023_45-1024x585.png)]() Throughout the year, we observed attempts to target hotel owners and employees. They received emails seemingly from former or potential guests. As a rule, the email either made a complaint (the guest had been charged twice, the staff was rude, poor living conditions), or asked for information about available hotel services or clarification of prices. [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184040/Spam_report_2023_46-971x1024.png)]() In some cases, the attackers first exchanged a few "clean" emails with the hotel administration, and only then did they send a link to download malicious files. Various threats were distributed in this way, such as the Xworm Trojan and the RedLine [stealer](). [![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184111/Spam_report_2023_47-1024x576.png)]() ### List linking According to our observations, cases of DoS attacks known as list linking, or mail bombing, became more frequent in 2023. The essence of the attack is as follows: cybercriminals register the victim's mailbox on numerous legitimate sites, whereupon thousands of automatic confirmation notifications flood the mailbox. This places a heavy load on the recipient's mail server and makes it impossible to use the mailbox normally. If, say, a shared mailbox for communication with clients or partners comes under attack, this can paralyze the entire organization. The challenge in countering such attacks is that the emails are perfectly legitimate, as are the sites from which they were sent. ## Spear phishing and BEC attacks in 2023 With the development of neural networks, and particularly generative AI systems (such as ChatGPT), it is becoming ever easier for attackers to craft polished text for targeted (or spear) phishing. If before 2023, business email compromise (BEC) attacks were characterized by poor grammar and style, as well as limited size of the text, now such emails are starting to resemble the format of business correspondence far more closely. [![BEC emails in 2021 and 2023](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184136/Spam_report_2023_48-1024x351.png)]() BEC emails in 2021 and 2023 In addition to English, attackers began to send emails to potential victims in their native languages, regardless of their prevalence. This is perhaps due to the emergence of publicly available large language models (LLMs) capable of composing texts in a variety of languages, including less common ones. [![BEC email in Belarusian](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184206/Spam_report_2023_49.jpeg)]() BEC email in Belarusian [![Phishing email in Indonesian](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184235/Spam_report_2023_50-1024x245.png)]() Phishing email in Indonesian ### Other email phishing trends in 2023 #### Obfuscation Threat actors continued to come up with new ways of obfuscating emails to bypass content filters. In particular, we encountered emails whose authors used the Right-To-Left Override code (&#8238) to flip the writing direction, and wrote the text backwards. On opening such an email, the user sees a mirrored version of the message, and the keyword filter proves useless, since all the words in the original text are reversed. [![Mirrored text in the email source code](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184308/Spam_report_2023_51.jpeg)]() Mirrored text in the email source code [![Displayed text when the email is opened](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184339/Spam_report_2023_52-1024x515.jpeg)]() Displayed text when the email is opened #### QR codes [Emails with QR codes]() pointing to scam sites can be said to be one of the main email phishing trends of the year. If in early 2023 a vast majority of emails were false notifications purportedly from Microsoft, then by yearend, attackers had switched tactics and begun serving up QR codes under the name of many different organizations. [![Example of a phishing email with a QR code](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184415/Spam_report_2023_53.jpeg)]() Example of a phishing email with a QR code [![Email with a QR code, late 2023](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184444/Spam_report_2023_54.png)]() Email with a QR code, late 2023 [![Phishing login form pointed to by a QR code](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184609/Spam_report_2023_55-473x1024.jpeg)]() Phishing login form pointed to by a QR code #### IPFS The use of [IPFS systems]() to host phishing pages was another important trend of 2023. Besides mass mailings, this hosting method started to be used in spear phishing campaigns aimed at specific companies. [![Spear phishing email in Korean. Clicking the link opens a phishing page in IPFS](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184728/Spam_report_2023_56.png)]() Spear phishing email in Korean. Clicking the link opens a phishing page in IPFS [![Phishing login form in IPFS](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/02/27184808/Spam_report_2023_57.jpeg)]() Phishing login form in IPFS ## Statistics: spam ### Share of spam in email traffic In 2023, the average share of spam in global email traffic dropped by 3.03 p.p. to 45.60% from the previous reporting period. The lowest proportion of spam was observed at the beginning of the year: 42.68% in January and 42.88% in February. On average, 42.93% of emails in Q1 were spam. By contrast, Q2 was the most active quarter: 48.00% of email traffic was junk. This figure peaked in May at 49.94%. _Share of spam in global email traffic, 2023 ([download]())_ As usual, spammer activity in the Runet was higher than in the world as a whole. On average, 46.59% of emails in 2023 were spam, which is 5.85 p.p. lower than in 2022. Q1 was the calmest quarter as it was, globally. During this period, the average share of spam in Runet email traffic was even lower than the global figure at 42.88%. The Runet's quietest month was February, in which spam made up just 42.47% of all traffic. Spammer activity surged in May and June, when the share of junk emails exceeded half of the total: 52.46% and 52.12%, respectively. On the average, every second email in Q2 was spam. _Share of spam in Runet email traffic, 2023 ([download]())_ ### Countries and territories where spam originated The share of spam from Russia in 2023 rose again, to 31.45%. Moving up into second place was the US (11.30%), whose share also increased slightly. Spam from mainland China (10.97%) was 3 p.p. lower than in 2022. _TOP 20 countries and territories where spam originated in 2023 ([download]())_ Germany's share (3.25%) continued to decline, while Japan's (3.63%) climbed slightly, placing the country fourth. Despite losing some share, Brazil (2.84%) rose from seventh to sixth position, overtaking the Netherlands (2.54%). In eighth place this time was Kazakhstan (2.51%), which a year earlier failed to make the TOP 20; ninth and tenth position went to India (2.02%) and South Korea (1.55%), respectively. ### Malicious email attachments In 2023, our solutions detected 135,980,457 attempts to open a malicious attachment. As with the share of spam in email traffic, the number of Mail Anti-Virus detections was relatively low at the beginning of the year and peaked in May–June. _Number of Mail Anti-Virus detections, 2023 ([download]())_ The Trojans most frequently encountered in email came from the [Badur]() family (7.24%). They are PDF files with links to dubious web resources. In second place came [Agensla]() stealers (5.98%), whose share continued to decline. The [Badun]() family of Trojans (4.72%), which masquerades as e-documents and spreads via archives, retained third position. _TOP 10 malware families distributed as email attachments, 2023 ([download]())_ The [Noon]() family of spyware (3.37%) dropped to fourth place, while exploits for vulnerabilities in the Equation Editor component swapped places again: [CVE-2017-11882]() (3.06%) moved up to fifth position, [CVE-2018-0802]() (2,33%) fell to ninth. In 2023, attackers often mailed out phishing forms as [HTML attachments](), which our solutions detect as [Hoax.HML.Phish]() (3.01%). Also in the picture were [Makoob]() Trojans (2.41%), which previously were not among the most common email attachments. In addition, the share of attachments containing [Taskun]() (2.80%) rose slightly. A characteristic feature of this family is the creation of malicious tasks in Task Scheduler. By contrast, malicious [ISO]() disk images (2.16%) were less popular among attackers than they were in 2022. _TOP 10 malicious programs distributed as email attachments, 2023 ([download]())_ As usual, the distribution of specific threats is almost identical to the distribution of families. The only difference is that the most common member of the Taskun family (2.73%) was sent more often than the most common type of phishing HTML attachment (2.48%). ### Countries and territories targeted by malicious mailings In 2023, Mail Anti-Virus was triggered most often on devices located in Russia (16.72%). This country's share of all malicious spam targets more than doubled from 2022. Spain (9.53%) dropped to second place despite its share also increasing. Users from Mexico (5.99%) encountered malicious attachments almost as frequently as the year before, while the share of Brazil (2.63%) nearly halved. _TOP 20 countries and territories targeted by malicious mailings, 2023 ([download]())_ Turkey (5.04%) ranks fourth by number of Mail Anti-Virus detections in 2023. Vietnam (4.37%) and Italy (3.18%) swapped places, while Germany (2.92%), the UAE (2.90%) and Malaysia (2.70%) all moved up one spot. ## Statistics: phishing Phishing attacks increased again in 2023: Kaspersky solutions blocked 709,590,011 attempts to follow malicious links. Aside from a spike in phishing activity in May and June, the number of attacks climbed steadily throughout the year. _Number of Anti-Phishing triggerings, 2023 ([download]())_ ### Map of phishing attacks Users from Vietnam (18.91%) encountered phishing most often. In second place is Peru (16.74%), closely followed by Taiwan (15.59%), Lesotho (15.42%), and Ecuador (15.29%). Greece places sixth (14.97%), and Malawi, seventh (14.91%). Rounding out the TOP 10 countries and territories by phishing attacks are Portugal (14.07%), Sri Lanka (14.04%), and Palestine (13.89%). Top 10 countries and territories by share of attacked users **Countries/territory** | **Share of attacked users*** ---|--- Vietnam | 18.91% Peru | 16.74% Taiwan | 15.59% Lesotho | 15.42% Ecuador | 15.29% Greece | 14.97% Malawi | 14.91% Portugal | 14.07% Sri Lanka | 14.04% Palestine | 13.89% _* Share of users who encountered phishing out of the total number of Kaspersky users in the country/territory, 2023_ ### Top-level domains In 2023, the COM domain zone (19.65%) remained the most common for hosting phishing sites. In second place was the top-level domain CLUB (5.79%), previously unpopular with cybercriminals. TOP (5.46%) came third and IO (2.57%), fourth, with the latter being the domain of the British Indian Ocean Territory and used extensively by IT companies worldwide, as it additionally stands for "internet organization". This domain is favored by cryptocurrency scammers. _Most frequent top-level domains for phishing pages, 2023 ([download]())_ The fifth most in-demand domain zone among attackers is XYZ (2.50%). Phishing sites were also frequently hosted in the APP domain zone (1.58%), which [Google positions]() as a domain zone for web applications, as well as in the Russian zone RU (1.44%) and in the global domains ORG (1.40%), NET ( 1.23%), and SITE (1.20%). ### Organizations targeted by phishing attacks _The rating of organizations targeted by phishers is based on the detections of the deterministic component in the Anti-Phishing system on user computers. The component detects all pages with phishing content that the user has tried to open by following a link in an email message or on the web, as long as links to these pages are present in the Kaspersky database._ In 2023, phishing pages mimicking global internet portals (16.46%) reclaimed the top spot by number of attempted redirects. Users of smaller web services (14.66%) were also of interest to threat actors. A further 12.22% of phishing attacks targeted users of online stores. _Distribution of organizations targeted by phishers, by category, 2023 ([download]())_ In 2023, banks (11.29%) ranked fourth, and delivery services, fifth (8.30%). In addition, attackers preyed on social networks (6.96%), instant messaging apps (6.32%), and online games (5.24%). Also among the TOP 10 categories of sites most often targeted by scammers were payment systems (5.83%) and cryptocurrency websites (5.24%). ### Telegram phishing _Statistics on instant messaging phishing are derived from anonymized data from the SafeMessaging component of Kaspersky Internet Security for Android, voluntarily shared by users. SafeMessaging scans incoming messages and blocks attempts to follow any phishing or scam links._ In 2023, Kaspersky solutions prevented 62,127 redirects via phishing and scam links on Telegram, which is 22% more than in 2022. On average, 170 phishing attacks were blocked per day. Phishing activity on Telegram changed little during the year, except for a late-May spike. _Dynamics of phishing activity on Telegram, 2023 ([download]())_ _This spike may be related to phishing attempts to steal Telegram accounts, which, as our data shows, increased markedly from May 19 through June 5, 2023. Attackers usually post fraudulent links aimed at account theft in chats and channels on Telegram itself._ _Number of phishing attacks targeting Telegram users, May–June 2023 ([download]())_ Most attempted redirects via phishing and scam links, as in the previous year, were blocked by our solutions on devices belonging to users from Russia. Brazil held on to second place, having doubled the number of blocked phishing attacks and followed by Turkey, India, Germany, and Italy, where Telegram-based phishing activity also grew. Seventh place this time around went to users from Mexico, who squeezed Saudi Arabia out of the TOP 7. _TOP 7 countries and territories where users most often followed phishing links on Telegram, 2023 ([download]())_ ## Conclusion The widespread adoption of technologies with built-in GPT chats will give scammers a wealth of new topics to exploit. We are likely to encounter many such schemes in the near future. At the same time, attackers are unlikely to abandon their time-tested techniques. High-profile releases, events, and premieres will remain irresistible to phishers and scammers, whose fake sites will dupe those wanting to get their hands on the next big thing that bit earlier or cheaper. Those who make money on cryptocurrencies and other investments also need to keep a sharp lookout, as it is becoming increasingly difficult to distinguish fraudulent platforms from legitimate ones. We recommend being especially vigilant during the pre-holiday period and large-scale sales: when users are in a hurry to snap up bargains, it is much easier to lure them into a trap. Finally, as instant messaging apps expand their toolkits, they will gradually sideline social networks. This growing demand for instant messaging will spark a rise in cybercriminal interest. In the enterprise sector, threat actors will likely continue to send out phishing and BEC email in various languages, generated with the help of LLMs. Message history from compromised mailboxes will continue to be used in malicious and targeted phishing campaigns. Going forward, the range of malware distributed in this way looks set to expand.