This is a simple warning — but it’s critical. A new surge in malicious emails puts all users at risk, and comes as Google and Microsoft warn you to stop using passwords and add passkeys instead. Hackers are more likely to log into your account than break in.
Sometimes staying safe is difficult. A tidal wave of AI-fueled attacks is heading our way. These new threats almost perfectly mimic companies we trust and people we know, making them almost impossible to detect. But sometimes staying safe is easy.
Here are two facts from VIPRE’s newly published email threat report.
First, a staggering 90% of all the detected phishing attacks targeted either Gmail or Outlook. “This indicates that attackers are prioritizing access to the two largest business and personal email ecosystems and hoping to save time in the process.”
And second, PDFs are now “three out of four of all malicious attachments; attackers favor them because they’re universally trusted as legitimate ‘business documents’.”
Those PDF attachments are unexpected, and while they will come in an email pretending to be from Microsoft or DocuSign or even your own company, the lure will be urgent and also unexpected. The sender address will almost certainly be a giveaway.
None of us need to be mathematicians to work out that if 90% of email threats affect Gmail and Outlook, and if 75% of malicious attachments are disguised as regular PDFs, then Gmail and Outlook users must not open PDFs unless they’re explicitly expecting them. If there’s any doubt, contact the sender (not by replying to the email) and ask.
PDFs aren’t the only dangerous attachment. VIPRE says the other 25% of malicious files “are spread across eight file types (EML, HEIF, HTML, GIF, SVG, ICS, PPTX, BMP). You should avoid opening any unexpected attachments or clicking any links.
But PDFs are still the most dangerous culprit.
The goal of these attachments is to trick you into logging into an account using credentials the attacker will then steal and attempt to use for themselves. Sometimes the attack plants malware on your device, to embed itself and steal your data that way. But burying links or QR codes in PDFs is much more common.
Better defending your accounts keeps you safe from most attacks. Always add a (not SMS) form of multi-factor authentication, and always add a passkey if you can.