Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.

Malware emails in the third quarter of 2022 alone increased by 217% compared to the same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.

According to the report, email is the preferred attack vector for phishing and malware, as it gives hackers a direct channel to users, the weakest link in an organization’s attack surface. The report analyzes phishing and malware data captured by Vade, which does business internationally.

As attacks become more sophisticated, Vade said, they also become increasingly capable of evading the basic security offered by email providers, which almost eight in 10 businesses still rely on, according to Vade’s research.

While the activity of threat actors fluctuates, Vade’s research found that impersonating trusted and established brands remains the most popular strategy for hackers. In the third quarter of 2022, Facebook was the most impersonated brand for the second consecutive quarter, followed by Google, MTB, PayPal, and Microsoft.

The financial services sector remains the most impersonated industry, representing 32% of phishing emails detected by Vade, followed by cloud at 25%, social media at 22%, and internet/telco at 13%.

Phishing attacks are becoming more targeted

As phishing attacks increase, the techniques used by threat actors continue to evolve.
While phishing campaigns were traditionally large scale and random, more recent campaigns seen by Vade suggest that hackers have pivoted to using more targeted campaigns.

For example, in the report, Vade highlights an attack it observed in July 2022 where a phishing email impersonated Instagram in order to exploit the social media platform’s verification program. The campaign targets victims with emails that display their actual usernames, showing that the hackers spent time researching their targets before each attack.

Another concerning campaign style outlined in the report takes the form of hackers weaponizing legitimate services to transmit and conceal their phishing attacks. For example, Vade said that in September it detected a campaign that exploited Pôle Emploi, a French career website, using it to distribute phishing links to companies looking for job candidates.

"In the attack, hackers apply to job postings and upload a PDF resume containing malicious links," Vade said. "Once submitted, the platform generates an email containing the malicious PDF, which it auto-sends to the recruiting company for review."

According to Vade, this is a new attack strategy that is likely to become more common in the future as it saves hackers the time and effort to design an email that impersonates an organization.
It also increases the likelihood of a successful attack by lowering victims’ suspicions of nefarious activity.

Training employees to spot phishing attacks

While providing training to employees about the dangers of phishing is undoubtedly beneficial, earlier this month the UK’s National Cyber Security Centre (NCSC) warned businesses not to become "seduced" by the attractiveness of issuing phishing tests to staff, claiming that most implementations rarely offer “an objective measure” of an organisation's defenses and can “just end up wasting time and effort.”

A blog post on the NCSC’s website explained that responding to emails and clicking on links is an integral part of work, therefore attempting to stop the habit of clicking is extremely difficult.

“Asking users to stop and consider every email in depth isn't going to leave enough hours in the day to do work,” the post read.

Duane Nicol, senior product manager awareness training at Mimecast, agreed with this approach, stating that holistic awareness training is far more suitable for keeping users engaged, as it provides more context as to why employees are having to do this and how it contributes to their organisation’s overall resilience to cyberattacks.

“With a multi-layered training approach, users are more likely to be engaged in training which would breed a culture of it becoming a norm to report suspicious emails within the workplace and to be more vigilant outside of it too, for example on social media and in their daily lives,” he said.