Saturday, March 15, 2025

A Sharp Surge in Valentine’s Day-Themed Scams


Authors: Martin Kraemer, Security Awareness Advocate at KnowBe4 and James Dyer, Threat Intelligence Lead at KnowBe4

This Valentine’s Day, Cupid wasn’t the only one taking aim. Our Threat Research team noted a 34.8% increase in Valentine-related threat traffic compared to February of 2024.

Leveraging impersonation and social engineering techniques, attackers have used a seasonal event to exploit heightened emotions and a sense of urgency, effectively increasing the likelihood of success of their phishing campaigns.

Our team observed these attacks beginning on February 2nd this year, compared to January 29th last year, peaking on February 3rd. Interestingly, despite the later start in 2024, their volume as a percentage of mail flow is higher than in previous years.

Quick attack summary
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team.

Primarily link-based in nature, attackers are exploiting the cultural buzz that surrounds Valentine’s Day with phishing campaigns that leverage the seasonal event. In fact, our Threat Research team has noted that 8.45% of phishing emails made some form of reference to ‘valentines’ from February 2nd to 11th, 2025.

Many of these attacks impersonated well-known brands, using a single image in the email body that directs the recipient to a malicious website. Some also employed link obfuscation techniques to conceal the end destination. These two concepts are explained in more detail below.

Vector and type: Email phishing
Technique: Link obfuscation and brand impersonation
Targets: Global
Platform: Microsoft 365

Top 5 brands impersonated in Valentine’s-themed campaigns:

  1. Hilton (Luxury Hotel)
  2. Marriott Bonvoy (Luxury Hotel)
  3. Walmart (Commerce)
  4. Amazon (Commerce)
  5. 7-Eleven (Commerce)

Breakdown of payloads present in the attacks:

  • Hyperlinks: 82.6%
  • Attachments: 11.2%
  • Social engineering: 4.8%
  • Malware: 1.5%

Example 1 – A Typical Attack
In the attack analyzed below, the cybercriminal has sent a phishing email impersonating the large luxury hotel provider Marriott Bonvoy with a stylized template that mimics Marriott’s branding to leverage consumer confidence in the brand’s reputation and lower recipient suspicion.

The attack directs the recipient to click on a link that will supposedly reveal their ‘exclusive’ deal, ‘just in time’ for Valentine’s Day. Here, the attacker is using social engineering tactics that exploit the general excitement people feel about exclusivity and budget deals – especially for a luxury experience. They have also added a sense of urgency by implying the recipient must act quickly to secure the deal.

The email’s body consists of a single embedded image rather than separate components like text and buttons typically found in standard emails. In other words, the entire email functions as a screenshot, designed to appear as a normal message.

This is an obfuscation technique designed to limit the detection efficacy of email security tools. Without text to scan, the traditional signature-based detection present in Microsoft’s native security and secure email gateways (SEGs) can’t identify links to known phishing websites, while more advanced tools, such as natural language processing (NLP) and natural language understanding (NLU), can’t detect the linguistic identifiers of social engineering, such as urgent or emotive language. This is likely why our Threat Research team observed the attacks bypass various configurations of Microsoft 365’s security tools.

Screenshot of a phishing attack impersonating Marriott Hotel with KnowBe4 Defend’s anti-phishing banners applied.

For tools like KnowBe4 Defend to identify such attacks, they must take a holistic approach to phishing detection, analyzing all indicators that may show malicious intent. Factors like subject line and sender analysis, as well as recognizing when the email consists primarily of a single image, enabled us to detect these phishing emails after they got through native and SEG security.
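The single-image signal described above can be approximated with a simple structural check on the HTML body. The following is an added example, not KnowBe4 Defend's logic or code from the original article; the 40-character threshold, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

class BodyStats(HTMLParser):
    """Counts visible text characters and images that sit inside a link."""
    def __init__(self):
        super().__init__()
        self.text_chars, self.linked_images, self.hrefs = 0, 0, []
        self._in_link = self._hidden = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("style", "script", "title"):
            self._hidden += 1
        elif tag == "a" and attrs.get("href"):
            self._in_link += 1
            self.hrefs.append(attrs["href"])
        elif tag == "img" and self._in_link:
            self.linked_images += 1

    def handle_endtag(self, tag):
        if tag in ("style", "script", "title"):
            self._hidden = max(0, self._hidden - 1)
        elif tag == "a":
            self._in_link = max(0, self._in_link - 1)

    def handle_data(self, data):
        if not self._hidden:  # ignore CSS/JS, count non-whitespace characters only
            self.text_chars += len("".join(data.split()))

def body_stats(raw_message):
    """Parse every text/html part of an RFC 5322 message string."""
    stats = BodyStats()
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            stats.feed(part.get_content())
    stats.close()
    return stats

def is_image_only(raw_message, max_text_chars=40):
    """Assumed heuristic: a linked image and almost no scannable text."""
    stats = body_stats(raw_message)
    return stats.linked_images >= 1 and stats.text_chars <= max_text_chars

# Constructed samples; the .example domains are placeholders.
HEAD = "From: a@sender.example\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
SAMPLE_IMAGE_ONLY = HEAD + ('<html><body><a href="https://lookalike.example/deal">'
                            '<img src="cid:offer.png"></a></body></html>')
SAMPLE_NORMAL = HEAD + ("<html><body><img src='cid:logo.png'><p>Hello, here is our "
                        "February newsletter with opening hours and member news.</p>"
                        "<a href='https://brand.example/news'>Read more</a></body></html>")
```

On its own this flag is weak, since legitimate marketing mail is sometimes image-heavy; it is meant to be combined with the sender and subject-line signals the paragraph mentions.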

If the recipient hovers over the image, a preview of the destination link will appear. The link itself can be seen in the link-scanning screenshot below. The attacker has employed a technique called ‘typosquatting’ (a form of link obfuscation), where they modify a number of characters in a registered ‘lookalike’ domain to make it visually similar to the legitimate domain.

In this case, the attacker slightly misspelled “Marriott” by removing a single ‘r’ and used a different top-level domain, replacing ‘.com’ with ‘.us’. The attacker hopes that these subtle discrepancies will go unnoticed, leading the recipient to click the link without suspicion.
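A link scanner can catch both changes described above, the dropped character and the swapped top-level domain, by comparing each link's domain against an allow-list of brand domains. This is an added example, not code from the original article; the fictional brand `redwoodinn.com`, the function names and the distance threshold are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the organisation maintains this allow-list of brand domains.
BRAND_DOMAINS = {"redwoodinn.com"}  # fictional brand, constructed for the example

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(url):
    """Naive last-two-labels domain; real code should use the Public Suffix List."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return ".".join(host.split(".")[-2:])

def classify_link(url, max_distance=2):
    """Return (verdict, matched_brand_domain, distance, tld_changed)."""
    domain = registrable(url)
    if domain in BRAND_DOMAINS:
        return ("legitimate", domain, 0, False)
    label, _, tld = domain.partition(".")
    best = None
    for brand in BRAND_DOMAINS:
        b_label, _, b_tld = brand.partition(".")
        d = edit_distance(label, b_label)
        # Keep the closest brand; distance 0 here means only the TLD differs.
        if d <= max_distance and (best is None or d < best[2]):
            best = ("lookalike", brand, d, tld != b_tld)
    return best or ("unrelated", None, None, False)
```

Short brand labels produce false positives at a distance of 2, so the threshold should scale with label length in practice.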

Screenshot of a partly redacted end destination link if a recipient were to click on it, processed through a link re-writer.

If a recipient does not have an anti-phishing tool to identify and block the link, clicking it would trigger a Captcha, as shown in the screenshot below. Typically used to verify that a user is human rather than an automated bot, Captchas in these types of attacks are employed to block certain forms of link scanning functionality, including end-destination scanning, preventing security tools from detecting malicious sites.

From there, the malicious website could be used to harvest the recipient’s credentials, download malware onto their device, and potentially steal sensitive information or gain unauthorized access to personal or organizational accounts.

Screenshot of the captcha that appears if the malicious link was clicked

Example 2 – Combining Seasonal Events
Cybercriminals took it a step further over Super Bowl Weekend (February 9-8th), leveraging the excitement of a major cultural event alongside Valentine’s Day to create a double threat, targeting victims with highly relevant and timely scams.

In this example, the attackers have impersonated the NFL. However, the template is less sophisticated than the first, using a combination of images, hyperlinks, and text within the body. The message urges the recipient to click a link to claim a free reward, once again employing social engineering tactics like time limits to create a sense of urgency.

Screenshot of a phishing attack that impersonates the NFL, with KnowBe4 anti-phishing banners applied.

Mitigating Advanced Threats with Human Risk Management
In 2024, we observed a 43% increase in attacks impersonating dating apps, highlighting that cybercriminals have recognized the effectiveness of exploiting this holiday season, tapping into heightened emotions and people’s desire for a good deal.

These attacks are strategically timed to align with an increase in legitimate emails about holidays and key events, maximizing their chances of success. It’s no surprise, then, that we’ve seen a 34.81% increase in Valentine’s Day-themed scams this year. Cybercriminals only pursue attacks that deliver a return, and clearly, these tactics are paying off.

To effectively combat these threats, it is essential to pair timely user education and training with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is essential, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.

So this Valentine’s Day, love may have been in the air, but so were cyber threats. As we celebrated the season of love, we had to remember that cybercriminals were also targeting our hearts, and our personal data. While Valentine’s Day has passed, the need to stay alert and cautious when clicking on links or sharing sensitive information remains crucial all year round.


