
A Sharp Surge in Valentine’s Day-Themed Scams


Authors: Martin Kraemer, Security Awareness Advocate at KnowBe4 and James Dyer, Threat Intelligence Lead at KnowBe4

This Valentine’s Day, Cupid wasn’t the only one taking aim. Our Threat Research team noted a 34.8% increase in Valentine-related threat traffic compared to February of 2024.

Leveraging impersonation and social engineering tactics, attackers have used a seasonal event to exploit heightened emotions and a sense of urgency, effectively increasing the likelihood of success of their phishing campaigns.

Our team observed these attacks beginning on February 2nd this year, compared to January 29th last year, peaking on February 3rd. Interestingly, despite the later start in 2024, their volume as a percentage of mail flow is higher than in previous years.

Quick attack summary
All attacks in these campaigns were identified and neutralized by KnowBe4 Defend and analyzed by our Threat Research team.

Primarily link-based in nature, attackers are exploiting the cultural buzz that surrounds Valentine’s Day with phishing campaigns that leverage the seasonal event. In fact, our Threat Research team has noted that 8.45% of phishing emails made some form of reference to ‘valentines’ from February 2nd to 11th, 2025.

Many of these attacks impersonated well-known brands, using a single image in the email body that directs the recipient to a malicious website. Some also employed link obfuscation techniques to conceal the end destination. These two concepts are explained in more detail below.

Vector and type: Email phishing
Technique: Link obfuscation and brand impersonation
Targets: Global
Platform: Microsoft 365

Top 5 brands impersonated in Valentine’s-themed campaigns:

  1. Hilton (Luxury Hotel)
  2. Marriott Bonvoy (Luxury Hotel)
  3. Walmart (Commerce)
  4. Amazon (Commerce)
  5. 7-eleven (Commerce)

Breakdown of payloads present in the attacks:

  • Links: 82.6%
  • Attachments: 11.2%
  • Social engineering: 4.8%
  • Malware: 1.5%

Example 1 – A Typical Attack
In the attack analyzed below, the cybercriminal has sent a phishing email impersonating the large luxury hotel provider Marriott Bonvoy with a stylized template that mimics Marriott’s branding to leverage consumer confidence in the brand’s reputation and lower recipient suspicion.

The attack directs the recipient to click on a link that will supposedly reveal their ‘exclusive’ deal, ‘just in time’ for Valentine’s Day. Here, the attacker is employing social engineering tactics that exploit the general excitement people feel about exclusivity and budget deals – especially for a luxury experience. They’ve also added a sense of urgency by implying the recipient must act quickly to secure the deal.

The email’s body consists of a single embedded image rather than separate elements like text and buttons typically found in standard emails. In other words, the entire email functions as a screenshot, designed to look like a normal message.

This is an obfuscation technique designed to limit the detection efficacy of email security tools. Without text to scan, the traditional signature-based detection present in Microsoft’s native security and secure email gateways (SEGs) can’t identify links to known phishing websites, while more advanced tools, such as natural language processing (NLP) and natural language understanding (NLU), can’t detect the linguistic identifiers of social engineering, such as urgent or emotive language. This is likely why our Threat Research team saw the attacks bypass various configurations of Microsoft 365’s security tools.

Screenshot of a phishing attack impersonating Marriott Hotel with KnowBe4 Defend’s anti-phishing banners applied.

For tools like KnowBe4 Defend to identify such attacks, they must take a holistic approach to phishing detection, analyzing all signals that could show malicious intent. Factors like subject line and sender analysis, as well as recognizing when the email consists primarily of a single image, enabled us to detect these phishing emails after they got through native and SEG security.

If the recipient hovers over the image, a preview of the destination link will appear. This link itself can be seen in the link-scanning screenshot below. The attacker has employed a technique called ‘typosquatting’ (a form of link obfuscation), where they alter a few characters in a registered ‘lookalike’ domain to make it visually similar to the legitimate domain.

In this case, the attacker slightly misspelled “Marriott” by removing a single ‘r’ and used a different top-level domain—replacing ‘.com’ with ‘.us.’ The attacker hopes that these subtle discrepancies will go unnoticed, leading the recipient to click the link without suspicion.

Screenshot of a partly redacted end destination link if a recipient were to click on it, processed through a link re-writer.
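The two signals described above, a body that is a single linked image and a link host that is one edit away from a known brand on a different domain, can be checked together. The following is an added example, not KnowBe4's detection logic or code from the original article; the brand list, the `examplehotel` domains, the thresholds and the sample message are all constructed assumptions.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical brand list: label to watch for -> its genuine domain.
KNOWN_BRANDS = {"examplehotel": "examplehotel.com"}

class BodyScan(HTMLParser):  # collects visible text, image count, link targets
    def __init__(self):
        super().__init__()
        self.text, self.images, self.links = [], 0, []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])
    def handle_data(self, data):
        self.text.append(data)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(host):
    """Return the genuine domain a host imitates, or None."""
    host = (host or "").lower().rstrip(".")
    for label, real in KNOWN_BRANDS.items():
        if host == real or host.endswith("." + real):
            continue  # the brand's own domain or one of its subdomains
        if any(edit_distance(part, label) <= 1 for part in host.split(".")):
            return real  # near-identical label on a different domain or TLD
    return None

def analyse(raw):  # flag image-only bodies and links to lookalike domains
    scan = BodyScan()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    hosts = {urlsplit(u).hostname for u in scan.links}
    return {"image_only": scan.images >= 1 and len(" ".join(scan.text).split()) < 5,
            "lookalikes": sorted((h, r) for h in hosts if (r := lookalike_of(h)))}

# Constructed sample: the whole body is one linked image, as in Example 1.
SAMPLE = ('Subject: Your exclusive deal\nContent-Type: text/html; charset="utf-8"\n\n'
          '<a href="https://www.examplehotl.us/deal"><img src="cid:offer.png"></a>\n')
```

Neither signal is conclusive alone; legitimate marketing mail is often image-heavy, so the result is best fed into scoring alongside the subject line and sender analysis mentioned above.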

If a recipient doesn’t have an anti-phishing tool to identify and block the link, clicking it would trigger a Captcha, as shown in the screenshot below. Usually used to verify that a user is human rather than an automated bot, Captchas in these types of attacks are employed to block certain forms of link scanning functionality, including end-destination scanning, preventing security tools from detecting malicious sites.

From there, the malicious website could be used to harvest the recipient’s credentials, download malware onto their device, and potentially steal sensitive information or gain unauthorized access to personal or organizational accounts.

Screenshot of the Captcha that appears if the malicious link was clicked

Example 2 – Combining Seasonal Events
Cybercriminals have taken it a step further over Super Bowl Weekend (February 9-8th), leveraging the excitement of a major cultural event alongside Valentine’s Day to create a double threat, targeting victims with highly relevant and timely scams.

In this example, the attackers have impersonated the NFL. However, the template is less sophisticated than the first, using a mixture of images, links, and text within the body. The message urges the recipient to click a link to claim a free gift, once again employing social engineering tactics like time limits to create a sense of urgency.

Screenshot of a phishing attack that impersonates the NFL, with KnowBe4 anti-phishing banners applied.

Mitigating Advanced Threats with Human Risk Management
In 2024, we saw a 43% increase in attacks impersonating dating apps, highlighting that cybercriminals have recognized the effectiveness of exploiting this holiday season—tapping into heightened emotions and people’s desire for a deal.

These attacks are strategically timed to align with an increase in legitimate emails about holidays and key events, maximizing their chances of success. It’s no surprise, then, that we’ve seen a 34.81% increase in Valentine’s Day-themed scams this year. Cybercriminals only pursue attacks that deliver a return, and clearly, these tactics are paying off.

To effectively combat these threats, it is crucial to pair timely user education and training with intelligent anti-phishing solutions. While educating users on the dangers of phishing and how to spot suspicious messages is essential, advanced technological defenses, such as machine learning and AI-powered detection, play a critical role in identifying and neutralizing these threats. Together, these strategies form a comprehensive defense that can better protect individuals and organizations from sophisticated phishing attacks.

So this Valentine’s Day, love may have been in the air, but so were cyber threats. As we celebrated the season of love, we had to remember that cybercriminals were also targeting our hearts—and our personal data. While Valentine’s Day has passed, the need to stay alert and cautious when clicking on links or sharing sensitive information remains important all year round.


