Despite the rise of live messaging and video conferencing in professional interactions, email communication is as widespread as ever. Unfortunately, so are cyberattacks that use this channel to extort and steal from businesses.
Let’s take a quick look at the most widespread security attacks that happen via email.
1. Business Email Compromise (BEC)
BEC is an email scam that relies on social engineering. According to the FBI, it is the most financially damaging type of cyberattack. Between 2016 and 2019, companies lost a total of over $26 billion as a result of BEC attacks.
The idea behind BEC is simple: the scammers impersonate a trusted coworker (or sometimes a client or other professional contact). Through email, they request a money transfer. The email recipient has no reason to suspect anything is wrong, and so they send money to the scammers’ account.
A classic example is when an employee receives an email that appears to come from the CEO of the company. The request is urgent and it sounds legitimate, so the employee doesn’t double-check it through other channels.
Another possibility is for the scammers to impersonate a random employee and email payroll with false “new account details,” and then wait until their monthly payment lands.
In order to impersonate a sender that people will trust, the attackers may:
● Spoof a real email address
In this case, the scammers register a look-alike address, typically on a domain that differs from the real one by a single character. For example, the CEO’s real address is w.a.mozart@nameofcompany.com, and the scammers create and use the address w.a.mozart@nameofconpany.com. The recipient might not notice the difference.
Note: The term ‘spoofing’ refers to impersonating legitimate sources of any kind.
● Hijack a real email address
Through malware or social engineering, it is possible to take over an employee’s actual email account. In this case, the scammers may contact the victim through several channels simultaneously (e.g. through chat or texting).
2. Phishing
Once again, this scam relies on the construction of a false identity. From a spoofed email address, the scammers send an email asking the recipient to share some information. These emails tend to include a clickable link.
You might think phishing scams only work on gullible people who aren’t fully in touch with online norms of behavior. And some scams do fit this profile! For example, there are phishing attacks that have a convoluted story attached, and the email is deliberately misspelled and full of grammar errors. The errors are there to filter out suspicious would-be victims: the email looks unprofessional, but some recipients don’t notice that, and they are the likeliest to give up their personal information. Here’s a good example from Berkeley’s Information Security Office.
However, it’s important to realize that there are much more sophisticated phishing methods than that. Even in professional inboxes, it is common to receive phishing emails that appear to be from banks, subscription services, money transfer services, etc. For example, you may receive an email that appears to be from PayPal, with a ‘Go to PayPal’ button in the body of the email. Upon clicking this link, you’ll be redirected to a false (spoofed) version of the PayPal website. If you enter your bank account information here, you’ll be transferring your money to the scammers.
Apart from bank account info/credit card details, phishing attacks may be aimed at your passwords. They can also redirect you to a website that contains malware.
Note: Some scammers use exact copies of emails you’ve received in the past from legitimate sources, except they swap in a dangerous link or attach malware. This is known as clone phishing. To avoid falling for it, always check the email address of the sender, even if everything else looks normal and expected.
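The two checks the article recommends, a look-alike sender domain (the nameofconpany.com example above) and a link whose visible text names one site but whose href leads elsewhere (the fake ‘Go to PayPal’ button), can be automated on the mail-gateway side. The following is an added example, not code from the original article; the trusted domain list, the sample message and the example.net host are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domains your organisation treats as its own (sender side).
TRUSTED_DOMAINS = {"nameofcompany.com"}
# <a href="...">text</a> pairs, and link text that claims a host ("https://www.paypal.com").
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

def lookalike_domain(sender, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain the sender's domain nearly matches, else None."""
    domain = parseaddr(sender)[1].rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None  # an exact match is legitimate, not a lookalike
    for good in trusted:
        # One substituted letter in a 17-character domain scores about 0.94
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def mismatched_links(html):
    """Links whose visible text names one host but whose href points at another."""
    bad = []
    for href, text in LINK_RE.findall(html):
        claim = HOST_RE.match(text.strip())
        if not claim:
            continue  # text such as "Go to PayPal" makes no host claim to compare
        if claim.group(1).lower() != (urlparse(href).hostname or "").lower():
            bad.append((text.strip(), href))
    return bad

def scan_message(raw):
    """Run both checks over a raw message whose body is HTML."""
    msg = message_from_string(raw)
    return {"lookalike": lookalike_domain(msg.get("From", "")),
            "bad_links": mismatched_links(msg.get_payload())}

# Constructed sample: one-letter-off sender domain plus a link that claims to be PayPal.
SAMPLE = """From: "W. A. Mozart" <w.a.mozart@nameofconpany.com>
To: payroll@nameofcompany.com
Subject: Urgent transfer
Content-Type: text/html

<p>Please confirm at <a href="http://secure-login.example.net/x">https://www.paypal.com</a></p>
"""
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A hit on either check is a reason to hold the message for review rather than a verdict on its own; a legitimate partner on a newly registered, similar-looking domain will also trip the first check.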
3. Spear-Phishing
Regular phishing emails tend to start with a general greeting, such as “Dear Client” or “Dear Customer” (or in the case of less formal emails, “Hello friend”). They are typically sent out en masse, to thousands of recipients at the same time.
Spear-phishing is the targeted form of the same attack. Before emailing you, the attackers gather information about you - most notably, your name. A spear-phishing email will address you personally, which increases the appearance of legitimacy.
The most sophisticated spear-phishing attacks will even contain accurate references to past email exchanges or your online behavior. The attackers get this kind of information through previous malware attacks.
4. Malware
According to Verizon’s 2019 Data Breach Investigations Report, “the median company received over 90% of their detected malware by email. […] It is possible for malware to be introduced via email, and once the foothold is gained, additional malware is downloaded, encoded to bypass detection and installed directly.”
Types of malware frequently aimed at businesses:
● Ransomware is an extortion method that allows the attackers to collect confidential data or lock down crucial processes within the company. The victims are told to pay a ransom if they want to stop the attack.
● Trojans seem like legitimate applications, but they give cybercriminals access to the victim’s computer and local server.
● Spyware is malware that spies on the user and collects passwords, bank account numbers, etc. Using spyware can be the first step of a BEC or spear-phishing attack.
It’s important to realize that malware attacks may endanger your clients and business partners as well as your own company. For example, a ransomware attack in Finland targeted a mental health clinic. Since the attackers obtained extremely personal information, they then extorted the patients of the clinic, threatening to make their patient files public.
5. Spam
Statistics show that spam accounts for over half of global email traffic. While it may seem harmless, spam impacts server productivity. It also wastes time - even if your team has plenty of experience with recognizing spam, dealing with it can derail their ability to focus. Due to the sheer volume of received spam, employees are in danger of overlooking a legitimate, important email.
Start Protecting Your Company Today
On average, 306.4 billion emails get sent per day worldwide. This number is predicted to reach 361.6 billion by the year 2024. We are relying on email more than ever before – so let’s make sure we do it without any unnecessary risks.
It’s a matter of time before your business gets attacked. So, in addition to obtaining good cybersecurity software, you need to make sure your team understands the risks.
Occasional training seminars are a good place to start, but it’s better to provide employees with an up-to-date, interactive way to learn about cybersecurity risks as they work. The world of cybercrime is constantly evolving and adapting - make sure your team is doing the same.