The Top 3 Current Email Threats

Uploaded on 2022-08-15 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

Emails originated as a convenient way to remotely share information and security has been a foremost concern in the design and use of email applications. Consequently, criminals and other threat actors have long used email as a primary and highly effective attack vector on people and organisations. 

Email is a vulnerable resource that is typically critical for an organisation's infrastructure and can be used for phishing scams, business compromise and ransomware,

Each attack can be carried out by other means, such as phone calls, text messages or malicious websites, but email messages remain a convenient and reliable vector for attackers, who often combine two or more of these types of attacks to increase their chances of success. Here are the top three email threats, what they have in common and how you can protect your organisation.

Email attacks fall into three broad categories: phishing, social engineering and malware infections, typically designed to extort ransom,

Phishing & Spoofing Attacks

Most successful email-based attacks have something in common. They generally involve email spoofing, which is when an attacker fakes the sender's address to make it seem like an email message comes from a trustworthy sender. You're more likely to click on a link or open an attachment when you think it comes from someone you know or a company you trust.

  • Spoofing is not an attack itself but a means to an end. Fortunately, technological defenses against spoofing called DKIM, DMARC and SPF are free and widely available. Implementing them will go a long way toward making your organisation's email communications, both incoming and outgoing, more secure. 
  • Phishing Phishing is the most common email threat and the one that's least likely to disappear with time. It tricks you into handing over private bits of information such as account usernames, passwords, email addresses, credit-card numbers or Social Security numbers.

The phisher hides from you by using technology pretending to be a trustworthy entity, which can be a well-known company or a workplace colleague. Malware is usually not involved, and there's little personal interaction. The best phishing scams blend into your daily routine so that you never notice anything is wrong.

A report from CyberRiskAlliance has found that 60% of CISOs and other IT managers surveyed cited phishing and spoofing as among their top three email-security concerns, right behind ransomware. 

In the most common scenario, a phisher's email message tells you there's something wrong with one of your accounts and that you need to log in immediately. The message includes what seems to be a link to the account login page but is really a clever mockup. As soon as you type in your credentials, the attacker has them.

Phishing can also be done via SMS text messages and or through voice calls. But phishing email messages are still the primary method of attack.

Targeted phishing attacks aimed at a single person or a small group of people, such as company executives or human-resources or IT staffers and attackers often research their targets beforehand and personalise the malicious messages to make them more likely to succeed.

While anti-spoofing defences will reduce the number of phishing messages that reach your staffers, they won't stop them all. If an attacker gets access to an employee's internal network account, possibly by spear phishing, then they can send phishing emails to other staffers that genuinely come from that employee's account.
Your correspondent once fell for an email that seemed to come from an HR staffer and asked all staffers to address a payroll issue. A link in the message led to what looked like the Office 365 login page. 

Antivirus software blocked the site for some staffers, but other employees weren't so lucky and had their paycheck direct deposits rerouted to other bank accounts.

Aside from anti-spoofing protocols, protections against phishing are numerous. Training  all your organization's employees about how to monitor emails, looking out for phishing attacks and what to do if they fail to detect them is critical.

Social Engineering &  Business Email Comromise (BEC)

Social engineering is a new name for old-school confidence tricks that don't always involve technology. If you've ever talked your way into an exclusive party or event you weren't invited to, that's social engineering. Today, crooks are using high-level social engineering to carry out business email compromise attacks. They impersonate company CEOs or CFOs and convince employees to pay phony invoices or make wire transfers to random bank accounts.

The attacks usually include spoofing and may be facilitated by phishing, but do not generally involve malware; the goal is money.

These BEC attacks can be done in a number of ways, including by sending text messages to staffers after hours or by dialing into video conferences. "In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a 'deep fake' audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly," said the FBI in its 2021 Internet Crime Report.   

The most common vector for attacks is via email. Often, the attackers compile lists of company employees authorised to make payments, which can be obtained from LinkedIn or company websites. Then the attackers target employees with spoofed emails that seem to come from the boss and demanding urgent wire transfers to a specific companies or bank accounts. If the employees who get the emails believe the scam and can make the payments, then the money may be gone for good.

The FBI estimates that US businesses and individuals lost $2.4 billion to BEC scams in 2021, with losses rising 65% from July 2019 to December 2021. The worldwide cumulative damage since June 2016 reached $43 billion.

 Malware Infection & Ransomware

In 2011, a large information security vendor was struck by Chinese state-sponsored attackers who sent email messages to just a few people in the company, spoofing addresses so that employees appeared ed to be emailing each other. 

Attached to the messages was a Microsoft Excel file that exploited a previously unknown vulnerability in Adobe Flash and gave the attackers full control of the employees' machines.

The attackers used that access to penetrate the vendor's networks and compromise its leading security product, which was used by US defense contractors and thousands of other organisations to protect their networks. The security company had to make good with its clients and took a $66 million charge because of the attack.

Email-delivered malware is perhaps the most dangerous email threat of all. It can deeply penetrate an organisation's systems, quietly stealing information for months or even years. If the goal is money rather than information, then it can install ransomware that locks up those systems and demands payment to free them or steal proprietary data and ransom that too.

Such malware often comes in the form of an attachment that looks innocuous, like an invoice or a resume. The accompanying message may urge that the attachment be opened immediately. In other cases, the message contains a link that takes the recipient to a website that silently tries to install malware through a web browser.

Aside from anti-spoofing measures, the best defenses against email-borne malware are strong end-point protection software that automatically scans all email attachments, regular application and operating-system updates, and strict security policies.

Conclusion

Email is by far the most common way businesses communicate and in the digitised business world it provides an   open door. Even our most sophisticated detection systems can be fooled by a crafted email from a skilled bad actor. 

Ultimately, the final defence layer is the email user. It is the user who reads the email and clicks the link. With better education in spotting rogue emails, and thinking before they click, many users can stop an attack before it even starts.

IC3:      SC Magazine:   Cyber Risk Alliance:

You Might Also Read:    

Phishing - The Game Is Changing:

 

« $3 Million Romance Fraudster Arrested
British Parliament Shuts Down Its TikTok Account »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

CRYPTTECH

CRYPTTECH

CRYPTTECH specializes in Information Security and Intelligence, Risk Evaluation and Vulnerability Recognition against Cyber-Attacks and APTs.

Tigera

Tigera

Tigera provides zero-trust network security and continuous compliance for Kubernetes platforms that enables enterprises to meet their security and compliance requirements.

Micro Strategies Inc.

Micro Strategies Inc.

Micro Strategies provides IT solutions that help businesses tackle digital transformation in style.

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic (MyCSC)

MyCyberSecurity Clinic's main goal is toward establishing an international reference centre for excellence in the field of digital forensics and data recovery services.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

Fairfirst Insurance

Fairfirst Insurance

Fairfirst Cyber Insurance protects your business assets against the complexity of cyber threats.

Gluu

Gluu

Modern Authentication for Digital Enterprise. Organizations around the world trust Gluu for large-scale, high-security identity & access management.

Dasera

Dasera

Dasera’s Radar and Interceptor products deliver visibility, governance, and protection solutions for data-agile companies.

Everything Blockchain

Everything Blockchain

Everything Blockchain offer solutions that transform enterprise data-management capabilities. Increased efficiency, super-charged performance and all with government grade security.

Quantropi

Quantropi

Quantropi is bound to be the standard for quantum-secure data communications – forever unbreakable, no matter what.

OptimEyes.ai

OptimEyes.ai

OptimEyes.ai is a unique AI-powered, on-demand SaaS solution for cyber-security, data privacy and compliance risk modeling.

CertiProf

CertiProf

CertiProf has been enhancing professional lives since 2015, offering a wide range of IT certifications and agile framework training.

Appknox

Appknox

Appknox is the world’s most powerful plug-and-play security platform that helps developers, security researchers, and enterprises to build a safe and secure mobile ecosystem.

Attestiv

Attestiv

Attestiv puts authenticity into photos, videos and documents by utilizing advanced technologies in AI and tamper-proofing.

InQuest

InQuest

InQuest specialize in providing comprehensive network-based security solutions that empower organizations to protect their most critical assets: their people.