Beware of Increasingly Sophisticated and Costly Email Threats

Photo credit: iStockphoto/scyther5

As technology infiltrates every aspect of business and our lives, cybercriminals are taking advantage of the larger attack surface to launch ever more complex and costly attacks. In the first 11 months of 2019 alone, the Government Computer Emergency Response Team in Hong Kong handled 8,827 security incidents, including 2,342 cases of phishing and 1,205 cases of malware.

Among them, fraudulent emails are the most common cyber security incidents. Email and phishing threats faced by organizations today vary in complexity, volume, and the impact they have on businesses and their employees. As social-engineering tactics are increasingly sophisticated and become harder to defend against, they can cause costly damages to an organization’s business and brand.

Here are the three types of complex email threat that organizations should be beware of: brand impersonation, business email compromise and account takeover.

Tricking users into revealing personal information

Brand impersonation is designed to impersonate a company or a brand and trick their victims into responding and disclosing personal or otherwise sensitive information. Common types of brand impersonation include service impersonation and brand hijacking.

Service impersonation is a type of phishing attack designed to impersonate a well-known company or commonly used business application. It is used in 47% of all spear phishing attacks. Cybercriminals can use this technique to steal personally identifiable information such as credit card and ID card numbers.

Microsoft is the most impersonated brand (56%). Microsoft and Office 365 credentials are high value because they allow hackers to penetrate organizations and launch additional attacks. Other brands being impersonated include We Transfer, DHL, Chase and Netflix.

Meanwhile brand hijacking occurs when an attacker appears to use a company’s domain to impersonate a company or one of its employees. This is usually done by sending emails with false, or spoofed domain names that appear to be legitimate.

Brand hijacking or spoofing attacks are made possible by a weakness in the email RFC standard that does not require full authentication of the sending domains. A Dell Technologies study showed that there are almost 30,000 spoofing attacks each day. Plus, 77% of Fortune 500 companies do not have DMARC policies set up, making it easy for scammers to spoof their brands in phishing attacks.

BEC is small in number but big in financial damage

Business email compromise (BEC) is one of the most prevalent types of cyber fraud. In a BEC attack, scammers impersonate an employee in the organization to defraud the company, its employees, customers, or partners.

Payroll scams are a popular form of BEC attack. These scams target human resources and payroll departments with the goal of getting an employee’s salary transferred to a different, fraudulent account.

BEC is also known as CEO fraud, CFO fraud, or employee impersonation. These attacks use social-engineering tactics and compromised accounts, and often include no attachments or links. While BEC makes up only 7% of spear-phishing attacks, it caused more than USD1.7 billion in losses in 2019 alone, according to the FBI. Gmail accounts are used to launch 47% of BEC attacks.

Almost a third saw email accounts compromised

Account takeover is where cybercriminals use brand impersonation, social engineering and phishing to steal login credentials and access email accounts.

Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled. This helps them launch successful attacks and harvest login credentials for other accounts.

A Barracuda report found that 29% of organizations had their Microsoft office 365 accounts compromised by hackers in March 2019. Over 1.5 million malicious and spam emails were sent from the hacked office 365 accounts in that 30-day period.

Employees as a defense layer

Companies may guard against these types of threats with security awareness training. Other than advising their employees to stay vigilant of email attacks, companies should also consider upgrading to more secure email gateway solutions as they block most malicious messages.

However, while email gateways are still necessary, they are no longer enough to protect organizations from socially engineered attacks. An additional layer of protection — inbox defense — relies on API to integrate directly with your email environment, including individual inboxes. Using API integration provides visibility into both historical and internal email communication for every individual in the organization.

In conclusion, as email threats evolve, traditional defense mechanisms are no longer sufficient. As human error continues to be the major cause of data breaches, it is crucial for organizations to provide end-user training and phishing attack simulation to educate users on recognizing and reporting malicious content, transforming them into a layer of defense.

James Forbes-May, vice president of Barracuda Networks Asia Pacific, wrote this article. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Photo credit: iStockphoto/scyther5