Understanding Email Threats & Vulnerabilities
Often used to steal data, login credentials, and other forms of valuable information. How does the attacker get away with it?
Phishing emails take the guise of emails that come from ordinary and or legitimate companies. For instance, if you receive an email that looks like it’s from Chase Bank, but there are a couple of extra letters or wrong punctuation, you should be suspicious.
When you open the email, it may prompt you to click a link or download an attachment that contains malware. These attacks can be devastating for companies and individuals alike.
These emails rarely target specific individuals or organizations. They’re typically like roaming sharks, trying to get any particular user of an application or service.
Like ordinary phishing emails, the aim of this cyber attack is to steal information or money.
Spear Phishing attacks tend to be more dangerous though because targets are better researched, and the attacker is able to impersonate a legitimate sender.
For instance, the spear phishing email may look like an email from your boss or one of your employees.
With social media sites like Facebook and LinkedIn, it’s becoming easier for criminals to get information about people you know and impersonate them. Because these types of attacks take more time and energy to prepare, they’re usually aimed at larger organizations that have more to lose.
Used by cybercriminals, this scam impersonates a legitimate company or individual to trick you into giving up valuable information, money, or system credentials. But while phishing attacks target a general user base, and spear-phishing targets organizations previously scouted, whaling attacks specifically go after the “whales” of a company: executives, senior staff, etc.
Whaling attacks masquerade as other senior leaders within an organization. It’s much easier to refuse to give up valuable information to a “Nigerian prince” or “Mike from IT” than it is to refuse a request that looks like it’s from senior management.
Business Email Compromise
Business Email Compromise (BEC) cyberattackers pose as someone within the organization in order to ask for system credentials, sensitive information, or request money.
According to the FBI, a hacker might get access to the information needed to carry out a BEC attack in a few ways:
- Spoofing an email account or website using a slight variation on a real email address, eg firstname.lastname@example.org vs. email@example.com.
- Spearphishing emails trick one user into revealing confidential information allowing criminals access to company accounts, calendars, and data from which they can extract the details they need.
- Malware can be used to get access to legitimate email accounts and/or gain information like invoicing schedules.
It can be difficult to detect these kinds of attacks through automated software and hardware tools so regular security awareness training is critical for keeping your company safe.
Once an attacker has the information they need to successfully impersonate a legitimate business email, there are four primary types of BEC attacks they’ll carry out:
- Account Compromise — An employee's email is hacked and used to request money from other people within the organization.
- Attorney Impersonation — An attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge needed to question the validity of the request.
- False Invoice Scheme — Attackers request payment for what looks like a legitimate invoice.
- Data Theft — Attackers acquire data belonging to individuals within a company, often CEOs and other executives, as a way to better plan future attacks. For this reason, these attacks are typically aimed at HR employees.
These attacks guise themselves as ordinary attachments and documents that, once clicked or opened, launch an attack on your computer. Sometimes the attack is a virus that takes your information, and sometimes it puts your critical data up for ransom.
These attacks may also just be one step in a larger attack, especially if the cybercriminal aims to launch a whaling attack.
Unsolicited Email (Spam)
Spam emails tend to just be unwanted advertisements sent at a large scale, but they’re also a hotbed for bad actors.
Other times, however, they’re just a newsletter you subscribed for that ended up in the wrong folder.
Spammers are often businesses that purchase mailing lists or use web-scrapers to collect publicly available email addresses. While not all spam emails are from cybercriminals, many of them are, so be wary.
Email Password-Based Attacks
This threat is fairly straightforward, but can severely undermine the security of your organization’s email communications.
When companies don’t adhere to password best practices, it becomes easy for a cybercriminal to break into IT-related accounts, including email.
There are many ways a hacker might attempt to breach email security through passwords, including:
- Brute Force Attacks — When a hacker tries to break into email by attempting to log in several times by guessing different possible passwords. Hackers use a program to auto-generate potential passwords and then repeatedly and rapidly try to log in. These programs can sometimes make a thousand password guesses per minute. Most modern logins restrict the number of login attempts for this reason.
- Traffic Interception Attacks — When a cybercriminal utilizes a traffic interception tool to intercept your wireless data. With enough data packets, the hacker is able to breach your network security to decipher any encrypted data, including passwords.
- Man in the Middle Attacks — When a hacker puts themselves in the middle of the communication between you (the client) and your server.
- Keylogger Attacks — The hacker will utilize keylogging software that tracks the keys you type into your keyboard. They will use the data gathered to uncover any passwords or any other valuable data.
Sharing of Sensitive Data
There are some types of information you don’t want to communicate via email.
Things like bank account information, password information, and other types of sensitive data should be delivered in a more secure medium. This is especially important if your organization works in the medical industry since employees may accidentally share personal health information (PHI) on email servers.
If emails aren’t armored up with encryption and other safety precautions, sharing PHI via email may result in a HIPAA violation costing up to $1.5 million. Email can be safer if you utilize software solutions that can encrypt messages and protect accounts against malware.
One such solution isn’t technically email. It works by sending a link to the person you want to email. When they click that link, they’ll be able to securely sign in to a web page that displays the contents of your email there.
With Managed Security Services, you get top-of-the-line cybersecurity solutions that automate much of the tedious work that you’d normally need to do.