Technology has made significant strides over the last few years, but the tactics used for email phishing haven’t changed all that much. Many of the old strategies still work, and as the saying goes, “If it ain’t broke, don’t fix it.”
During Bee Token’s initial coin offering (ICO) in 2018, a scammer pretended to be a member of the Bee team, sending emails to would-be investors and instructing them to deposit ETH into crypto wallets under their control, supposedly in return for Bee Tokens. The scammer ended up collecting $1 million.
The attacker’s tactic was, in short:
- Pretend to be someone that victims trust.
- Trick victims into handing over something of value.
Four years later, in 2022, the same technique is being used to steal Microsoft 365 and Outlook credentials. Hackers pretend to be someone from Microsoft, telling customers in an email that they have a voicemail. Victims have to click a link to listen to the message. After clicking, they’re brought to a site that looks like a legit Microsoft sign-in page but is, in fact, a phishing site. They’re then asked to enter their login credentials to access the voicemail.
Credentials that hackers steal are either sold online or used to access the victims’ accounts. In other cases, they’re used to execute a brute-force attack, which is a method used to crack usernames and passwords and then illegally infiltrate a system. So if a user logs in to their financial account using the same Microsoft 365 credentials a hacker just stole, for example, the hacker could easily steal the target’s funds.
Regardless of what attackers seek to accomplish when launching email attacks, phishing involves trickery, followed by theft. This underscores the need for stringent email security.
Why Email Is the #1 Attack Vector
Email is a popular attack vector among cybercriminals for various reasons:
- Email is versatile: Email users—including attackers—can attach documents and embed links in messages.
- Email is a widely used communication channel: There are billions of email users worldwide. So the more phishing emails attackers send, the more likely someone will take the bait.
- Email can disguise a bad actor’s identity: Many email users don’t take the time to examine senders’ email domains, so attackers can easily pretend to be someone else. Also, hackers can slip into the digital shadows after a successful attack, especially because email makes it relatively easy to conceal their identity.
- People still fall for phishing scams: Despite repeated warnings, people still click on bad links or download malicious attachments in emails—not because they are inherently lazy but because phishing attacks replicate existing workflows and the average worker juggles scores of tasks, making them prone to error.
- Email provides access to corporate networks: A bad actor duping an unsuspecting employee into handing over their login credentials can easily slip into your corporate network undetected.
The Importance of Email Security
The Department of Justice (DOJ) recently filed a suit against a cybercriminal who allegedly stole $100 million using what’s known as business email compromise (BEC). BEC occurs when an attacker targets a specific person at an organization, tricking them into providing credentials or other sensitive information, and then using those to steal money.
An email scam usually starts with a hacker building a website that looks very similar to a legit site, such as that of a bank or another financial institution. For the domain, they can choose words or phrases that add to the “legitimacy” of the site. For instance, the site’s URL could be something like BankofAmericaBoston.com, so an email from Accounts@BankofAmericaBoston.com may seem authentic at first glance.
At that point, all the hacker has to do is make sure the text and format of the email looks professional enough to be believable. If the victim falls for the ruse, they are likely to enter their banking login information into the fake site.
At no point in the process is the attacker exposing their identity. They can also levy the same kind of attack on hundreds of people, using the same site and email address every time.
Types of Data an Email Scam Can Compromise
Hackers can steal various types of data with a phishing scam, but the following top the list:
- Credentials, such as usernames, personal identification numbers (PINs), and passwords
- Personal data, including names, home or business addresses, email addresses, phone numbers, and social security numbers
- Healthcare records, including medical record numbers, insurance claim data, and treatment information
Consequences of a Malicious Email
Losing the above information to a cybercriminal via a malicious email can come with serious consequences, including:
1. Data Loss
A malicious email may steal authentication data that can be used to access sensitive areas of your network. It can include a malicious attachment that, when downloaded, can infect your system with malware designed to steal, erase, or corrupt data.
2. Reputational Damage
A data breach resulting from an email attack can corrode investors’ and customers’ confidence in your organization. It can take years to regain lost trust.
3. Financial Loss
Aside from the amount attackers can steal directly from your company, mitigating an attack is expensive. You may have to redesign security systems, rebuild portions of your network, or hire professionals to bolster your defenses. In addition, if customers lose money as a direct result of their data being stolen, you can be held responsible for those funds.
4. Reduced Productivity
After an attack, it’s common for an organization to invest inordinate amounts of time recovering lost data or trying to figure out the vulnerabilities that caused the breach. This means other projects or revenue-generating activities may have to be set aside.
5. Lost Customers
If customers feel you can no longer be trusted to safeguard sensitive information, they may refuse to do business with your company.
6. Penalties for Noncompliance
A data breach may cause you to shoulder penalties for violating data protection legislation such as the Health Insurance Portability and Accountability Act (HIPAA) or Europe’s General Data Protection Regulation (GDPR).
7. Intellectual Property Theft
For some businesses, loss of intellectual property can be more devastating than losing money. This applies to those in the entertainment industry, for example, that produce audio or video content that, if released prematurely, can lose much of its value. The same goes for company blueprints, schematics, and technologies. If these intellectual assets get leaked or illegally distributed, the company may lose its ability to compete in the market.
8. Reduced Company Value
Regardless of the reason, anytime investors lose confidence in your company, its business value drops considerably.
Phishing Attack Types and Recent Trends
Phishing is a form of social engineering and can be classified according to different types:
- Email phishing: Most phishing scams happen via email.
- Spear phishing: Phishing emails sent to specific people. In this type of phishing, attackers usually have done extensive research on their targets.
- Whaling: A phishing attack that targets senior management.
- Smishing: A type of phishing that involves a phone instead of email. Smishing attacks are sent via SMS.
- Vishing: Short for voice phishing, vishing involves scammers calling victims and then asking them to provide sensitive information, such as payment card details.
- Angling: A form of phishing that uses fake social media accounts of well-known entities.
Recent phishing attack trends include:
- Invoice phishing: The attacker sends an invoice saying you have an outstanding balance with a company or vendor. When you click on a link to try to pay, the hacker collects any login or account information you submit.
- Tax-themed scams: In a tax scam, you get an email claiming you owe money to the IRS and are subject to legal action if you don’t pay right away. The attackers then steal your information when you enter your credentials into what looks like a legit payment site.
- Downloading scams: These involve a hacker tricking you into thinking there’s a download waiting for you. You click on a link and enter your login information to gain access to it. But anything you input gets stolen by a malicious actor.
Protect Your Organization with the Right Email Security Solution
With billions still using email as a primary form of communication, attempts to defraud people via email will continue. The good news is that you can protect yourself and your organization with the right technology solution. For instance, an email anti-phishing solution scans every email you get for language, links, or files that may indicate a phishing attempt. A solution designed to protect against BEC, on the other hand, analyzes email attributes such as header data, the sender’s IP address, and the message body for specific words or phrases.
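As an added example (not from the original article or any vendor's product), the following Python script applies the checks just described to a constructed message modelled on the BankofAmericaBoston.com scenario above: a sender domain that imitates a protected brand, a Reply-To that differs from the From domain, link text naming one site while the link points to another, and urgency phrasing in the subject or body. The brand list, keyword list and sample message are assumptions made for the illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message modelled on the lookalike-domain scam described above.
SAMPLE_EMAIL = """From: Accounts <Accounts@BankofAmericaBoston.com>
Reply-To: collect@mail-relay.example
Subject: Urgent: verify your account immediately
Content-Type: text/html

<p>Your account is suspended. <a href="http://bankofamericaboston.com/login">Sign in at bankofamerica.com</a> now.</p>
"""
# Assumed policy lists: brand name -> its legitimate domain, and wording that pressures the reader.
PROTECTED_BRANDS = {"bankofamerica": "bankofamerica.com", "microsoft": "microsoft.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "legal action", "outstanding balance")

def sender_domain(addr_header):
    # Lowercase domain from a From/Reply-To header value; empty string when absent.
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""

def lookalike_brand(domain):
    # A domain that embeds a protected brand name but is not that brand's real domain (or a subdomain of it).
    host = domain.lower()
    squashed = host.replace("-", "").replace(".", "")
    for brand, real in PROTECTED_BRANDS.items():
        if brand in squashed and host != real and not host.endswith("." + real):
            return brand
    return None

def score_message(raw):
    """Run the header, link and wording checks and return the list of findings."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    from_dom, reply_dom = sender_domain(msg["From"]), sender_domain(msg["Reply-To"])
    if brand := lookalike_brand(from_dom):
        findings.append(f"sender domain {from_dom} imitates {brand}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Display text naming one domain while the href points elsewhere is a classic tell.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        link_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and shown.group(0).lower() != link_host:
            findings.append(f"link text shows {shown.group(0)} but points to {link_host}")
    lowered = ((msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Each finding is a human-readable reason, so a gateway could use the count as a score and the strings as the explanation shown to the analyst.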
A combination of these and a culture that supports employee awareness can make it easier to safeguard your assets against email scams.