September 16, 2022
Barracuda, a leader in email protection, application and cloud security, network security and data protection, has recently compiled a comprehensive eBook outlining the 13 email threat types that currently threaten organizations worldwide. These common attacks are listed in order, from the least complex to the most complex:
- Spam
- Malware
- Data Exfiltration
- URL Phishing
- Scamming
- Spear Phishing
- Domain Impersonation
- Brand Impersonation
- Extortion
- Business Email Compromise
- Conversation Hijacking
- Lateral Phishing
- Account Takeover
In this blog, I’ll explore each of these in more detail and how you can best safeguard your organization. As 91% of cyber attacks start with an email, understanding these threats is critical to maintaining a robust cybersecurity posture.
As you read, you’ll probably notice that many of these attacks are related, and cybercriminals will combine certain techniques to launch more sophisticated attacks.
1. Spam
Those junk emails from companies you don’t do business with, that you haven’t interacted with online, and whose mailing lists you’ve never subscribed to…that’s spam. It’s a pretty simple threat to your email, and it’s certainly not highly targeted. Spammers collect their email targets from a variety of sources, including using software to harvest addresses online. They can also sell those email addresses to other spammers.
Most people don’t click on their junk mail, but that doesn’t matter to scammers. One study found that one sender generated 350 million emails in just one month. Only 28 of those emails resulted in sales, but that’s more than enough. Over the course of a year, at that rate, that spammer would generate $3.5 million.
While some spam emails are designed to sell low-quality or fraudulent products, others are generated for the purposes of email fraud. Some spam will also include phishing scams to try to trick their targets into revealing sensitive information.
Fun Spam Fact
If you’ve been wondering (but were afraid to ask), yes, spam is named after the canned pork product, albeit indirectly. The name comes from the Monty Python “Spam” sketch in which the pork product is, according to Wikipedia, “ubiquitous, unavoidable, and repetitive.”
2. Malware
Malware is malicious software, and 94% of it is delivered through email. Common types of malware include viruses, Trojans, spyware, worms, and ransomware. It’s no accident that ransomware is the most popular type of malware among cybercriminals — it’s highly profitable. Ransomware can encrypt files on a single computer or across a whole network and its servers. The cybercriminal then demands a ransom to decrypt the data.
3. Data Exfiltration
Data exfiltration is also known as a data breach, data extrusion, data exportation, data leak, data leakage, data loss, or data theft. In essence, it’s an unauthorized data transfer. While data is sometimes lost due to human error, you guessed it — your data is most vulnerable in email. In fact, according to a recent Egress study, 83% of organizations experienced an email data breach in the past 12 months.
4. URL Phishing
URL phishing is a phishing technique that directs potential victims to enter sensitive information on a malicious website that appears legitimate. Also known as fake websites or phishing websites, these sites are usually set up to harvest login credentials or banking information. Just like spam, most users know better and don’t enter this information into the phishing website. But 4% do, and that’s enough for this crime to pay off.
5. Scamming
Email scams frequently include promises that are too good to be true, like notifications that you’ve inherited money from a distant relative or that there’s an incredible job opportunity you can’t pass up. What these scams are really after is personal information that will allow cybercriminals to commit identity theft or fraud. While some scams seem relatively obvious, others are much harder to recognize. Some scammers like to prey upon their target’s sympathies and will try to take advantage of tragedies, like natural disasters or the COVID-19 pandemic.
6. Spear Phishing
Spear phishing (a.k.a. whaling and laser phishing) is a more sophisticated form of phishing. Phishing emails cast a wide net; spear phishing is much more targeted to an individual. In this attack, cybercriminals do much more research and social engineering to craft their emails. They may go so far as to impersonate someone or something their targets know and trust, like a colleague or an established business. Like less sophisticated phishing, the real goal is to steal sensitive information to commit more serious crimes.
7. Domain Impersonation
In this attack, hackers try to impersonate trusted domains by registering a new domain name that looks so similar that a careless user might fail to spot the difference, even if they hovered their mouse over the link. For example, instead of usbank.com, a legitimate banking website, a hacker might register usbank.net, ubank.com, usbamk.com, us-bank.com, or something similar.
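One way a defender can screen inbound sender domains for the lookalikes described above, as an added example that is not part of the original post or of Barracuda’s product. The trusted-domain list, the sample sender domains, and the edit-distance threshold are all constructed for this illustration, and the domain splitting assumes a simple label.tld shape with no public-suffix handling.

```python
# Added example: flag sender domains that impersonate a trusted domain.
# Assumption: trusted domains and sample senders below are constructed;
# the distance threshold is illustrative, not a tuned production value.

def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    """Return (label, tld) for a 'label.tld' domain (assumption: no public-suffix list)."""
    domain = domain.lower().strip().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld

def normalize(label: str) -> str:
    """Collapse common lookalike tricks: hyphens, digit-for-letter swaps, rn/vv."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})
    return label.translate(table).replace("rn", "m").replace("vv", "w")

def classify_domain(candidate: str, trusted) -> str:
    """'legitimate' for an exact match, 'lookalike' when the label matches a
    trusted brand after normalization (e.g. us-bank.com, usbank.net) or is
    within a few edits of it (e.g. ubank.com, usbamk.com), else 'unrelated'."""
    c_label, c_tld = split_domain(candidate)
    for t in trusted:
        t_label, t_tld = split_domain(t)
        if (c_label, c_tld) == (t_label, t_tld):
            return "legitimate"
        # Scale the allowed edits to label length so short brands are not over-flagged.
        max_edits = max(1, len(t_label) // 4)
        if levenshtein(normalize(c_label), normalize(t_label)) <= max_edits:
            return "lookalike"
    return "unrelated"

# Constructed sample sender domains as they might appear in From: headers.
TRUSTED = ["usbank.com"]
SAMPLE_SENDERS = ["usbank.com", "usbank.net", "ubank.com", "usbamk.com", "us-bank.com", "example.com"]

def find_lookalikes(senders, trusted):
    """Return the senders that should be quarantined or flagged for review."""
    return [d for d in senders if classify_domain(d, trusted) == "lookalike"]
```

Pair a check like this with DMARC enforcement on the real domain; the lookalike check catches what authentication cannot, since the attacker legitimately owns the registered lookalike.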
8. Brand Impersonation
Some attackers will use brand impersonation as a part of their attack, disguising their communication by attempting to impersonate a trusted brand. The most commonly impersonated brands in 2022 include LinkedIn, Microsoft, DHL, and Amazon. Of course, some tools can help companies safeguard their identities, like Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication. Unfortunately, adoption rates, even among Fortune 500 companies, are low.
9. Extortion
In an extortion attack, cybercriminals often claim to have a compromising or sensitive video taken from a victim’s smart device. They threaten to release the video unless they are paid. When the video allegedly contains sexual content, this attack is commonly called sextortion. Ransomware can also be used to commit extortion.
10. Business Email Compromise
Business Email Compromise (BEC) attacks start when an attacker impersonates a trusted employee in order to commit fraud. Their target is often another employee who has access to the company’s financial accounts or other sensitive information, and their goal is typically to trick that employee into initiating a wire transfer or revealing information. These emails are very difficult for software to catch, as they typically don’t include files or links.
Some BEC attacks may involve payroll scams, where HR professionals are tricked into transferring funds into a scammer’s account instead of a legitimate employee’s. You may see forms of BEC also referred to as employee impersonation, CEO or CFO fraud, whaling, social engineering, and wire transfer fraud.
11. Conversation Hijacking
Cybercriminals have to do more research for this one. To successfully hijack a conversation, hackers will have gathered a great deal of information about their victims so they can insert themselves into an existing email thread or start a new one that fits the context. This research is often at least partially accomplished through previous phishing attacks.
Conversation hijacking takes up much more of a hacker’s time, but it’s far more profitable. In fact, in 2019, one hacker managed to wedge themselves in between a venture capital firm and a startup and walked away with $1 million in stolen funds.
12. Lateral Phishing
Most people are overconfident in their abilities to recognize a phishing email. But increasingly sophisticated phishing techniques like this one are harder to spot. With lateral phishing, a hacker will use a previously hijacked account to send more phishing emails to others in the account’s contact list. These emails will look like they’ve been sent by a trusted colleague or business partner, so they appear more legitimate. According to a recent study, lateral phishing has an 11% success rate.
13. Account Takeover
In an account takeover, or account compromise attack, a hacker uses stolen credentials to access a legitimate user’s account and then uses that account to learn more about how an organization conducts business, how they communicate, and how financial transactions are made. Eventually, the attacker will attempt to gain access to additional accounts to launch additional attacks.
Why Email Security Is Important
Traditional email gateways are still a helpful tool, as they are incredibly effective at blocking most simple email attacks. However, more sophisticated email attacks may contain no malicious links or other easily identifiable threats, and they may come from an account with legitimate credentials, so traditional email gateways are no longer sufficient on their own to safeguard your organization’s email.
Marco’s experts are proud to recommend Barracuda email protection, which is the only solution that defends against all 13 email threats, including sophisticated socially engineered attacks like BEC and account takeover. As a strategic partner, our technicians are specially trained to offer you expert guidance and support.