Most businesses receive hundreds of emails each day — and there is a good chance some of them have been sent by hackers. After analyzing more than 500 million emails sent in the first half of 2018, FireEye researchers found that 1 out of every 101 emails sent is malicious. Spam is not included in this count. It includes only those emails sent by cybercriminals with the express purpose of pilfering money, stealing data, or compromising systems.
The vast majority (90%) of the malicious emails do not contain any malware, but they are far from being benign. They can be just as dangerous as those containing malware.
Hackers Are Using Both Old and New Tricks in Malware-Less Emails
Not surprisingly, around 80% of the malware-less emails were phishing attacks. In this type of attack, cybercriminals try to trick recipients into performing an action, such as clicking a link that leads to a malicious website. Phishing emails are generic so that they can be sent to a large number of targets, which is why the researchers found so many of them.
The remaining 20% of the malware-less emails were impersonation scams. These highly personalized emails try to con recipients into transferring money or revealing sensitive information. Cybercriminals spend a lot of time researching their targets in order to create legitimate-looking emails. Because these emails appear to be normal traffic, it is harder for email security solutions to detect them.
One of the cybercriminals’ favorite type of impersonation email is the business email compromise (BEC) scam. In this type of attack, cybercriminals masquerade as executives, supplier representatives, and other business professionals to con companies out of money. In 2017, hackers stole more than $675 million from US businesses using BEC scams.
While the researchers found that hackers were still using old favorites like the BEC scam, they also discovered a new type of impersonation scam: impersonation emails that led to phishing sites, where login credentials were harvested or malware was uploaded to victims’ computers. By including phishing links, hackers can send out vaguer emails to a larger number of targets. Because these emails still include some personalization, the recipients are more likely to think the emails are from trusted sources and click the link compared to generic phishing attacks. As a result, the email open rate for this new type of impersonation email is similar to that for highly personalized impersonation emails, according to the researchers.
Common Ways in Which Hackers Try to Deceive Recipients
In both the new and old types of impersonation emails, the cybercriminals typically manipulate the entry in the “From” field to trick recipients into believing the messages are from legitimate senders. The techniques include:
- Spoofing the display name of an email address (e.g., Jane Doe)
- Spoofing the username (the portion before the @ sign) of an email address (e.g., JaneDoe@)
- Creating and using a domain (the portion after the @ sign) that is similar to a legitimate one (e.g., @paypa1.com, @secure-paypal.com)
How to Protect Your Business from Malicious Emails
To protect your business from impersonation and phishing attacks as well as emails containing malware, you can use the stop, educate, and mitigate strategy:
Stop as many malicious emails as you can from reaching employees. To do so, you need to keep your company’s email filtering and anti-malware tools up-to-date. They can capture many phishing and malware-laden emails. You might even want to explore getting an email security solution that uses advanced technologies to catch malicious emails. In addition, make sure that employees’ email addresses and other potentially sensitive information (e.g., job titles) are not publicly available.
Educate employees so they can spot any malicious emails that reach their inboxes. While email filters often snag phishing attacks, they are not as good at stopping impersonation emails. Plus, most anti-malware software is only effective against known malware strains. Thus, it is important to educate employees about the types of malicious emails they might encounter and how to spot them (e.g., check for spoofed names in an email’s “From” field). As part of this training, be sure to inform them about the risks associated with clicking email links and opening email attachments. Plus, let them know how hackers find the information they need to personalize impersonation emails (e.g., social engineering).
Mitigate the effects of successful email attacks. Cybercriminals keep coming up with new ways to pilfer money, steal data, and compromise systems using email, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful email attack. For example, since obtaining login credentials is the goal of many phishing emails, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link in an impersonation email.
The Individual Steps
The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against malicious emails.