Email interception attacks have been rising over the past few years, and businesses have the biggest targets on their backs.
Email interception occurs when any unauthorized user gains access to an email that he/she wasn’t meant to see. This is a complicated type of attack that can be done in several ways:
- DNS record hijacking, occurring when malware redirects sent data to a fraudster’s account;
- TLS downgrade attacks that decrypt and expose email information;
- Phishing scams that manipulate users into giving up sensitive data that can be used to access their accounts.
That last one is key for small businesses. While DNS hijacking and TLS downgrades are effective ways to spy on the data travelling in and out of a system, they’re complex and require a certain level of tech know-how to implement. Phishing, however, is a simple way to steal data that targets your organization’s biggest weak point: your employees.
Phishing is an old (ancient, by internet standards) attack vector that has nonetheless remained effective over the years. As we know, phishing occurs when fraudsters use underhanded tactics to trick users into giving up their personal details. And as we’ll review, this attack vector is one of the biggest threats to your organization’s security.
Why Phishing Works
Phishing is one of the most common forms of social engineering out there, and it can occur in numerous ways:
- Sending batch blast spam emails that request users to enter personal info;
- Mining data on social media and using this information to break into accounts;
- Posing as legitimate banks or other institutions and making contact in hopes of tricking the user into giving up login credentials;
- Tricking users into clicking links or downloading attachments infected with malware.
According to research from Symantec, over half (54.6 percent) of all emails sent in 2017 were spam, with the average user receiving close to 65 emails per month. This presents plenty of opportunities for fraudsters to gain the leverage they need for email interception.
Of course, you’d think users these days would be savvy enough to catch on to these age-old tactics—but in truth, phishing has stood the test of time because it always works eventually. While many of us recognize a scam when we see it, phishing can be launched at massive scales to attack thousands of users at once. At some point, one of these users will be fooled.
In fact, the Federal Trade Commission (FTC) has already issued several alerts this year to warn users of the danger of personal info scams. World Cup 2018 scams and vacation rental scams were just two of the most recent topics that fraudsters have leveraged to steal user data.
And while individual users can educate themselves on how to avoid these scams, things are a bit tougher for businesses. If just one employee falls victim to a phishing scam, the organization’s entire network—and its customers—are at risk.
Email Interception Through Phishing
Individuals are always a target for cybercrime, but let’s face it—business attacks are where the money is. Known in the industry as business email compromise (BEC) attacks, this type of cybercrime is devoted to cracking a business’s security system and accessing the wealth of data inside.
Just last year, the FBI reported that BEC attacks were already a $12 billion industry, with over 41,000 victims from 2013 through 2018 in the U.S. alone. They also listed the five primary methods by which these attacks occurred:
- Bogus invoice schemes where fraudsters pose as legitimate suppliers and send invoices requesting payment;
- CEO fraud schemes where the email addresses of C-suite executives are compromised and used to request that payments be made to specific accounts;
- Fraudulent correspondence schemes where an employee’s email gets hacked and used to send invoices or collect data from vendors;
- Impersonation schemes where fraudsters collect data on the company’s legal representation and claim to be them in official communications;
- Data theft schemes where fraudsters collect personal information from a compromised account’s email text.
Notice a trend here? All of these schemes rely on phishing or otherwise manipulating a compromised email account. The attackers aren’t brute-forcing a system or trying to hack their way through a company’s established security. Why go to that much effort when so many users leave the keys in the lock?
Businesses of all sizes need to be aware of these issues and how to protect their enterprises. Proper employee training on how to detect phishing scams is a must; it’s a threat we’re all aware of. But equally important is working with a trusted consultant who can protect your company from the threats you aren’t aware of. And as your company grows, these threats will increase exponentially. Do your research and stay on top of your security—email, malware detection, disaster recovery, and everything in between.