Small businesses suffer 43% of all cyberattacks, according to data from Accenture, but only 14% of small businesses are ready to defend themselves. Considering that cybersecurity incidents cost businesses an average of $200,000 and that 60% of small businesses will go out of business within six months of an attack, cybersecurity should be a top-of-mind concern for small to mid-sized enterprises (SMEs).
Email is an enormous attack vector for SMEs, and it is often the doorway to much more sophisticated attacks. Here is a list of 8 major email attack methods that cybercriminals use to try to gain access to your network or cripple your business channels.
Email attack types
1. Phishing
Phishing occurs when scammers create an email designed to look like it comes from a reputable company or trusted person. The email often contains malicious links or attachments that, when clicked or downloaded, can open up a Pandora’s Box of cyber pain.
How it works:
To make an illicit email look legit, fraudsters will often use the brand colors and logo of the company they’re impersonating. The links in the email will then lead to phishing websites that also attempt to impersonate a known business.
What’s the risk?
Phishing can open the door to many other types of attacks. Downloading a malicious attachment might result in a ransomware infection. The phishing website is likely designed to trick you into revealing your credentials for banking, email, work, or any other type of account. After a successful phishing attack, the house and its many rooms are open to exploitation.
2. Spear Phishing
Spear phishing works just like phishing but targets a single person or company.
How it works:
Whereas phishing attacks send out broad emails in the hopes of getting a “bite,” spear phishing targets a specific person, often by name and position, leveraging additional research to increase the chances of success.
What’s the risk?
According to InfoSecurity Magazine, the average business cost of a spear phishing attack is $1.6 million. Spear phishing relies heavily on social engineering, and it is far more likely to elicit a response because it is coupled with some degree of identity theft. For example, spear phishing was reportedly used during the 2016 election by Russian cyber espionage groups to steal Hillary Clinton’s emails.
3. Email Spoofing
Email spoofing is a more sophisticated form of phishing in which the sender’s address appears to be a legitimate address belonging to the company being impersonated.
How it works:
Every email has something called “headers,” which are lines of text, normally hidden from view, that let your email program know things such as:
- Who the email came from.
- What servers it has traveled through.
- What errors occurred while delivering it.
Using sophisticated techniques, it is possible to change the email header of a fraudulent email to make it look like it came from a legitimate address.
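The header check a mail filter or analyst would run on a suspect message, as an added example that is not part of the original article: it compares the visible From domain with the envelope sender and Reply-To, and reads the DMARC verdict only from the Authentication-Results header stamped by the receiving server. The sample message, the domains and the `mx.victim.example` server name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real traffic). The visible From claims example-bank.test,
# but the envelope sender, Reply-To and DMARC verdict all disagree with it.
SAMPLE = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.victim.example;
    spf=pass smtp.mailfrom=mailer.invalid;
    dkim=none; dmarc=fail header.from=example-bank.test
Authentication-Results: forged.invalid; dmarc=pass header.from=example-bank.test
From: "Example Bank CEO" <ceo@example-bank.test>
Reply-To: <ceo.example-bank@freemail.invalid>
To: accounts@victim.example
Subject: Urgent payment

Please wire the funds today.
"""

def domain_of(value):
    """Lowercased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def trusted_verdicts(msg, authserv_id):
    # Only headers stamped by our own receiving server count: the sender can
    # put any Authentication-Results line it likes into the message it submits.
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, _, results = value.partition(";")
        if server.strip().lower() == authserv_id:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()))
    return verdicts

def spoofing_signals(raw, authserv_id="mx.victim.example"):
    """Return reasons the From header should not be taken at face value."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    verdict = trusted_verdicts(msg, authserv_id).get("dmarc", "missing")
    signals = [] if verdict == "pass" else [f"dmarc={verdict}"]
    # Exact-match comparison is a simplification: DMARC relaxed mode compares
    # organizational domains, and bulk senders often use their own bounce domain.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            signals.append(f"{header.lower()} domain {dom} differs from {from_dom}")
    return signals
```

A domain mismatch on its own is a signal to weigh, not a verdict; the DMARC result from your own server is the stronger indicator.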
What’s the risk?
Because the “from” address in the email looks like it comes from a genuine account, the attack is far more likely to succeed. Spoofing attacks can deliver ransomware, viruses, or elicit payments from employees.
Belgian firm Crelan Bank had to pay €75.6 million in damages as a result of a highly targeted spoofing attack. The attackers masqueraded as the company’s CEO and elicited payment from one of the employees. Although the amount paid was never revealed, the damages the company had to pay were enormous.
4. Email Thread Hijacking
This is an extremely sophisticated form of spear phishing where an attacker infiltrates an email server and intercepts an ongoing conversation. You think you’re communicating with the person you’ve been communicating with, but you are actually now communicating with an in-between snooper.
How it works:
These attacks typically infiltrate a vulnerable email server or Microsoft Exchange Server to gain access to ongoing email conversations. If you don’t keep your email software or servers properly updated, they may be exposed to additional risk. Email thread hijacking attacks can also be deployed through botnets and malware, as occurred with the Qakbot malware that hijacked email conversations on Windows computers.
What’s the risk?
Because the attack leverages an ongoing conversation, its hit rate can be extremely high — trust has already been established between the victim and the supposed person on the other side of the conversation. The fraudulent email can lead to the installation of ransomware or malware that can be leveraged to use the computer in a massive botnet.
5. Email Bombs and Email DoS/DDoS Attacks
Email bombs are massive amounts of emails sent to a mail server in the hopes of preventing it from functioning normally, thereby blocking legitimate emails from coming through. This is technically called a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack. In a distributed attack, the emails come from many different IP addresses (a botnet) instead of only one.
How it works:
There are several ways to achieve an email bomb:
- Fraudulently sign an email address up to dozens or hundreds of newsletters.
- Activate a botnet to bombard an email server with emails.
- Send a torrent of emails with massive text file attachments in a zip format. The server receiving the file will unzip it to check for malware, straining the server’s capabilities.
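A guard for the attachment-scanning step described in the last item, as an added example that is not part of the original article: it reads the archive's declared sizes before inflating anything, then caps the bytes actually decompressed. The size and ratio limits are assumed policy values, and the test archives are constructed in memory.

```python
import io
import zipfile

MAX_TOTAL_BYTES = 1024 * 1024   # assumed policy: 1 MiB uncompressed per attachment
MAX_RATIO = 100                 # assumed policy: uncompressed/compressed ceiling

def make_sample_zip(payload):
    """Build a constructed test archive in memory holding one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", payload)
    return buf.getvalue()

def precheck(data):
    """Decide from the archive's directory alone, before inflating anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total = sum(i.file_size for i in infos)
    packed = sum(i.compress_size for i in infos) or 1
    if total > MAX_TOTAL_BYTES:
        return f"reject: declares {total} bytes uncompressed"
    if total / packed > MAX_RATIO:
        return f"reject: ratio {total // packed}:1"
    return "ok"

def bounded_read(data, limit=MAX_TOTAL_BYTES, chunk=64 * 1024):
    """Inflate for scanning but stop at `limit` bytes, since declared sizes can be wrong."""
    read = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                while block := member.read(chunk):
                    read += len(block)
                    if read > limit:
                        return None   # budget exceeded: quarantine, do not scan
    return read
```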
What are the risks?
The idea behind a DoS/DDoS attack is to prevent the company’s mail server from functioning normally because of overload, thereby preventing the company from dealing with legitimate email traffic from customers.
On an individual level, a key employee’s specific address can be targeted to prevent them from dealing with legitimate business because of the flood of emails they suddenly have to deal with.
6. Email Relaying
Email relaying is when a hacker uses your company’s email server to send malicious emails to others. This is a common way to achieve spoofing because hackers will have the ability to send emails from your domain.
How it works:
Poorly configured SMTP servers—the servers used to send email—can be compromised by attackers who can then use your organization’s “from” name in the messages they send.
What are the risks?
Although the attack is not aimed at your company, it could have devastating effects on your domain’s reputation because the hackers would typically start sending spam and malware through your company’s servers, potentially causing your domain and IP to be blacklisted. This can be particularly disastrous if your business relies heavily on sending emails as part of its sales strategy.
7. Email Account Compromise/Takeover
This is one of the most dangerous attacks when it succeeds because it gives the attacker direct access to a legitimate email account in the company, allowing them to send fraudulent emails that go completely undetected.
How it works:
As soon as a hacker has your login credentials, they can send and receive emails directly from your account. It is the ultimate impersonation.
The methods of gaining these credentials include:
- Phishing websites asking you to log in with your email address
- Theft
- Unsecured phones that get lost
- Social engineering
What are the risks?
Because the emails originate from an account within the organization, all internal security checks are bypassed. Recipients are sitting ducks for fraud attempts. The only method they have to detect it is to look for “out of character” behavior from the email account, or sudden requests for sensitive information such as passwords or banking details.
8. Business Email Compromise (BEC)
BEC leverages a combination of techniques including social engineering and email account takeover to commit fraud against a company. These attacks focus on senior executives or budget holders.
How it works:
There are multiple methods that can be used to achieve BEC such as:
- Spoofing
- Spear phishing emails
- Using malware
BEC attacks often make use of sophisticated social engineering techniques, including emails and phone calls to build confidence.
What are the risks?
The primary risk of BEC attacks is heavy financial loss or the theft of personal data, which can lead to severe data breach fines. BEC attacks were termed the “$43 billion scam” in 2022. The attacks tend to target individuals who are responsible for the transfer of funds, although they also sometimes seek Personally Identifiable Information (PII). BEC financial losses in 2022 were almost double those of 2019, indicating that the practice continues to grow and become more effective.
How to detect and prevent email attacks
To protect themselves from email attacks, organizations need a combination of capabilities:
- Advanced email protection – prevent what you can before it reaches your employees. Ensure that the platform goes beyond just anti-spam and can address the different types of email threats holistically.
- Phishing simulation and training – educate and test your staff on how to identify these email attacks and report them accordingly.
- Endpoint Detection and Response (EDR) – it’s not possible to prevent everything, so if an attack does get through, you need to detect and act on suspicious activity across the company’s many endpoints (mobile phones, tablets, laptops, etc.).
Small and medium-sized businesses are best off hiring a modern Managed Security Service Provider (MSSP) that can take care of everything regarding your company’s email security. By hiring an MSSP, you won’t be burdened by the high cost of hiring in-house specialists and can receive 24/7 coverage at a fraction of the cost of doing it alone.
To learn more about how SolCyber can help your business navigate the precarious world of advanced email attacks, talk to our team today.