Here, Toni El Inati – RVP Sales, META & CEE, Barracuda Networks – identifies 13 different types of email threat, including the three that are hardest for users and security systems to detect: Business Email Compromise (BEC), conversation hijacking and brand impersonation.
The first email phishing attacks were reported in 1995. Almost three decades later, email-based threats are as potent and prevalent as ever. This is due in no small part to their ability to evolve. Email threats have become more sophisticated and stealthier. Attackers are applying Machine Learning to launch credible impersonation attacks and to bypass security detection. They’re introducing new ways to ruthlessly exploit human trust, anxiety and frustration – for example through Multi-Factor Authentication (MFA) spamming – and turning their attention to users of cloud platforms such as Microsoft 365.
The email threats that are hardest to detect
We have identified 13 different types of email threat. The three that are the most challenging for users and security systems to detect are Business Email Compromise (BEC), conversation hijacking and brand impersonation.
Business Email Compromise (BEC)
BEC attacks happen when someone impersonates an individual – often someone in authority – within or connected to an organisation to obtain something of value. Most often these attacks aim to dupe the victim into handing over money, login credentials or other sensitive data. According to our research, in 2021, just under one in ten (9%) of all email-borne threats were BEC attacks, and they were as likely to target smaller businesses as enterprises.
Such attacks are hard to detect because emails are crafted to look like they come from someone’s personal email account – we found that Gmail accounts were abused most often – and include an urgent request. They want the recipient to think ‘this person is in a rush and they need my help’. Adding an indicator that the message was sent from a mobile device makes it more likely that the recipient will overlook typos or abnormal formatting. Often, individuals don’t know the legitimate personal email addresses of their co-workers or managers, so if the name looks correct in the header and signature, they don’t question it.
Conversation hijacking
This type of attack happens after a bad actor has already gained access to an internal account. They insert themselves into a legitimate conversation thread by spinning up a lookalike domain and effectively remove the compromised party, isolating the email thread to just the hacker and their new victim. Our research shows that in 2021, conversation hijacking grew almost 270%.
Such attacks are hard to detect because the victim has already established a rapport with a legitimate recipient — this might be someone they email on a regular basis, maybe even someone they’ve talked with over the phone or met in person. Sometimes the only clue will be a very subtle difference in the email address and/or domain of the compromised party. If the recipient of the conversation hijacking email is on their mobile device, distracted, or not in the practice of double-checking an email sender’s FROM address, they can easily fall victim to this type of attack.
Brand impersonation
There are two types of brand impersonation: service impersonation and brand hijacking. Service impersonation is when a hacker impersonates a commonly used application to coax users into re-entering login credentials or other personal information. Brand hijacking is when a hacker uses a spoofed domain to impersonate a reputable company.
Such attacks are hard to detect because users have become accustomed to receiving legitimate emails from applications prompting them to re-enter their credentials. Requests from Microsoft 365, Amazon and Apple asking users to confirm their identities, reset their passwords, or agree to new service terms are commonplace in many user inboxes, so most don’t think twice before clicking links that ultimately send them to phishing sites.
Our research shows that in 2021, Microsoft was the most impersonated brand, used in 57% of phishing attacks. One in five organisations using Microsoft 365 had an account compromised in 2021.
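The three patterns above (an employee's name on an external personal address, a one-character lookalike of a trusted partner domain, and a brand name in the display name with a sending domain the brand does not own) all leave traces in the From and Reply-To headers. The script below is an added example of triage logic for those headers; it is not Barracuda's code and is not taken from the article. The internal domain, employee directory, partner domains, brand table and sample headers are all constructed for the example.

```python
"""Header checks for the three impersonation patterns described above.

Added example: an offline triage script that looks only at the From and
Reply-To headers of a message. The employee directory, partner domains,
brand table and sample messages are constructed for the example.
"""
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                        # assumed internal domain
EMPLOYEES = {"Jane Doe", "Ravi Kumar"}                   # constructed directory
PARTNER_DOMAINS = {"acme-supplies.com", "northwind.co"}  # constructed partner list
# Constructed brand table: display-name keyword -> domains the brand really sends from
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "apple": {"apple.com"},
}


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    return " ".join(name.lower().split())


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_headers(msg: dict) -> list:
    """Return the list of impersonation indicators found in one message's headers."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)

    # 1. BEC display-name impersonation: a known employee's name on a non-corporate address.
    if normalise(name) in {normalise(e) for e in EMPLOYEES} and sender_domain != CORP_DOMAIN:
        findings.append("employee-name-on-external-address")

    # 2. Conversation hijacking: sender or Reply-To domain is one edit away from a trusted domain.
    trusted = PARTNER_DOMAINS | {CORP_DOMAIN}
    for d in dict.fromkeys([sender_domain, reply_domain]):
        if d and d not in trusted and any(levenshtein(d, t) == 1 for t in trusted):
            findings.append(f"lookalike-domain:{d}")

    # 3. Brand impersonation: brand keyword in the display name, sending domain not owned by the brand.
    for brand, legit in BRANDS.items():
        owned = any(sender_domain == ld or sender_domain.endswith("." + ld) for ld in legit)
        if brand in name.lower() and not owned:
            findings.append(f"brand-impersonation:{brand}")

    # A Reply-To pointing somewhere other than the sender is a common add-on to all three.
    if reply_addr and reply_domain != sender_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample headers: one per pattern plus a benign internal message.
SAMPLES = {
    "bec": {"From": "Jane Doe <jane.doe.ceo@gmail.com>"},
    "hijack": {"From": "Accounts <ap@acme-supplles.com>", "Reply-To": "ap@acme-supplles.com"},
    "brand": {"From": "Microsoft 365 Team <security@m365-notify.net>"},
    "benign": {"From": "Ravi Kumar <ravi.kumar@example-corp.com>"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, check_headers(headers))
```

The checks are deliberately header-only so they can run before any content analysis; in practice the directory, partner list and brand table would be fed from your identity provider and a maintained allow-list rather than hard-coded, and an edit distance of 1 should be widened to cover homoglyphs and added or dropped hyphens as well.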
The growing acceptance by users of regular and repeated alerts and prompts is also being actively exploited by attackers. One example, MFA spamming or ‘fatigue’, relies on bombarding users relentlessly with authentication prompts until they click on one just to make it stop – and in doing so hand the attacker access to their account.
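The defensive counterpart to MFA fatigue is to notice the burst itself: many push prompts for one user in a short window, and above all an approval that arrives in the middle of such a burst. The detector below is an added example and is not from the article or from any identity provider's tooling; the log line format, the user names, the 10-minute window and the threshold of five prompts are assumptions made for the example.

```python
"""Detecting an MFA push-bombing burst in authentication logs.

Added example: a sliding-window burst detector over constructed log lines.
The line format, user names, WINDOW and THRESHOLD are assumptions; map them
to whatever your identity provider actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)
WINDOW = timedelta(minutes=10)   # assumed window for counting prompts
THRESHOLD = 5                    # assumed: prompts within WINDOW that count as a burst


def parse_line(line: str):
    """Parse one constructed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["event"], m["result"]


def detect_push_bombing(lines) -> dict:
    """Return {user: {"peak_prompts": n, "approved_during_burst": bool}} for every
    user who received THRESHOLD or more MFA push prompts inside any WINDOW."""
    recent = defaultdict(deque)   # user -> timestamps of prompts still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "mfa_push":
            continue
        ts, user, _, result = parsed
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop prompts that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            entry = alerts.setdefault(
                user, {"peak_prompts": 0, "approved_during_burst": False}
            )
            entry["peak_prompts"] = max(entry["peak_prompts"], len(q))
            if result == "approved":
                # The attacker's goal: one approval to make the prompts stop.
                entry["approved_during_burst"] = True
    return alerts


# Constructed sample log: alice is bombarded and eventually approves, bob is normal.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice event=mfa_push result=denied
2024-05-01T09:00:40Z user=alice event=mfa_push result=denied
2024-05-01T09:01:15Z user=alice event=mfa_push result=denied
2024-05-01T09:01:50Z user=bob event=mfa_push result=approved
2024-05-01T09:02:30Z user=alice event=mfa_push result=denied
2024-05-01T09:03:05Z user=alice event=mfa_push result=denied
2024-05-01T09:03:45Z user=alice event=mfa_push result=timeout
2024-05-01T09:04:20Z user=alice event=mfa_push result=approved
2024-05-01T10:30:00Z user=bob event=mfa_push result=approved
2024-05-01T10:31:00Z user=bob event=password_login result=success
"""

if __name__ == "__main__":
    for user, info in detect_push_bombing(SAMPLE_LOG.splitlines()).items():
        print(user, info)
```

An approval inside a burst is the signal worth paging on, because it means the account is now in the attacker's hands; a burst with no approval is still worth a look, since it indicates the password was already known. Number-matching or similar prompt designs remove the "click to make it stop" option altogether and are the more durable fix.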
How to protect your organisation
Security leaders need to ask themselves two questions. First, do our users know how to distinguish between a legitimate email and an email threat? Second, are our security systems equipped to distinguish between a legitimate email and an email threat, and to respond immediately to block or contain the threat and mitigate any damage if it is the latter?
Employee security awareness
Regular employee awareness training across all the potential email threats they might encounter at work is critical in protecting an organisation against email-based attacks. Employees should understand how different email threats function, how to identify them and where and how to report them.
Next-generation security for next-generation threats
Advanced email threats are difficult to detect with traditional email security gateways alone. They require a security approach that involves multiple layers of protection. No system is 100% secure against every email threat, especially when it is encountered for the first time.
It’s therefore important that security leaders implement advanced threat protection features like attachment sandboxing, time-of-click URL analysis, AI-powered Impersonation Protection, automated incident response and more to protect against the latest threats.
Conclusion: Enduring email threats
Earlier this year we published the results of an in-depth study into spear phishing. The findings show the extent to which email threats continue to dominate the attack landscape. Not all attacks are advanced: more traditional approaches such as phishing remain in use and, sadly, successful. In 2021, more than half (51%) of all social engineering attacks were phishing.
Smaller companies, with fewer IT security resources, are particularly at risk from email threats. We found that employees of businesses with fewer than 100 employees experience around 350% more social engineering attacks than employees of larger enterprises.
An overwhelming 91% of cyberattacks begin with an email and about 32% of breaches involve some type of phishing. Email security is, quite simply, business critical.