Phishing attacks are the most common form of cyber attack. Why? Simplicity – email gives cyber criminals an easy route in, allowing them to reach users directly with no defensive barriers, to mislead, harvest credentials and spread malicious elements.
Everyone thinks it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched, and establish a thread of communication with the victim before attempting to steal their credentials or bank balance.
Email is the single biggest attack vector used by adversaries, who employ a plethora of advanced social engineering techniques to achieve their goal. Here are five common types of email attacks you don’t want to see in your inbox:
1. Payment diversion fraud
Cyber criminals often masquerade as a supplier, requesting that invoices be paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets businesses and individuals alike, and the results can understandably be devastating.
There’s little point asking someone who isn’t authorised to make a bank transfer or change payment details, so threat actors target finance and HR teams: these staff expect to process payments and handle changes to personal account details, and are therefore more likely to comply with a fraudulent request.
“One medium-sized insurance business said they had not thought about the issue [of supplier risks] until they suffered a breach emanating from one of their suppliers. Their supplier’s email account was hacked and they (the insurance business) were sent new bank details alongside a fraudulent supplier invoice, which they paid.”
2. CEO fraud
Impersonating a VIP – often the CEO – is big business for adversaries. If you get an urgent email request from your CEO, you’d action it straightaway without question, right?
Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible, so it stands more chance of succeeding. They prey on users’ implicit trust in their seniors to coerce them into providing commercially sensitive information, personal information, or bank account details.
These deceitful requests often convey a sense of urgency, and imply the interaction can only be carried out via email – the victim therefore has no time to question the validity of the request, or to confirm with the CEO that it’s genuine.
3. Whaling
The opposite of CEO fraud, whaling targets senior executives rather than impersonating them. These targets are often the decision-makers in a business, who have the authority to give the go-ahead on financial transactions and business decisions, without further levels of approval.
These phishing attacks are thoroughly researched, containing personalised information about the company or individual, and are written in the company’s tone, adopting fluent business terminology that’s well-known to the VIP.
Like CEO fraud, these attacks convey a sense of urgency – if a senior executive knows something isn’t urgent, it won’t get actioned immediately and may easily get forgotten about.
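The indicators described for payment diversion, CEO fraud and whaling (a VIP display name on an unexpected address, a Reply-To pointing elsewhere, urgency, a payment request, and "email only" framing) can be checked mechanically at the mail gateway. The following is an added example, not code from the article or from CORVID; the executive list, internal domains and sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed reference data (assumed): executives an attacker might impersonate, mapped to
# their genuine addresses, plus the organisation's own domains.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(bank details|wire|transfer|invoice|account number|sort code|iban)\b", re.I)
EMAIL_ONLY = re.compile(r"\b(email only|in a meeting|can'?t (take|talk on) calls|don'?t call)\b", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return the fraud indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    found = []
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        found.append("executive-name-mismatch")  # VIP display name on a different address
    if genuine and domain_of(addr) not in INTERNAL_DOMAINS:
        found.append("external-sender")          # "the CEO" writing from outside the company
    if reply_to and domain_of(reply_to) != domain_of(addr):
        found.append("reply-to-mismatch")        # replies silently routed to the attacker
    if URGENCY.search(text):
        found.append("urgency")
    if PAYMENT.search(text):
        found.append("payment-request")
    if EMAIL_ONLY.search(text):
        found.append("email-only-channel")       # discourages out-of-band verification
    return found

# Constructed sample messages: one impersonation attempt and one genuine request.
SUSPECT = """From: Jane Doe <jane.doe@example-mail.co>
Reply-To: janedoe.ceo@freemail.test
Subject: Urgent wire today

Please process this transfer immediately; I'm in a meeting, so email only please.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 report

When you have a moment, could you send me the Q3 summary? Thanks.
"""
```

A message that trips several indicators at once is the one to hold for out-of-band verification with the named executive, rather than to block outright.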
4. Spear phishing
Perhaps the most widespread form of email-based cyber attack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information (such as bank details and personal data). Attackers study their victim’s online presence to include specific information which adds credibility to their request, such as purporting to be from a streaming service the victim is subscribed to, or a supplier that is known to the target company.
5. Sextortion
Not all phishing attacks are subtle. A form of cyber blackmail, sextortion is where cyber criminals email their target claiming to have evidence of them committing X-rated acts or offences, and demand payment in return for not sharing the evidence with the victim’s family or employer.
Attackers count on their victim being too embarrassed to tell anyone about the email (even though they haven’t done anything wrong), because it’s a taboo subject most wouldn’t feel comfortable talking about with others. They often make the email sound like they’re doing their victim a favour by keeping the details to themselves. The victim may decide to pay up to stop embarrassing details about their private life being made public, regardless of whether they’re true or not. Payments are usually demanded in Bitcoin so the transaction is untraceable, meaning the adversary cannot be identified.
But if the victim knows they’re innocent, why do these attacks still work? It’s all about credibility – attackers harvest email addresses and passwords from previous cyber attacks, which are available on the internet, and include them in their email to add credibility. If an attacker emails you claiming to know one of your passwords and includes it as proof, you’re more likely to believe the rest of the email is genuine. Visit haveibeenpwned.com to check whether your account details have been compromised in a previous data breach, and so could be available to cyber criminals looking to run a sextortion attack.
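The same check can be automated without ever sending the password anywhere: the Pwned Passwords range API that haveibeenpwned.com provides accepts only the first five hex characters of the password’s SHA-1 and returns every matching suffix with its breach count, so the comparison happens locally. This is an added example (Python), not code from the article; the `SAMPLE_RANGE` body is a constructed stand-in for the API response so the block runs offline, and `fetch_range` shows the live call.

```python
import hashlib
import urllib.request

def sha1_split(password: str) -> tuple[str, str]:
    """Uppercase hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(prefix: str) -> str:
    """Pwned Passwords range endpoint; only the prefix leaves your machine (k-anonymity)."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"

def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network access required; not used by the offline demo)."""
    with urllib.request.urlopen(range_url(prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines of a range response; return our suffix's count, 0 if absent."""
    for line in range_body.splitlines():
        line_suffix, sep, count = line.strip().partition(":")
        if sep and line_suffix.upper() == suffix.upper():
            return int(count)
    return 0

def is_pwned(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches, given the response for its prefix."""
    _prefix, suffix = sha1_split(password)
    return breach_count(suffix, range_body)

# Constructed stand-in for the response to GET .../range/5BAA6 (the counts are made up);
# the third suffix is the real SHA-1 tail of the password "password".
SAMPLE_RANGE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2C4F9C5B1C9DB0D1B3E6A1B2C3D4E5F6A:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
"""
```

Against the live API the same flow is `is_pwned(pw, fetch_range(sha1_split(pw)[0]))`; a non-zero count means the password is already in criminals’ hands and should be changed everywhere it is used.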
Ready to secure your emails against these threats?
Implement a technological solution that takes the burden of identifying fraudulent emails off your users. CORVID Email Protection carries out a wide variety of fraud and content checks on each inbound email to identify and stop phishing attacks before they can cause damage to your business. Speak to our experts today to find out how it can benefit you.