Headlining cyber news this week is Queensland's iconic XXXX beer company. 9news reports that beer could be in short supply over the next few weeks because the brand's owner, Lion Nathan, is grappling with a major cyber-security breach. Not just XXXX but also Furphy, James Squire and, for milk lovers, Dairy Farmers and Farmers Union alike. Such events are fast becoming everyday occurrences. Cyberattacks affect businesses in many ways and vary in nature, scope and severity. In 2019 alone cybercrime cost businesses $3.5 billion in reported losses, according to the FBI's Internet Crime Complaint Center (IC3). That figure excludes unreported losses, which are likely to be larger still. IC3 found that business email compromise (BEC) caused the most damage. To give you an idea of the nature and intensity of cyberattacks:

  • IC3 received 467,361 complaints in 2019, close to 1,300 per day
  • Phishing is responsible for 93% of email breaches

Beyond the reported losses, breaches bring regulatory fines, legal fees, operational disruption such as XXXX is now experiencing, and damage to brand and reputation, to name just a few costs.

In March 2020, Gartner predicted that through 2023 “BEC attacks will continue to double each year to over $5 billion and lead to large financial losses for enterprises.” That growth is partly driven by a constantly changing threat environment. As a consequence, traditional email security solutions are no longer enough on their own to protect your business.

Cybercriminals bypass those defences with techniques that include:

  • Spoofing
  • Social engineering
  • Fraud

You therefore need to protect yourself effectively against these sophisticated email threats.

Firstly, a comprehensive email gateway provides a solid foundation; secondly, a multilayered protection strategy that adds controls such as two-factor authentication (2FA) reduces your susceptibility to email attacks. Together these layers help to better defend your business, your data and your people.

Below we go through the 13 email threats you should know about, including their risks and impact on your business. Importantly, we explain how AI and API-based inbox defence can address the gaps in the email gateway and help provide comprehensive email protection against attacks.

Fighting the thirteen types of email attack

The email and phishing threats organisations face today vary in complexity, volume and the impact they have on businesses and their employees. They fall into two broad categories, the less complex and the more complex, and attackers often combine several threat types in a single campaign. The types are:

1. Spam

Also known as junk email, spam is unsolicited bulk email. Spammers send it to millions of addresses, knowing that a small number of recipients will fall for the trap. Spam takes different forms:

  • some push scams
  • others carry out email fraud
  • some are phishing emails that use brand impersonation to trick users into revealing personal information

Example of an attack

Impact of Spam

Even though spam is one of the less complex email threats, it still costs business around $20 billion per year in losses. Spam also lowers productivity by flooding inboxes with junk and burdens mail servers: it accounts for over half of the world's email traffic (53%). Thirdly, spam is used to distribute malware and phishing attacks at scale.

Strengthening email defence against spam

The latest gateways do very well at blocking spam. Because spam filters are deployed inline, they stop the message before it gets anywhere near the inbox. API-based inbox defence, on the other hand, is not as effective against these large-scale attacks: by sheer volume, spam is delivered into the inbox first and only later clawed back through the API, which degrades the inbox's performance.

2. Malware

Malware attacks are emails that carry malicious software. Cybercriminals typically hide the malware in an attached document or have the email link to a download on an external website. A few types of malware are:

  • Viruses
  • Trojans
  • Spyware
  • Worms
  • Ransomware

Common types of malware attacks

Volumetric malware:

Volumetric malware, also known as commodity malware and viruses, is designed to be spread in bulk. It targets older, unpatched systems by exploiting well-known vulnerabilities, and it can generally be caught by signatures and simple heuristics.

Zero-day malware:

Advanced malware attacks use zero-day threats (0-day for short). These are attacks that have not been seen before and so do not match any known malware signature. They may exploit a previously unknown software vulnerability or use a new malware variant delivered by ordinary means. The important thing to understand is that zero-day attacks cannot be detected by traditional signature-based solutions.

URL attacks:

URL attacks aim to get users to click a link that leads to a malicious website or downloads a malware payload.

Example of an attack

Impact of malware

An estimated 94% of malware is delivered by email. Ransomware is by far the most prevalent type: cybercriminals cash in by infecting your network and locking up email, data and other critical files until a ransom is paid. It is both costly and damaging. In 2019 alone ransomware costs were put at $170 billion, on top of paralysing day-to-day operations, which is exactly what XXXX is experiencing today. The financial losses come from downtime, ransom payments, recovery costs, lost sales from depleted stock, legal fees and other unbudgeted expenses. Not to scare you, but to give you the facts: the average ransom demand more than doubled from $41,198 in Q3 2019 to $84,000 in Q4 2019.

In 2019 many ransomware attacks made the headlines. Victims included local, state and federal government, schools, healthcare providers, libraries, courts and an array of other entities.

Email defense against malware

As with spam, malware protection is best done at the gateway, before any email reaches the inbox. Signature matching detects and blocks most known malware. For zero-day threats, more advanced techniques are available: sandboxing, for example, analyses suspicious files and links in an isolated test environment to confirm they are safe before they are delivered to users' inboxes. New malware signatures can then be created from the sandbox analysis, which helps to prevent future attacks.

3. Data Exfiltration

Next up in the less complex category is data exfiltration, also known as data extrusion, data exportation, data leakage, data loss and data theft. It is the unauthorised transfer of data from a computer or other device. It can be performed manually by someone with physical access, or remotely over the network as an automated process using malicious software. The attack is aimed at stealing your data, though data is at times also lost unintentionally through human error.

Impact of data exfiltration

The average cost of a data breach was $3.92 million in 2019, according to IBM's annual Cost of a Data Breach report, and the average breach exposed 25,575 records. That is a lot of money and a lot of information. In the healthcare sector the cost of a breach is almost double, and in the US the average cost of a breach is $8.1 million.

Not only does a data breach incur a financial loss but also a loss of reputation.

Email defence against data exfiltration

Secure email gateways are deployed inline with mail flow and can filter both inbound and outbound messages. Data loss prevention (DLP) is a combination of technologies and business policies put in place to ensure end users do not send sensitive or confidential data outside the organisation. To secure your data, a DLP system scans all outbound email for predetermined patterns. The sensitive data it protects can include credit card numbers, social security numbers and medical information.
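As an added illustration (example code written for this page, not from the original article or any vendor product), the block below shows the core of such an outbound DLP check in Python: regular expressions find candidate card and social security numbers, and a Luhn checksum plus the SSA issuance rules weed out the false positives a bare regex would raise. The sample message is constructed.

```python
import re

# Constructed sample of an outbound message (made-up data for this example).
SAMPLE_OUTBOUND = """Hi Sam,
Please process the refund to card 4111 1111 1111 1111 (exp 09/24).
The reference 4111 1111 1111 1112 is a job number, not a card.
Employee SSN on file: 123-45-6789. Ticket ref 000-12-3456.
Thanks, Jo
"""

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US social security number in the common AAA-GG-SSSS layout.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues (area 000/666/9xx, zero group or serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_sensitive(text: str):
    """Return (kind, match) pairs for every validated pattern hit in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):
            findings.append(("credit_card", m.group(0)))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    return findings


def dlp_verdict(text: str):
    """Policy decision for an outbound message: block if any sensitive data is found."""
    findings = find_sensitive(text)
    return ("block" if findings else "allow"), findings


if __name__ == "__main__":
    verdict, hits = dlp_verdict(SAMPLE_OUTBOUND)
    print(verdict, hits)
```

Run as-is, the sample is blocked for the one real card number and the one plausible SSN; the second 16-digit run fails Luhn and the 000-prefixed SSN fails the issuance check, so neither produces a false positive.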

4. URL phishing

In a phishing attack, cybercriminals are after your sensitive information: usernames, passwords and banking details, for example. URL phishing, also known as fake or phishing websites, is where cybercriminals use email to direct you, the victim, to a fake website that looks like the real thing and ask you to enter your username, password or banking details there.

Example of an attack

Impact of URL phishing

According to Verizon, roughly 32 percent of breaches in 2019 involved phishing. URLs feature in many phishing emails because they are both easy to deploy and effective, with a success rate of around 4% per campaign; it only takes one person to fall for the scheme. Only 57 percent of organisations have URL protection in place, according to a recent survey, so it is no surprise that losses in 2019 due to phishing reached almost $58 million.

Email defense against URL phishing

Gateways protect against mass URL phishing attacks. They deploy URL filtering and URL rewriting to block access to malicious links distributed via email, including known malware and phishing sites. Sandboxing is another effective way to help block malicious links.

API-based inbox defence complements and completes the protection a gateway provides. It learns the URLs an organisation normally exchanges and flags links that deviate from that history, including impostor URLs that appear in internal mail. Because it judges a link against the organisation's own communication patterns rather than a list of known bad sites, inbox defence can protect against targeted spear-phishing attacks that use malicious URLs regardless of whether the phishing website has been seen before.
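Added example (written for this page, not part of the original article): the link checks a gateway or inbox scanner applies to an HTML email, in Python using only the standard library. It flags the classic tricks: visible link text naming one site while the href goes to another, credentials in the URL's userinfo part, raw IP hosts and punycode hosts, and any link whose registrable domain is not on an allowlist. The sample HTML, the allowlist and the two-label "registrable domain" simplification are assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a phishing email (made-up for this example).
SAMPLE_HTML = """<p>Your account is locked. Sign in at
<a href="https://bank.example@198.51.100.7/login">https://www.bank.example/login</a>
or visit <a href="https://www.bank.example/help">our help centre</a>.
Statement: <a href="http://secure-bank.example.login-check.test/">bank.example</a></p>"""

# Domains the organisation legitimately links to (assumed allowlist).
TRUSTED = {"bank.example"}

# Link text that itself looks like a URL or a bare domain.
DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels. Simplification: real code should use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def assess_link(text: str, href: str, trusted=TRUSTED):
    """Return the list of reasons a link looks like phishing (empty means clean)."""
    reasons = []
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").lower()
    if parts.username:                      # https://bank.example@evil.test/ trick
        reasons.append("userinfo_in_url")
    try:
        ipaddress.ip_address(host)
        reasons.append("ip_literal_host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:   # IDN homoglyph domains
        reasons.append("punycode_host")
    if DOMAINISH.match(text) and registrable(host_of(text)) != registrable(host):
        reasons.append("display_text_mismatch")      # text names one site, href goes elsewhere
    if registrable(host) not in trusted:
        reasons.append("untrusted_domain")
    return reasons


def scan_email(html: str, trusted=TRUSTED):
    return [(text, href, assess_link(text, href, trusted)) for text, href in extract_links(html)]


if __name__ == "__main__":
    for text, href, reasons in scan_email(SAMPLE_HTML):
        print(f"{text!r:40} -> {href}: {reasons or 'ok'}")
```

The first link in the sample trips four checks at once (userinfo, IP host, text/href mismatch, untrusted domain), the genuine help-centre link passes, and the third link is caught by the mismatch between the displayed "bank.example" and the registrable domain login-check.test hidden behind a lookalike subdomain.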

5. Scamming

In scamming, a cybercriminal is looking to defraud victims or steal their identity. They achieve this with fraudulent schemes that trick victims into handing over personal information. Examples include fake job postings, investment opportunities, inheritance notifications, lottery prizes and fund transfers.

Impact of scamming

Scammers use a pool of techniques, ranging from fake lottery wins and inheritance claims to investment scams, and scamming accounts for 39% of all spear-phishing attacks. The volume rises during tragedies such as hurricanes and, at present, the COVID-19 pandemic, because scammers prey on our sympathy, charity or fear. It is not surprising that many individuals fall for email scams, sharing sensitive information or making payments to scammers. According to FBI records these scams have produced reported losses of millions of dollars.

Take a look at the losses reported by the FBI in 2019

Email defence against scamming

Some scamming emails can be classified as spam, so organisations should firstly use spam filters at the email gateway. This is an effective defence but should not be used in isolation, because aggressive filtering can at times misdirect important messages to the junk folder.

Secondly, API-based inbox defence is an effective second layer against scammers. When a scam email falls outside the normal, expected pattern of communication, the inbox defence uses the inbox history available through the API to flag and block it.

In other words, both spam filters at the email gateway and API-based inbox defence are required for good protection against would-be scammers.

6. Spear Phishing

Spear phishing, also known as laser phishing (and whaling when the target is a senior executive), is a carefully crafted message written with a particular victim in mind. It is highly personalised: cybercriminals research their victims and often impersonate a trusted co-worker, website or business. The aim is to steal sensitive data, which is then used to commit fraud, identity theft and other crimes. For example, if they capture your bank login via what you thought was a trusted website, they can steal company money. Cybercriminals are also renowned for combining spear phishing with social engineering, using urgency, pressure and threats of litigation to increase their success rate.

Impact of spear phishing

According to a recent Barracuda survey, 43 percent of businesses said they had fallen victim to a spear-phishing attack in the last 12 months, but only 23 percent said they had protection in place specifically to combat spear phishing.

The impacts of spear phishing include malware infection of machines and the network, direct monetary losses through wire transfers, and loss of reputation. Many cases also lead to theft of credentials and email account takeover, and the compromised accounts are then used to launch further spear-phishing attacks. To stop this vicious cycle, organisations need dedicated spear-phishing protection.

Email defence against spear phishing

API-based inbox defence builds a statistical model for each user from that user's historical email communications. The model is used to detect messages that fall outside the user's normal patterns, and so to predict and block spear-phishing attacks that have made it through the first line of defence, the gateway.

Gateways, in contrast, have no visibility into historical data: they evaluate each email against a set of pre-configured policies and filters rather than against the user's communication history. Spear-phishing attacks are designed to bypass exactly those filters and policies, and as a result they land in the victim's inbox.

In other words, API-based inbox defence is the best defence against spear phishing.

7. Domain Impersonation

Domain impersonation is also known as typosquatting or lookalike domains. These attacks impersonate a legitimate domain by altering the web address slightly, typically with a typo that is hard to spot at first glance. Domain impersonation is a very high-impact attack, and hackers at times use it as part of a conversation-hijacking attack. For example, the legitimate domain Rockit.cloud could be impersonated as:

  • Rocit.cloud
  • Rokit.cloud
  • Rackit.cloud
  • Rockit.clode

Similarly, a subtle change of top-level domain, such as .net or .co in place of the real one, is all it takes for an attacker to trick victims.

Cybercriminals register or buy these near-miss domains in preparation for their attack.

Impact of domain impersonation

Researchers at Barracuda have seen a huge spike in domain-impersonation attacks used to facilitate conversation hijacking. Analysis of 500,000 monthly emails showed roughly a fourfold increase: about 500 domain-impersonation attacks in July 2019 compared with more than 2,000 in November 2019.

Email defence against domain impersonation

The biggest challenge with domain impersonation is distinguishing a typosquatted domain from the real one. With so many email domains and possible variations, using gateway rules to detect impersonation produces large numbers of false positives while still letting impersonating domains through; the rules are error-prone and need continuous management and updates. API-based inbox defence instead uses past email communications to associate specific conversations, requests and people with the particular domains used by the organisation, its partners and its customers. When a vendor sends an unusual request from the wrong domain, inbox defence detects and blocks it.
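Added example, written for this page rather than taken from the original article: a small Python check that classifies a sender domain against the domains an organisation really deals with, covering the typo, homoglyph and top-level-domain variants of Rockit.cloud listed above, plus a generator for the typo variants a defender might pre-register or watch for. The confusable table and the two-edit threshold are assumptions; a production check would also consult the public suffix list.

```python
# Homoglyph/confusable substitutions attackers rely on (assumed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def normalize(label: str) -> str:
    """Fold confusable sequences so r0ckit and rockit compare equal."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Split 'Rockit.cloud' into ('rockit', 'cloud'). Assumes a single-label TLD."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def classify(candidate: str, known_domains):
    """Label a sender domain against the domains the organisation really deals with."""
    cname, ctld = split_domain(candidate)
    for legit in known_domains:
        lname, ltld = split_domain(legit)
        if (cname, ctld) == (lname, ltld):
            return "legitimate", legit
        same_name = normalize(cname) == normalize(lname)
        name_dist = levenshtein(normalize(cname), normalize(lname))
        max_dist = min(2, len(lname) // 3)   # short labels get a tighter threshold
        if same_name and ctld == ltld:
            return "homoglyph", legit          # r0ckit.cloud
        if same_name:
            return "tld_change", legit         # rockit.net, rockit.clode
        if 0 < name_dist <= max_dist and ctld == ltld:
            return "typo", legit               # rocit.cloud, rackit.cloud
    return "unknown", None


def typo_variants(domain: str):
    """Generate the omission, transposition and substitution squats of a domain."""
    name, tld = split_domain(domain)
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                              # omission
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
        for c in LETTERS:
            out.add(name[:i] + c + name[i + 1:])                      # substitution
    out.discard(name)
    return {f"{n}.{tld}" for n in out}


if __name__ == "__main__":
    known = ["rockit.cloud"]
    for d in ["Rockit.cloud", "Rocit.cloud", "Rokit.cloud", "Rackit.cloud",
              "Rockit.clode", "r0ckit.cloud", "rockit.net", "example.org"]:
        print(d, classify(d, known))
```

Every variant produced by typo_variants is classified as a typo of the real domain, which is the property a gateway rule list cannot offer without hand-maintaining each spelling; the known-domain list itself is what the API-based approach learns from history.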

8. Brand Impersonation

Brand impersonation is designed to trick a person into disclosing sensitive information. As the name suggests, the attacker impersonates a brand the victim knows and trusts.

Two common types of brand impersonation are service impersonation and brand hijacking.

Service impersonation, also called vendor email compromise, is a popular type of phishing attack that impersonates a well-known company or a frequently used business application. The emails are carefully put together and serve as an entry point to harvest credentials and carry out an account takeover. Above all, the attackers want to steal personally identifiable information such as credit card and social security numbers.

Brand hijacking is another common form of phishing attack that impersonates a company or one of its employees using the company's own domain. The emails appear legitimate, but the sending domain is spoofed.

Impact of brand impersonation

47 percent of all spear-phishing attacks use service impersonation. Microsoft is the most impersonated brand in spear-phishing attacks because cybercriminals want to take over email accounts: Office 365 credentials are sought after since they give access into an organisation from which to continue the attack.

Brand hijacking, or domain spoofing, is widely used by hackers. A recent study found almost 30,000 spoofing attacks each day. Spoofing is possible because the core email standards (SMTP, RFC 5321 and 5322) do not authenticate the domain in the From header; standards like SPF, DKIM and DMARC make these attacks much more difficult to launch. Fortune 500 companies make it easy for scammers to spoof their brands in phishing attacks: 77% of them do not have DMARC policies set up.

Most commonly impersonated brands

Email defence against brand impersonation

API-based inbox defence against service impersonation uses historical and internal email messages to gain visibility into the services an organisation uses. With that data it can differentiate fake from legitimate emails, including the branding and images of the legitimate services the organisation uses.

Gateways rely on predetermined policies: they have no visibility into the services an organisation uses and cannot recognise the specific branding and images used by legitimate brands. API-based inbox defence is a much more effective way of blocking service impersonation attacks.

DMARC gives an organisation visibility into domain fraud: its reporting shows how the organisation's email domain is being used and by whom. That in turn lets the organisation set up enforcing DMARC policies that prevent spoofing of the domain.
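Added example (written for this page, not from the original article): a Python checker for the two DNS TXT records that matter here. It parses an SPF and a DMARC record and reports the weak settings a practitioner looks for: p=none, an sp that undoes the parent policy, pct below 100, no rua reporting address, a permissive +all or ?all, a missing all term, and more than 10 DNS-lookup terms. The records are constructed and use rockit.cloud only as a placeholder domain.

```python
# Constructed DNS TXT records (rockit.cloud is a placeholder, not a real lookup).
RECORDS = {
    "strong_dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@rockit.cloud; adkim=s; aspf=s",
    "weak_dmarc": "v=DMARC1; p=none",
    "strong_spf": "v=spf1 mx include:_spf.mailprovider.test -all",
    "weak_spf": "v=spf1 a mx +all",
}

ENFORCING = {"quarantine", "reject"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """List the ways a DMARC record fails to stop spoofing (empty list = good)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        issues.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    if "sp" in tags and tags["sp"].lower() not in ENFORCING:
        issues.append(f"sp={tags['sp']}: subdomains can be spoofed")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so no visibility into domain use")
    return issues


def assess_spf(record: str):
    """List SPF weaknesses: permissive 'all', missing 'all', too many DNS lookups."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        issues.append("+all: any host may send as this domain")
    elif all_qualifier == "?":
        issues.append("?all: neutral result gives no protection")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return issues


if __name__ == "__main__":
    for name, record in RECORDS.items():
        print(name, assess_dmarc(record) if "DMARC" in record else assess_spf(record))
```

Note that ~all (softfail) is deliberately not reported as an issue: once DMARC is enforcing, anything other than an SPF pass fails alignment, so softfail and hardfail are treated the same by DMARC-aware receivers.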

9. Blackmail

Blackmail scams are increasing in frequency and sophistication, and in their ability to bypass email gateways. They include sextortion. In sextortion and other extortion attacks, cybercriminals use usernames and passwords stolen in data breaches to lend credibility and trick victims into handing over money. The scammers claim to have a compromising video of the victim, recorded through the victim's computer, and threaten to send it to all the victim's contacts unless they pay up.

Impact of blackmail

About 7% of spear-phishing attacks are blackmail. According to the FBI, extortion attacks cost more than $107 million in 2019. Attackers typically ask for hundreds or a few thousand dollars, amounts that people can hand over quickly, but these amounts soon add up.

Due to their potentially embarrassing nature, blackmail scams are thought to be under-reported and IT teams are left unaware.

Strengthening email defense against blackmail

Through the API, inbox defence accesses historical email and builds a statistical model of communication patterns, including the tone of voice individuals use. This allows inbox defence to recognise the threatening tone of a blackmail message and, in combination with other signals, identify it as malicious.

Gateways, on the other hand, lack visibility into historical email and cannot recognise an abnormal tone of voice. What they can do is monitor for some signs of blackmail, such as the use of keywords.

10. Business Email Compromise

In business email compromise (BEC), a scammer hoping to defraud the company impersonates an employee, customer or partner. Attackers generally home in on employees with access to business finances or to the personal information of clients and staff, for instance the CFO or CEO, in the hope of stealing money or sensitive information. Most of these emails contain no links or attachments; they rely on social engineering to trick victims into transferring money or disclosing sensitive information.

BEC is also known as CEO fraud, CFO fraud, whaling, social engineering, employee impersonation and wire transfer fraud.

Impact of business email compromise

Business email compromise makes up about 7% of spear-phishing attacks, yet it caused more than $1.7 billion in losses in 2019. Compared with blackmail, which accounts for the same share of spear-phishing attacks, the cost is substantially higher.

That is because two popular forms of BEC, payroll scams and fraudulent supplier invoices, target the finance department, for example by getting an employee's salary paid into a different, fraudulent account.

Email defence against business email compromise

API-based inbox defence uses historical email data to build identity graphs that capture who is likely to talk to whom and which identities they use. Sentiment analysis of the typical requests between employees adds a further signal. When an unusual request arrives, inbox defence can identify an impersonator from the communication history. Traditional email gateways, in contrast, have no view into communication patterns and relationships; they rely on predetermined rules and policies, and for spoofing and impersonation protection on customised granular policies and DMARC. Tightening those rules to catch BEC only increases false positives or false negatives, so gateways alone are not enough: API-based inbox defence is the superior defence against BEC.
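Added example, written for this page (it is not from the original article and not how any vendor's product works internally): a minimal identity-graph check in Python that serves both the spear-phishing defence in section 6 and BEC here. It builds the graph from a constructed message history, then scores a new message on display-name impersonation, first contact between a sender/recipient pair, a Reply-To that differs from the From, and financial and pressure wording. The keyword lists, weights and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed communication history: (from address, display name, to address).
HISTORY = [
    ("jane.doe@rockit.cloud", "Jane Doe", "finance@rockit.cloud"),
    ("jane.doe@rockit.cloud", "Jane Doe", "ops@rockit.cloud"),
    ("billing@supplier.test", "Supplier Billing", "finance@rockit.cloud"),
    ("finance@rockit.cloud", "Finance Team", "billing@supplier.test"),
]

FINANCIAL = ("wire", "transfer", "invoice", "payment", "gift card", "bank details")
PRESSURE = ("urgent", "asap", "immediately", "confidential", "do not tell")
WEIGHTS = {                    # assumed weights; tune against your own mail
    "display_name_impersonation": 3,
    "reply_to_mismatch": 2,
    "financial_request": 2,
    "first_contact": 1,
    "pressure_language": 1,
}


def build_identity_graph(history):
    """Who uses which address, and which sender/recipient pairs normally talk."""
    name_to_addrs = defaultdict(set)
    pairs = set()
    for sender, name, recipient in history:
        name_to_addrs[name.lower()].add(sender.lower())
        pairs.add((sender.lower(), recipient.lower()))
    return {"names": name_to_addrs, "pairs": pairs}


def score_message(msg: dict, graph: dict):
    """Return (verdict, score, reasons) for a message dict with from/to/display_name/body."""
    sender = msg["from"].lower()
    recipient = msg["to"].lower()
    name = msg.get("display_name", "").lower()
    body = msg.get("body", "").lower()
    reasons = []
    known = graph["names"].get(name)
    if known and sender not in known:          # "Jane Doe" <someone@webmail.test>
        reasons.append("display_name_impersonation")
    if (sender, recipient) not in graph["pairs"]:
        reasons.append("first_contact")
    reply_to = msg.get("reply_to", "").lower()
    if reply_to and reply_to != sender:         # replies silently diverted elsewhere
        reasons.append("reply_to_mismatch")
    if any(k in body for k in FINANCIAL):
        reasons.append("financial_request")
    if any(k in body for k in PRESSURE):
        reasons.append("pressure_language")
    score = sum(WEIGHTS[r] for r in reasons)
    verdict = "block" if score >= 5 else "flag" if score >= 3 else "allow"
    return verdict, score, reasons


# Constructed messages: a BEC attempt and a routine internal request.
BEC_ATTEMPT = {
    "from": "jane.doe.ceo@webmail.test", "display_name": "Jane Doe",
    "to": "finance@rockit.cloud",
    "body": "Urgent and confidential: please wire transfer $40,000 to the new account today.",
}
ROUTINE = {
    "from": "jane.doe@rockit.cloud", "display_name": "Jane Doe",
    "to": "finance@rockit.cloud",
    "body": "Please process the attached invoice by end of month.",
}

if __name__ == "__main__":
    graph = build_identity_graph(HISTORY)
    for m in (BEC_ATTEMPT, ROUTINE):
        print(m["from"], score_message(m, graph))
```

The routine message mentions an invoice too, but because it comes from the address the graph already associates with "Jane Doe" and from a pair that talks regularly, it scores low; the same wording from a webmail address borrowing her name is blocked. That difference is precisely what a gateway without history cannot express as a static rule.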

11 Conversation Hijacking

In conversation hijacking, the cybercriminal slips into one of your business email conversations after gathering information from an already compromised account; they can also initiate a conversation. They do this to steal money and/or sensitive information, studying past emails to understand business practices, payment procedures, contracts and other company details. It can be part of an email account takeover attack.

However, cybercriminals tend not to send the hijacking email from the compromised account itself. They prefer to use email-domain impersonation instead.

Example: an attempted conversation-hijacking attack using an impersonated internal email domain.

Impact of conversation hijacking

Domain-impersonation attacks used to enable conversation hijacking have risen roughly fourfold in recent months, although they remain few in number compared with other types of phishing. Most importantly, they are highly developed, very individualised attacks that are hard to detect, which makes them very effective and very costly. For instance, Barbara Corcoran, the Shark Tank investor, was scammed of $400,000 through email-domain impersonation. Her bookkeeper received a fake invoice that appeared to come from her assistant, from an address that closely resembled the assistant's; the assistant never sent it, the hijackers did. By the time Corcoran's IT team realised something was wrong, the $400,000 was already in the hijackers' bank account.

Strengthening email defence against conversation hijacking

As with BEC, inbox defence gains access to historical email communications through API integration, including external contacts and the history of interactions with them. If a trusted partner is impersonated during an attempted conversation hijacking, inbox defence blocks the attack.

Gateways have none of that visibility. Because the hijacked thread looks legitimate, the gateway delivers the email, and tightening its rules only creates false positives. As a result, the gateway cannot protect against conversation hijacking.

12. Lateral Phishing

To spread the attack, hijackers can use what is called lateral phishing: the already hijacked account is used to send phishing emails to its owner's contacts, both internal and external. Because the phishing email comes from a legitimate account belonging to a trusted person, the attack has a greater chance of success.

Impact of lateral phishing

According to a recent study by researchers from UC Berkeley, UC San Diego and Barracuda, 1 in 7 organisations has experienced a lateral phishing attack. These attacks spread far and wide and have severe consequences for businesses because they propagate through partner relationships: attackers target recipients with some work or personal connection to the hijacked account. More than 55% of attacks target people already known to the account, and 11% succeed in compromising further accounts, which in turn launch more lateral phishing. Above all, they are extremely damaging to a business's brand reputation.

Figure 1 – 1 in 7 organisations have experienced lateral phishing

Strengthening email defence against lateral phishing

For the most part, lateral phishing remains an attack inside the organisation.

To strengthen your defences, API-based inbox defence firstly provides visibility into internal communications, and secondly can detect lateral phishing and remediate it even after delivery. Email gateways, which sit at the perimeter and have no visibility into internal mail, cannot stop these attacks.

13. Account Takeover

Account takeover, or account compromise, is the most complex type of threat and is a form of identity theft and fraud. It is best described as a malicious takeover in which a third party gains access to your account credentials.

To steal your login details cybercriminals typically use brand impersonation, social engineering or phishing, all in order to take over your account. Once in, they learn how the company does business by monitoring it, noting for instance email signatures and the procedures around financial matters and authorisations. That knowledge helps them launch further successful attacks, including gaining access to even more company accounts.

Impact of account takeover

An analysis of account takeover attacks in March 2019 found that over 29% of businesses had Office 365 accounts compromised in that month alone, and 1.5 million malicious and spam emails were sent from those hacked accounts in those 31 days. In other words, almost one third of businesses. That is frightening.

Email defence against account takeover

API-based inbox defence can monitor messages and detect an account takeover before the account is used to commit fraud. It can also avert an attack by locking malicious users out of the compromised account. Gateways are not in a position to see or monitor this behaviour. Because inbox defence connects directly to the user's mailbox, it can recognise changes to inbox rules, unusual login activity and malicious messages, which makes it the best solution against account takeover.
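Added example (written for this page, not from the original article): detection logic in Python run over constructed audit-log lines in a key=value layout. It raises alerts for logins from countries outside a user's baseline and for newly created inbox rules that forward mail externally, delete it or carry an evasive name, then correlates the two to name probable account takeovers. The log format, field names and baseline are assumptions; map them to your own mail platform's audit log.

```python
import re
from collections import defaultdict

# Constructed audit-log lines in a key=value layout (made-up for this example).
SAMPLE_LOG = """\
2020-03-10T08:15:02Z user=jo@rockit.cloud op=UserLoggedIn ip=203.0.113.9 country=AU
2020-03-10T08:20:44Z user=jo@rockit.cloud op=UserLoggedIn ip=203.0.113.9 country=AU
2020-03-10T23:41:10Z user=jo@rockit.cloud op=UserLoggedIn ip=198.51.100.23 country=NG
2020-03-10T23:43:55Z user=jo@rockit.cloud op=New-InboxRule name="." forward=finance.docs@webmail.test delete=true
2020-03-11T09:02:13Z user=sam@rockit.cloud op=New-InboxRule name="Newsletters" movetofolder=Archive
"""

# Countries each user normally logs in from (assumed baseline; learned from history in practice).
BASELINE = {"jo@rockit.cloud": {"AU"}, "sam@rockit.cloud": {"AU"}}
INTERNAL_DOMAIN = "rockit.cloud"
EVASIVE_NAMES = {".", ",", "", "-", "_"}   # rule names chosen to be invisible in the UI

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split 'ts key=value key="quoted value"' into a dict (quotes stripped)."""
    timestamp, _, rest = line.partition(" ")
    event = {key: value.strip('"') for key, value in KV.findall(rest)}
    event["ts"] = timestamp
    return event


def detect(log: str, baseline: dict):
    """Per-event alerts: logins from unusual countries and dangerous inbox rules."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, op = ev.get("user"), ev.get("op")
        if op == "UserLoggedIn":
            if ev.get("country") not in baseline.get(user, set()):
                alerts.append((ev["ts"], user, "login_from_new_country", ev.get("country")))
        elif op == "New-InboxRule":
            forward = ev.get("forward", "")
            if forward and not forward.lower().endswith("@" + INTERNAL_DOMAIN):
                alerts.append((ev["ts"], user, "rule_forwards_externally", forward))
            if ev.get("delete") == "true":
                alerts.append((ev["ts"], user, "rule_deletes_mail", ev.get("name")))
            if ev.get("name", "").strip() in EVASIVE_NAMES:
                alerts.append((ev["ts"], user, "rule_with_evasive_name", ev.get("name")))
    return alerts


def correlate(alerts):
    """Users with both an unusual login and a suspicious rule: probable account takeover."""
    kinds = defaultdict(set)
    for _, user, kind, _ in alerts:
        kinds[user].add(kind)
    return sorted(u for u, k in kinds.items()
                  if "login_from_new_country" in k and any(x.startswith("rule_") for x in k))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, BASELINE)
    for alert in found:
        print(alert)
    print("probable takeover:", correlate(found))
```

The sequence in the sample (a login from an unfamiliar country followed minutes later by a rule that silently forwards and deletes mail) is the textbook post-compromise pattern; sam's housekeeping rule produces no alert, which is the false-positive case the correlation step is there to avoid.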

In summary, both traditional email gateway security and API-based inbox defence are important security measures for businesses, especially against these 13 types of attack.

Traditional email gateway security:

  • is designed to filter inbound and outbound email messages for malicious content.
  • uses technologies like reputation filters to look for low-reputation IPs.
  • evaluates email content for signs of malicious intent, scans for viruses and malware, authenticates the sender, and analyses URLs, blocking any that lead to phishing sites or sites that distribute malware.
  • is effective at detecting and blocking zero-day attacks and ransomware when it includes advanced threat protection technologies such as sandboxing, which evaluates new, never-before-seen malware variants in a controlled environment.

API-based inbox defence:

  • integrates directly with your email environment, including individual inboxes.
  • provides visibility into both historical and internal email communication for every individual in the organisation.
  • creates an identity graph for each user that reflects their communication patterns.
  • understands, based on historical data, which locations each employee is likely to log in from.
  • when something abnormal happens, its AI flags the message as potentially malicious and removes it from the user's inbox before they can interact with it.

At a glance

Since attackers are able to bypass a business's traditional defences like the gateway, it is now even more important to add a second layer of security, API-based inbox defence. Every business needs to think carefully about effective email protection, and that second layer is now vital.