Introduction

Email continues to be a major method of communication in both personal and professional contexts. The sheer proliferation of information transmitted via email every day makes it an appealing target for hackers. 

  • 30% of phishing emails bypass default security systems
  • One out of every 25 branded emails is a phishing email 
  • The average employee receives 4.8 phishing emails per day
  • 35% of professionals don’t know what “phishing” is 

(Source: Avanan)

While these statistics are certainly alarming, there are people out there like Evan Reiser, CEO of Abnormal Security, to stop email attacks in their tracks. Recently, Reiser joined Infosec’s Cyber Work podcast to explore the future of email attacks in 2020 and beyond. 

What are the types of phishing and email attack vectors?

Reiser breaks email attacks down into three groups: link-based attacks, attachment-based attacks and payload-less attacks. Reiser’s company, Abnormal Security, specializes in payload-less attacks. 

Like the name suggests, a payload-less attack isn’t carrying a viral load. There are no sketchy links or malicious attachments. Instead, the attack is geared towards tricking the recipient into disclosing sensitive information or willingly giving up money. Since they rely on an emotional response, they’re very clever and constantly changing. 

Payload-less attacks are also tough to detect. Traditional spam filters are taught to hunt for red flags like links and attachments, but payload-less emails don’t have those, so they can slip past filters undetected and hide amongst the innocent emails in a recipient’s inbox. 

What are some of the major shifts in email attack tactics you’ve seen since 2018 and 2019?

Gone are the days when attackers relied on simple spam emails from long-lost Nigerian relatives. As anti-spam technology evolved to effectively identify and filter spam emails, attackers had to step up their game. The result? A major rise in phishing tactics like business email compromise and supply chain compromise. 

Phishing tactics differ from spam because the attacks are targeted and better-researched. Think of a logger taking the time to search the forest for that perfect tree to cut down, instead of chopping down the whole forest and hoping for the best. In this case, instead of trees, attackers are looking for ideal targets. They take the time to research specific companies, figure out the names of people in key positions, like payroll or corporate leadership, and leverage that information to build the perfect snare. 

  • Business email compromise: For this attack, a hacker will gain entry to an employee’s email account and impersonate them. Usually, attackers target someone in an executive or leadership position because employees are more likely to trust them and follow the attacker’s instructions. According to the FBI, the attacker’s goal is usually financial, which led to BEC scams accruing $12 billion in losses from 2013 to 2018.
  • Supply-chain compromise: It’s getting harder for hackers to attack companies directly, so the clever ones are targeting third-party vendors as a stepping stone. Typically, the hacker will gain access to a vendor’s email account and hijack a purchase order or invoice, which they trick the company into paying. 

A lot of work goes into it, but according to Reiser, it pays off. “Rather than spamming out millions of emails and hoping that one in a million work, they’re […] doing a bunch of research to really personalize these email attacks and hoping that one out of ten work. And if it does work, it’s gonna be a one-hundred-thousand dollar win for them.”

What are some real-life email attack scenarios?

Reiser has seen tons of email attacks in action, and he says they vary in complexity from impersonating an executive to elaborate OneDrive schemes. 

Executive impersonation is one of the most prevalent forms of email attack. It falls into the business email compromise category of attack and usually involves an attacker masquerading as an executive. Once they’ve gained the trust of someone at the company, the attacker will ask them for money in the form of an invoice payment or gift cards. Instead of using malware to harvest money, the attack instead preys on an employee’s natural inclination to trust their higher-ups.

Reiser also recounts a complex, multi-step OneDrive scheme that tricked a company into sending money to an overseas bank. The attack revolved around the company’s treasurer. After researching the individual on LinkedIn, the attackers sent them an email spoofed to look like it was coming from Microsoft OneDrive. The email itself looked like it was coming from the treasurer’s boss and included information about the Q4 budget, which lent credibility to the email. The link led to a fake login page followed by a fake two-factor authentication page, which supplied the treasurer’s real password and mobile number to the hackers. 

In the second part of the attack, the hackers logged into the treasurer’s account and searched for the keyword phrase “wire transfer.” They found an email regarding the most recent wire transfer sent by the treasurer, including the Excel document used to issue cash transfers. The attackers then plugged in their own information and sent it to the finance department for approval. From there, the money ended up at a bank in China! 
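As an added defender-side illustration (this is example code, not from the podcast or from Abnormal Security's product), the Python below checks one raw message for three signals drawn from the executive-impersonation and OneDrive scenarios above: a known executive's display name on an outside address, a Reply-To that diverts answers to another domain, and a payload-less body that still asks for money. The company domain, the executive directory, the keyword list and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation data for the example (not real values).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Pat Lee": "pat.lee@example.com"}  # display name -> real mailbox
# Money-request lures from the scenarios above; assumed list, tune per organisation.
REQUEST_TERMS = ("wire transfer", "gift card", "invoice", "urgent", "q4 budget")


def score_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Executive's display name, but the address is not that person's mailbox.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display-name impersonation")
    # 2. Replies would go to a different domain than the one the mail claims to be from.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain mismatch")
    # 3. Payload-less: no link, no attachment, yet the text asks for a payment.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    has_payload = "http" in text or any(True for _ in msg.iter_attachments())
    if not has_payload and any(term in text for term in REQUEST_TERMS):
        findings.append("payload-less financial request")
    return findings


# Constructed lure: boss's name on an outside mailbox, answers diverted, no link.
LURE = """From: Pat Lee <pat.lee@mail-notify.example.net>
Reply-To: exec.desk@free-mail.example.org
To: treasurer@example.com
Subject: Q4 budget - quick favour
Content-Type: text/plain; charset=utf-8

I'm in a meeting, need you to process an urgent wire transfer today.
"""

# Constructed legitimate message from the real executive mailbox.
LEGIT = """From: Pat Lee <pat.lee@example.com>
To: treasurer@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    print(score_message(LURE))   # three indicators
    print(score_message(LEGIT))  # []
```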

… People still fall for that?

Not all email attacks are elaborate or clever. But don’t let that trick you into thinking they’re any less insidious. Reiser is surprised by how many people fall for a scam that starts with an email declaring, “Your car has been broken into!” To figure out what the heck happened to your car, you need to sign into a form. The form harvests your personal information and forwards it to an attacker. Meanwhile, your car is safe and sound — unlike the data you’ve just lost!

Are people getting more savvy about not opening phishing emails? 

Yes, according to Reiser, and employee training programs are to thank for that. Companies are moving away from exclusively relying on technology to combat email attacks, which puts their employees on the front lines. 

Basic cybersecurity training is a critical part of a protected workforce. When employees know how to spot phishing attacks and report them to IT, they’re helping keep the entire company safer and more secure. 

Where do you see email attacks going in five or ten years? 

Cybersecurity is an ever-changing field, so predicting where it’s going to be in a few years is a puzzle, but Reiser has some ideas. 

He thinks there’s a future for software that dynamically predicts new and emerging attacks. As machine learning improves, so will the effectiveness of dynamic anti-spam systems. Plus, the cost and computational power of running such a system will be greatly reduced. This will make it easier to combat future generations of email threats. 

We can see where cybersecurity is going by looking at its recent past. As anti-spam technology evolves, attackers have adapted to rely more on social engineering and manipulation to get what they want. Reiser doesn’t see that changing anytime soon. In fact, he thinks that as anti-spam technology advances, hackers will only double down on exploiting human judgment as the weakest link in the cybersecurity chain. 

The future of email attacks

As email attacks become more sophisticated, the key to defending the workforce against them lies in training and preparation. Employees at all levels, from interns to executives, should know how to quickly identify a malicious email and report it to IT. Infosec will make sure your employees are prepared to work on the front lines of cybersecurity!

To hear and see the complete interview and all of Ben’s answers, check out the episode at our YouTube page!


Sources

  1. Email attack trend predictions for 2020, Infosec
  2. How Email Became the Weakest Link and What Can Be Done About It, Avanan
  3. Business E-mail Compromise: The 12 Billion Dollar Scam, ic3.gov