What You Need to Know About Email Threats | Total Security

As email threats are increasing in popularity, what can you do to protect your business or personal account from attacks?



Email is such an integral part of everyday life that we tend to ignore it, even though it is the biggest threat to cybersecurity: almost all cybercrime relies on or uses email as part of the process.


Criminals play on our emotions, especially worry, fear, love, trust, and greed, seasoned with a hint of urgency. For every national or international disaster, there will be a thousand criminals trying to exploit it. Consider the spread of the coronavirus. Within days of a serious outbreak in Italy, 10% of all Italian organizations had been the target of a phishing email that (translated) read: “Due to the number of cases of coronavirus infection that have been documented in your area, the World Health Organization has prepared a document that includes all the necessary precautions against coronavirus infection. We strongly recommend that you read the document attached to this message.”


This is an example of standard 'spray and pray' phishing: the attack simply targets as many people as possible, knowing that some will be duped. It should not be confused with spear-phishing, where a single person or a small related group of people is targeted in a victim-centric manner.


The emotions at stake in the coronavirus phishing are worry, fear, trust (in the World Health Organization), and urgency (protect yourself before it's too late). The attractive attachment was titled "Coronavirus: Important Precautionary Information." Reading it leads to the Ostap Trojan-Downloader, which has been used elsewhere to download the TrickBot banking Trojan.


The coronavirus is being used as a 'lure', the bait that tricks you into responding to the email. Lures change based on current circumstances and targets. General lures, as in this example, are used in large-scale phishing campaigns. More specific lures based on the known interests of the target are used in targeted phishing known as spear-phishing. But phishing is not the only threat that arrives via email.


Statistics behind the threat

Email threat statistics vary slightly depending on their source and how the details are measured. However, we can confidently say that 90% or more of all company breaches involve emails; 90% or more involve successful spear-phishing activities, and 90% of all malware is delivered by email.


On the consumer side, the latest FBI figures for the US, released in February 2020, highlight Business Email Compromise (BEC), Senior Fraud (the elderly are particularly targeted in all forms of email scams), tech support fraud, and ransomware as 'Hot Topics'. The first no longer affects just companies, but can also target anyone who is considered to have resources. The last, although it now affects businesses, is still delivered to consumers via email. The other two are or often involve email correspondence.


An example of BEC fraud against a person (even though she has a small business) was the loss of $380,000 by Barbara Corcoran of 'Shark Tank' in February 2020. Apparently, an email from Barbara's assistant told her accountant to send $388,700.11 to a company in Germany. Barbara commented, "At first I was upset, but then I remembered it was just money", a comment that would only come from someone who could afford to lose $400,000.


The FBI report puts some numbers on other threats (but remember the reality is probably worse, since this only covers crimes reported to the FBI). Some examples include $475 million lost by victims of trust and romance fraud; $160 million lost to identity theft; $111 million to credit card fraud; $100 million to advance fee fraud (the so-called Nigerian fraud); $54 million to tech support fraud; and so on. This is for a single year, 2019.


Attack and defense

The attack

Scams come in three basic formats: an attempt to engage the victim in a conversation with the attacker (such as romance scams, advance-fee scams, lottery scams, and more); an attempt to make the target click on a link and visit a malicious site; and a malicious (weaponized) attachment.


To some extent, common sense can protect us from the first of these, but the elderly, the lonely, the confined, and the anxious are at risk. If we have a relative or neighbor like this, we can help simply by caring and being supportive.


The malicious attachment and the malicious link are the most widespread general threats that affect us all. The body of the email will contain a social engineering message designed to entice us to click a link in the message or open an attached weaponized document. The link could lead to a malicious site that tries to persuade us to enter personal data or bank account passwords, while the weaponized document could try to install malware directly, from an information stealer or bank-fraud malware to ransomware.


More advanced email attacks will 'spoof' the source, so that they appear to come from legitimate or genuine senders. For example, if you know or work with JoeBloggs@xyz.com, criminals may try to register JoeBloggs@gmail.com and send you an email that looks as if it came from him. Similarly, they can register lookalike domains, such as bankofamericaco.com (currently available) for bankofamerica.com, and build a malicious site there. The intention is to get you to trust both the sender and the destination of the link.
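The two spoofing patterns described above can be checked mechanically on the receiving side. The following is an added example, not part of the original article: the allow-lists, the function names and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allow-lists: addresses and domains the recipient really deals with.
KNOWN_CONTACTS = {"joebloggs@xyz.com"}
TRUSTED_DOMAINS = {"xyz.com", "bankofamerica.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(from_header: str) -> str:
    """Classify a From: header as known, trusted-domain, lookalike-* or unknown."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return "unknown"
    if addr in KNOWN_CONTACTS:
        return "known"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted-domain"
    # Same mailbox name as a known contact, but registered at a different domain.
    if any(local == c.rpartition("@")[0] for c in KNOWN_CONTACTS):
        return "lookalike-mailbox"
    # Domain that is a near miss of a trusted domain, or embeds its name.
    for good in TRUSTED_DOMAINS:
        name = good.rsplit(".", 1)[0]
        if edit_distance(domain, good) <= 2 or (len(name) > 5 and name in domain):
            return "lookalike-domain"
    return "unknown"
```

A "lookalike" verdict is a heuristic prompt to verify the sender through another channel, not proof of fraud; short trusted names need a tighter threshold to avoid false positives.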


The future

If you think things are bad today, they will only get worse in the future. Artificial intelligence and machine learning are touted as great security solutions. But they are also excellent attack tools.


Machine learning is a technology in which actions are learned by examining and analyzing large amounts of data, today known as big data. Criminals have access to the algorithms used in machine learning. They also have access to vast amounts of data to teach their machines.


At some point, criminals will use machine learning against the billions of stolen credentials available on the dark web to learn about targets and attack consumers at scale and automatically. The targeted attacks that we currently call spear-phishing will be launched on the scale of current 'spray and pray' phishing campaigns.


Technological solutions

Email and browser filters

The major email providers and browsers try to filter out threats. Built-in 'spam filters' will quarantine and then remove obvious attacks. This is great for removing much of the junk that arrives via email, but cannot be trusted to remove all phishing or even any spear-phishing attack.


Similarly, major browsers will prevent us from visiting known malicious sites. But remember that criminals can produce new malicious sites faster than defenders can find them. So again this is a help but not a solution.


Antimalware

Anti-malware is essential. Ignore claims that it cannot detect all malware. That may be true, but it can and does detect the vast majority of malware. A good, up-to-date, mainstream anti-malware product will protect you from all but the most advanced attacks using the latest unknown malware.


But you can't trust it for total security. Antimalware is just the important starting point for your defense against the email threat.


DMARC and BIMI

DMARC (Domain-based Message Authentication, Reporting, and Conformance) and BIMI (Brand Indicators for Message Identification) are technologies that should be implemented by all companies operating online. DMARC is a business-to-business and email provider technology that detects attempts to spoof a brand. If fully implemented, DMARC will block all fake emails that appear to come from legitimate companies.


The use of DMARC is growing, but only a small percentage of companies have adopted it. Consumers are left with a problem: while it stops spoofing of those companies that are using it correctly, the end-user could falsely believe that received emails are legitimate when they are not (because the sender is not using DMARC).


A solution to this can be found in BIMI. Companies that have implemented DMARC can use BIMI with the email provider to add a company logo adjacent to DMARC-protected emails. If this logo appears with the delivered email, it is a strong indication that the email is genuine.
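Whether a company is "using it correctly" is visible in the DMARC policy it publishes as a DNS TXT record. The following is an added example, not part of the original article: it parses such records and reports whether receivers are actually asked to act on failing mail. Tag names (`v`, `p`, `pct`, `rua`) follow RFC 7489; the sample records and `.example` domains are constructed.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample records, as they would be published in TXT at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "broken.example": "p=reject; v=DMARC1",
}

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into tag=value pairs; the first tag must be v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        tags.setdefault(name.strip().lower(), value.strip())
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    return tags

def enforcement(txt: str) -> str:
    """Classify what receivers are asked to do with mail that fails DMARC."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor-only"        # reports only; spoofed mail is still delivered
    if pct < 100:
        return f"partial-{policy}"   # policy applied to only pct% of failing mail
    return f"full-{policy}"

def audit(records: dict) -> dict:
    """Map each domain to its enforcement level, or to the reason it is invalid."""
    result = {}
    for domain, txt in records.items():
        try:
            result[domain] = enforcement(txt)
        except ValueError as exc:
            result[domain] = f"invalid: {exc}"
    return result
```

Only the `full-reject` case corresponds to the blocking behaviour described above; `monitor-only` and `partial-*` domains can still be spoofed in delivered mail.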


Personal solutions

While technology can reduce the threat of email, it doesn't come close to eliminating it. The final defense must be ourselves and our behavior: we must be aware that we are all constantly under attack. All emails should be reviewed with initial skepticism.


The first tip is to reverse the Russian proverb, "Trust but verify": now we should verify before trusting. If there's something in the email that doesn't look right (misspellings, grammar errors we wouldn't expect, or an attachment from someone we don't know or who doesn't normally send us attachments), pause and take a closer look. A good tip is to hover over the sender's name and see the email address that is being used.


The same process can be used with links embedded in the body of the email. What you see could be just 'Click here'. If you hover over the link, without clicking, you will see the actual address. It may be obviously malicious, or it may be disguised via a bit.ly-style link shortening service. If the latter, ask yourself if it is reasonable for the sender to use bit.ly.


But a word of caution: be very careful if you do this on a mobile phone or a laptop with a touchpad. Some touchpads are so responsive that it is easy to click a link when all you meant to do was hover over it.


In the final analysis, the best advice for handling email threats is to adapt Benjamin Franklin's comment, "Don't put off until tomorrow what you can do today", to "Don't do now what you can do so easily later." Inserting a delay between receiving an email and reacting to it will make it easier for you to see inconsistencies and hidden threats in the message.
