Mail

Email Security Education: Top Two Trends

26 March, 2020

Please note: For privacy reasons, the identity of the hacked accounts in the examples used for this blog have been changed or hidden.

Email remains the key way cybercriminals get into your business. It’s also the productivity tool most businesses rely on to get jobs done. With around 68% of email traffic within organizations believed to be spam or malicious in natureⁱ, it’s crucial to understand email attacks and tactics to combat these threats. Understanding cyber threats also puts managed services providers (MSPs) in a position to educate customers and provide them with tactics to educate their employees. Today, we look at the top threats we’ve seen for email so far this year.

Trend 1: Phishing continues to dominate

Phishing attacks have dominated the email security landscape with 93%ⁱⁱ of breaches resulting from phishing attacks and pretexting, and 84%ⁱⁱⁱ of social attacks involving phishing emails. Looking at the top threats we’ve seen so far, it’s likely this will continue into 2020.

Cybercriminals use this tactic, because it works. These campaigns are carefully developed to trick users into believing the sender is legitimate and prompt them to click on links and provide information such as credit card details.

PayPal phishing emails are still making the rounds. Hackers pretend to be PayPal with the aim of getting users to confirm their personal details. In the example, the email looks legitimate from a glance. But, if you take a closer look at the recipient, notice the sender is not a standard address. Hovering over the “Log In” link also shows it’s not a legitimate PayPal URL. Another popular campaign going around is Apple phishing emails. In our example the hackers are trying to retrieve sensitive billing information from recipients.

The top three tips users can employ to verify the legitimacy of emails of this nature, are:

Look at the email “From” field
Hover over the links within these emails (e.g. “Access my account”) to ensure it redirects to a secured link (“https:” and not “http:”)
Look at the language. These emails are normally crafted to create a sense of panic or urgency to act in the recipient.

Trend 2: Malicious email attachments

Emails with malicious email attachments are designed to get viruses, malware, Trojans, and more onto their victim’s computer—and ultimately into the company’s network, so they can either destroy data or steal information. Some of these threats can even enable hackers access to take control of a user’s computer. As such, they pose a serious threat to businesses.

Cybercriminals use different techniques to cloak malware in file attachments with the intent of tricking email scanning technologies and users. They typically send attachments with email content that convinces users to believe it’s legitimate. In this example, the hackers use Maersk—one of the world’s largest logistics companies—to try to infiltrate a Maersk customer’s account by prompting the user to download shipping documents.

Initially, the HTML attachment seems legitimate. It’s also a commonly used file type. While many users may recognize that .EXE and .PDF files are potentially malicious, many won’t think twice about opening an HTML attachment. However, HTML attachments are often used to deliver malware code to endpoints through embedded JavaScript. There is also an uptick in cybercriminals using HTML attachments to embed URL redirects that aim to trick antivirus scanning software or deliver the recipient to non-legitimate web pages. Once again, users should hover over the links to ensure it redirects to a secure URL. In the case of attachments, industry experts advise to first save the attachment to a downloads folder from where the true file type can be viewed. Finally, a generic greeting should also spark concern—legitimate companies often address the recipient by name.

Reducing your risk

Three things you can start doing today to help reduce your risk and that of your customers are:

Practice strong in-house security—including patching, putting up firewalls, running backup, and adding a professional email security solution. It also includes investing in advanced endpoint protection. Make sure to monitor for threats with advanced threat detection tools and use a password management tool.
Help customers establish and maintain a culture of security.
Teach users how to spot malicious emails. Share simple tips like the ones we discussed above—check the URLs in email to ensure it redirects to legitimate web pages, be on the lookout for malicious email attachments, and save the attachment to a downloads folder from where the file type can be viewed first before opening it. File types such as .JS, .EXE, .COM, .PIF, .SCR, .HTA, .vbs, .wsf, .jse, or .jar are malicious file types you shouldn’t open, though as we’ve seen above, HTML files can also be malicious.

One malicious email can cause a lot of damage to you and your customer’s businesses. Employing professional-grade email protection to prevent malware from getting into yours—and your customers’—networks, can help stop and mitigate damage by: