Email phishing has progressed from spoofed emails sent by gamers to a highly profitable practice for hackers all around the world. In fact, AOL was hit by some of the first major email phishing attacks in the early to mid-1990s. Attackers used random credit card generators to obtain user passwords, which gave them access to AOL's entire database.
AOL updated its security measures to prevent further harm, and the attacks were stopped. This led to the development of increasingly sophisticated attacks, including impersonation techniques, which are still widely used today.
Moving ahead to the present, the impersonation attacks that recently targeted both the White House and the WHO demonstrate that any institution is vulnerable to email attacks at some point.
According to Verizon's 2019 Data Breach Investigations Report, email phishing and social engineering were involved in about 32% of data breaches in 2019.
With that in mind, let's look at the many forms of phishing attacks and why they pose such a serious danger to your company today.
1. Phishing (Email Spoofing)
Email spoofing is when an attacker forges the email header and sender address so that the message appears to come from someone the recipient knows. The goal of this type of attack is to persuade the recipient to open the email and then click on a link or start a conversation with the attacker.
Compared with traditional hacking techniques, these attacks rely mostly on social engineering.
This may appear to be a fairly crude or "low-tech" approach to a cyberattack. In truth, attackers are very good at luring people in by sending persuasive emails to unsuspecting staff. Social engineering exploits the inevitability of human error rather than weaknesses in a system's security infrastructure.
Take a look: in September 2019, Toyota lost $37 million to an email scam. The attackers spoofed an email address and convinced an employee with financial authority to change the account information for an electronic funds transfer, resulting in a massive loss to the company.
2. Business Email Compromise (BEC)
BEC (Business Email Compromise) is a form of fraud that targets firms that execute wire transfers and have international suppliers. The email accounts of executives or high-level staff connected to finance or involved in wire transfer payments are either spoofed or compromised, using keyloggers or phishing attacks, in order to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. BEC attacks cost businesses around the world an average of US$140,000 in 2016.
According to the FBI's 2019 Internet Crime Report, BEC scams led to more than $1.7 million in losses and accounted for more than half of all cybercrime losses in 2019.
BEC attacks, often known as Man-in-the-Email scams, depend largely on social engineering techniques to mislead unsuspecting employees and executives. They frequently spoof the CEO or another executive with the authority to approve wire transfers. Fraudsters also conduct extensive research on, and monitoring of, their potential victims and the target organization.
3. Vendor Email Compromise (VEC)
Vendor email compromise is a particularly insidious variant of BEC. In these attacks, the "someone you know" is a vendor or supplier with whom you have a business relationship. Fraudsters gather information on possible targets, such as you, using a hacked business email account belonging to one of your vendors. A well-designed, psychologically compelling and well-timed email may be arriving in your inbox any day now.
Here is how a typical vendor email compromise attack unfolds:
• Compromise a Vendor's Email Account – The fraudster first gains access to one of your vendors' business email accounts. They usually accomplish this by sending phishing emails that appear to come from Microsoft Office 365, Google or other cloud services. The aim is to obtain the email credentials of someone who works in finance or accounts receivable.
• Gather Intelligence — and Wait – Once a user's account has been compromised, the fraudster begins gathering information to plan the next stage of the attack. This information gathering is itself part of the fraud. They set up email forwarding rules to keep track of the user's messages. They may also target coworkers to gain a better understanding of the vendor's procedures, such as your AP mailbox, billing terms or invoice status. Once ready, they wait for the right opportunity to strike.
• Execute the VEC Attack – The fraudster then carries out the attack with startling precision, using the hijacked account to send a flawless invoice to someone on your AP team or to update the vendor's bank account number. In many cases, victims are unaware that they have been scammed until the genuine supplier contacts them to ask about payment status.
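The forwarding rules set up in the second step above are one of the few artefacts a defender can look for before the attack is executed. The following is an added example, not code from the original post: it flags inbox rules that forward a mailbox's messages outside the organisation or that select finance-related mail by subject. The rule records, domains and addresses are constructed and simplified; a real export from your mail platform will have a different shape and needs mapping to these fields first.

```python
# Added example (not from the original post): flag mailbox inbox rules that fit the
# VEC reconnaissance pattern, where an intruder forwards a finance user's mail out
# of the organisation. Rule records below are a constructed, simplified shape.

INTERNAL_DOMAINS = {"example-vendor.com"}   # constructed: the vendor's own domain(s)
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance")

SAMPLE_RULES = [  # constructed sample export
    {"mailbox": "ar@example-vendor.com", "name": "Backup",
     "forward_to": ["ar.backup@mail.example.net"], "subject_contains": []},
    {"mailbox": "ar@example-vendor.com", "name": ".",
     "forward_to": ["x9@mail.example.net"], "subject_contains": ["invoice", "payment"]},
    {"mailbox": "sales@example-vendor.com", "name": "Team copy",
     "forward_to": ["team@example-vendor.com"], "subject_contains": []},
]


def is_external(address):
    """True when the address's domain is not one of the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_suspicious_rules(rules):
    """Return (mailbox, rule name, reasons) for every rule that deserves an analyst's look."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule["forward_to"] if is_external(a)]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        terms = [t for t in rule["subject_contains"] if t.lower() in FINANCE_TERMS]
        if external and terms:
            reasons.append("selects finance mail by subject: " + ", ".join(terms))
        if len(rule["name"].strip()) <= 1:
            # Intruders often give rules a blank or one-character name to hide them.
            reasons.append("nearly empty rule name")
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for mailbox, name, reasons in find_suspicious_rules(SAMPLE_RULES):
        print(mailbox, repr(name), "->", "; ".join(reasons))
```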
Nikkei Inc., Japan's largest media company, lost $29 million in September 2019.
What about DMARC?
Companies worldwide are increasing their cyber security spending in order to limit incidents like the examples above. According to IDC, global security expenditure is projected to reach $133.7 billion in 2022.
However, the reality is that email security solutions like DMARC are still not readily available. DMARC was launched in 2011 to prevent targeted BEC attacks, which are well known to threaten companies across the globe.
DMARC works together with SPF or DKIM to determine what action should be taken to safeguard the integrity of your domain against unauthenticated emails.
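To make the SPF/DKIM interaction concrete, here is an added example (not code from the original post) of how a receiving server applies a domain's DMARC record: it parses the TXT record, checks whether a passing SPF or DKIM result aligns with the visible From: domain, and otherwise applies the published policy. The domains, records and authentication results are constructed, and relaxed alignment (a subdomain of the From: domain counts) is assumed.

```python
# Added example (not from the original post): how a receiving mail server applies
# a DMARC record. Domains, records and SPF/DKIM results below are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags


def aligned(from_domain, auth_domain):
    """Relaxed alignment: the authenticated domain equals the From: domain or is a subdomain of it."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def dmarc_disposition(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass' if SPF or DKIM passed *and* aligns with the visible From: domain;
    otherwise return the domain owner's requested policy: none, quarantine or reject."""
    policy = parse_dmarc(record)["p"].lower()
    spf_ok = spf_pass and aligned(from_domain, spf_domain)
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain)
    return "pass" if (spf_ok or dkim_ok) else policy


# Constructed records: monitoring only (the weak setting) versus enforcement.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Spoofed message: From: says example.com, but SPF only passed for the sender's
    # own relay domain, so nothing aligns with example.com. With p=none the message
    # is still delivered; with p=reject the receiver is asked to refuse it.
    for rec in (WEAK_RECORD, STRICT_RECORD):
        print(dmarc_disposition(rec, "example.com", True, "bulk-relay.example.net", False, ""))
    # Legitimate message signed with DKIM d=mail.example.com aligns under relaxed mode.
    print(dmarc_disposition(STRICT_RECORD, "example.com", False, "", True, "mail.example.com"))
```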