
Email fatigue among users opens doors for cybercriminals


Given the mass migration to remote work, more critical business data is being shared by email than ever before. Users can now receive hundreds of emails a day, and sifting through them is time-consuming and exhausting.

Faced with that skyrocketing volume, it’s no wonder that email fatigue is growing. Unfortunately, that fatigue makes it more likely users will click on a malicious email without knowing it – which explains why 94% of malware is now delivered via email.

Examining recent examples of email attacks not only ensures you’re aware of the different ways criminals are exploiting employee inboxes, it is also the first step to combatting the rising threat.

While spam is now considered an old-school tactic, cybercriminals still use it for malicious purposes. The fake unsubscribe spam email is a tactic used by criminals to refine their mailing lists and verify email addresses. When a user clicks on a fake link in a spam email, they are confirming to the spammer that their email address is correct, active, and checked on a regular basis. From there, the user can be targeted to receive more email attacks with more malicious payloads.

Phishing accounts for more than 80% of reported security incidents. A prime example happened this past May when Nobelium (the group behind the infamous SolarWinds attack) used phishing attacks to drop backdoor malware on 150 different organizations. Other recent phishing attacks include one on Five Rivers Health Centers in Dayton, Ohio, where 155,000 patients had their protected health information exposed for two months due to an email phishing attack. In 2020, Her Majesty’s Revenue and Customs (HMRC) in the U.K. was investigating more than 10,000 phishing scams that exploited public fears of the coronavirus.

Ninety-five percent of all attacks on enterprise networks are the result of successful spear phishing. In November 2020, the co-founder of Australian hedge fund, Levitas Capital, was a victim of a whaling attack, which is a form of spear phishing. While the attack cost the company $800,000 – quite a bit less than the $8 million originally targeted – it also resulted in the loss of the hedge fund’s largest client. In the end, the business was required to permanently close.

In 2019, a cybersecurity survey revealed that 26% of organizations worldwide were targets of one to 10 business e-mail compromise (BEC) attacks. According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams were the most expensive of cyberattacks in 2020 with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on:

  • Shark Tank host Barbara Corcoran, who lost $380,000;
  • The Puerto Rican government, in an attack that amounted to $4 million;
  • And Japanese media giant Nikkei, which transferred $29 million based on instructions in a fraudulent email.

Cybercriminals continuously perfect their email strategies by playing on a victim’s emotions: creating fear, exploiting greed, taking advantage of an individual’s curiosity, asking for help, or enticing users to feel empathy or sympathy. This approach is often used by ransomware-as-a-service attackers.

In the ransomware-as-a-service model, a malware gang gives these attackers, called distributors, the tools to spread ransomware, while the distributor’s goal is to infect as many computers as possible. It is the same distribution model that big SaaS vendors use. To improve their effectiveness, cybercriminals now use artificial intelligence (AI) and automation to scale their email attacks.

Unfortunately, users do not necessarily know that their systems are infected. Malware can lie dormant for a period or go undetected. Advanced persistent threats (APTs) go undetected an average of 71 days in the Americas, 177 days in EMEA, and 204 days in APAC.

Given its success, we can expect cybercriminals to continue making email a star in their attack strategies.

Stopping email cyberthreats

To stop or mitigate the risk of an attack, a business has three defenses that must be used in parallel:

  1. Continuous user education on what new attacks look like.
  2. Advanced anti-malware that provides a multi-layer approach to stop attacks in their tracks.
  3. An incident response plan to respond and manage an attack, mitigate the damage, and recover as quickly as possible.

When it comes to email security, a one-and-done approach never works. Malware will get through a single defense, so a solution must offer multiple layers of protection. That way, if malware bypasses one defense, a subsequent layer will stop it. Consider the following multi-layered protection program:

  • An anti-spam engine that reduces risks by preventing unwanted spam
  • Anti-evasion technology that prevents advanced evasion techniques that use embedded files and malicious URLs
  • Threat intelligence to prevent emerging threats from infiltrating your emails
  • Anti-phishing engines to prevent any type of phishing attack before it reaches users
  • Anti-spoofing technology to keep users protected against social engineering, payload-less attacks
  • Antivirus software for emails to minimize the risk of being infected by malware through email
  • Detection to prevent advanced attacks, such as APTs and zero-day attacks that conventional defenses miss

Using a multi-layered approach combined with solutions like Acronis Cyber Protect, which includes URL filtering, can help block malicious domains and downloads of malware, preventing systems from being infected in the first place.