A cyberattack can affect your business in many ways, depending on its nature, scope, and severity. According to the FBI’s Internet Crime Complaint Center (IC3), reported cybercrime losses reached $3.5 billion in 2019 alone, with business email compromise (BEC) accounting for the largest share. That figure excludes unreported losses, which are significant. IC3 received 467,361 complaints in 2019, more than 1,300 per day, and phishing is responsible for 93 percent of email breaches. Attacks also carry indirect and intangible costs, such as legal fees, regulatory fines, operational disruption, damage to brand reputation, and other severe consequences.
This edition of our Technology Tips takes a look at the top email threat types, including their risks and impact on businesses.
Top 13 Email Threats You Should Know About
The email and phishing threats faced by organizations today vary greatly in complexity, volume, and the impact they have on businesses and their employees. Here’s a look at the top 13 email threat types.
- Spam – Spam is unsolicited bulk email, also known as junk email. It comes in various forms: some spam pushes scams, some is used to conduct email fraud, and some is phishing email that uses brand impersonation to trick users into revealing personal information, such as login credentials and credit card details.
- Malware – Cybercriminals use email to deliver documents containing malicious software, also known as malware. Typically, either the malware is hidden directly in the document itself, or an embedded script downloads it from an external website. Common types of malware include viruses, Trojans, spyware, worms, and ransomware.
- Data Exfiltration – Data exfiltration is the unauthorized transfer of data from a computer or other device. It can be carried out manually by someone with physical access to the machine, or automatically by malicious code that sends data out over the internet or the local network. Attacks are typically targeted, with the objective of gaining access to a network or machine to locate and copy specific data.
- URL Phishing – In phishing attacks, cybercriminals try to obtain sensitive information for malicious use, such as usernames, passwords, or banking details. With URL phishing, cybercriminals use email to direct their victims to a fake website that looks like a legitimate one and to enter sensitive information there. The fake sites themselves are also referred to as phishing websites.
- Scamming – With email scamming, cybercriminals use fraudulent schemes to defraud victims or steal their identity by tricking them into disclosing personal information. Examples of scamming include fake job postings, investment opportunities, inheritance notifications, lottery prizes, and fund transfers.
- Spear Phishing – This is a highly personalized form of email phishing attack. Cybercriminals research their targets and craft carefully designed messages, often impersonating a trusted colleague, website, or business. Spear-phishing emails typically try to steal sensitive information, such as login credentials or financial details, which is then used to commit fraud, identity theft, etc.
- Domain Impersonation – Domain impersonation is often used by attackers as part of a conversation-hijacking attack. Attackers impersonate a domain through typosquatting: replacing one or more letters in a legitimate email domain with a similar-looking letter, or adding a hard-to-notice letter to the legitimate domain. In preparation for the attack, cybercriminals register or buy the impersonating domain. Because the attacker controls that lookalike domain, mail sent from it can pass SPF and DKIM checks, so email authentication alone does not catch it.
- Brand Impersonation – In brand impersonation, the attacker poses as a company or a brand to trick victims into responding and disclosing personal or otherwise sensitive information. Common types of brand impersonation include service impersonation and brand hijacking.
- Extortion – In extortion attacks, cybercriminals leverage usernames and passwords stolen in data breaches, quoting them to make their claims credible and to pressure victims into paying. The scammers claim to have a compromising video, allegedly recorded on the victim’s computer, and threaten to share it with all of the victim’s contacts unless they pay up. This variant is commonly known as sextortion.
- Business Email Compromise – In BEC attacks, scammers impersonate an employee in the organization in order to defraud the company, its employees, customers, or partners. Attackers focus their efforts on employees with access to the company’s finances or personal information, tricking individuals into performing wire transfers or disclosing sensitive information.
- Conversation Hijacking – With conversation hijacking, cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts to steal money or personal information.
- Lateral Phishing – In lateral phishing, attackers use recently hijacked accounts to send phishing emails to unsuspecting recipients, such as close contacts in the company and partners at external organizations, to spread the attack more broadly. Because these emails come from a legitimate account and appear to be from a trusted colleague or partner, they have a high success rate.
- Account Takeover – This is a form of identity theft and fraud in which a malicious third party gains control of a user’s account credentials. Cybercriminals use brand impersonation, social engineering, and phishing to steal login credentials and access email accounts. Once an account is compromised, attackers monitor its activity to learn how the company does business, the email signatures it uses, and the way financial transactions are handled, before launching fraud from it.
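The Domain Impersonation and Business Email Compromise entries above describe what an attacker does; the following script shows the two checks a mail filter can run on an inbound message to catch them. It is an added example written for this page, not code from the article or any vendor product. The domain allow-list, staff roster, confusable-character table and sample message are all constructed for the demonstration; a real deployment would use its own values and a public suffix list for the registrable-domain step.

```python
"""Inbound-mail checks for lookalike sender domains and display-name impersonation.

Added example for the Domain Impersonation and BEC threats; not the article's code.
Allow-list, roster, confusable table and sample message are constructed inputs.
"""
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation owns or trusts (constructed allow-list).
LEGIT_DOMAINS = {"example.com", "example-partner.com"}

# Display names attackers are most likely to borrow (constructed roster).
EXECUTIVES = {"Jane Smith", "Accounts Payable"}

# Character sequences that look alike in common fonts. Both sides of a comparison
# are folded with this table so "examp1e" and "exarnple" both collapse to "example".
# Assumed, deliberately short list; a production filter would use a fuller one.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

# Edit-distance matching on very short labels produces false positives, so only
# apply it when the legitimate label is at least this long (assumed threshold).
MIN_LABEL_LEN = 5


def fold_confusables(label: str) -> str:
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or adjacent transposition each count as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(domain: str) -> str:
    """Keep the last two labels ('mail.example.com' -> 'example.com').
    Simplification: a real filter would consult the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_domain(sender_domain: str, legit_domains=LEGIT_DOMAINS):
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched legit domain or None)."""
    sender = registrable(sender_domain)
    if sender in legit_domains:
        return "legitimate", sender
    s_label = fold_confusables(sender.rpartition(".")[0])
    for legit in legit_domains:
        l_label = fold_confusables(legit.rpartition(".")[0])
        # Same label under another TLD, or one substitution/insertion/omission/
        # transposition away once lookalike characters have been folded.
        if s_label == l_label:
            return "lookalike", legit
        if len(l_label) >= MIN_LABEL_LEN and osa_distance(s_label, l_label) <= 1:
            return "lookalike", legit
    return "unrelated", None


def check_message(raw: str) -> list:
    """Flag a lookalike sender domain and a staff display name on an outside address."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    verdict, matched = classify_domain(domain)
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} looks like {matched}")
    if name in EXECUTIVES and verdict != "legitimate":
        findings.append(f"display name '{name}' matches staff but address is {addr}")
    return findings


# Constructed sample: a BEC-style wire-change request from a typosquat of example.com.
SAMPLE = """From: "Accounts Payable" <ap@examp1e.com>
To: finance@example.com
Subject: Re: Updated wire instructions

Please use the new beneficiary account below for this week's payment.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("ALERT:", finding)
```

Running the script prints two alerts for the sample: the domain examp1e.com folds to example.com, and the display name matches a finance role while the address is not on an owned domain. The folding step matters because a plain edit distance treats "exarnple" as two edits away from "example" and would miss it; conversely, the minimum-label-length guard keeps the distance check from flagging every five-letter domain that happens to be one letter off a four-letter legitimate one.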