Thought leadership. threat analysis, news and alerts.
You have a backdoor to your business, and it's Email
Email is the most widely used form of business communication today. It’s inexpensive and fast. This form of communication, however, exposes businesses to cyber criminals.
Malicious cyber criminals consider the email as businesses’ backdoor – a vulnerable feature of a computer system that calls for exploitation. Failing to protect your business emails is like fortifying your house with the latest alarm systems and then leaving your backdoor wide open.
Symantec in its 2016 Internet Security Threat Report estimated that nearly 190 billion emails were in circulation each day in 2015 alone, with an average of 42 emails sent and received by each business user every day – a growing number of users reading their emails on their mobile devices.
Symantec reported that in 2015, email spam rate increased by 53%; phishing rate at one in 1,846 emails; and malware rate in one in 220 emails. “For cybercriminals who want to reach the largest number of people electronically, email is still the favored way to do it,” Symantec said.
3 Ways Cyber Criminals Exploit the Vulnerabilities of Emails
Cyber criminals exploit the vulnerabilities of emails in a number of ways. Here are 3 ways cyber criminals exploit emails:
1. Business Email Compromise (BEC) Scams
The cyber threat called business email compromise (BEC) relies on the oldest trick of con artists: deception. In BEC, con artists zero in employees who have access to company’s finances, deceiving them into making wire transfers to bank accounts thought to belong to business partners – when in fact, the money ends up in the accounts of cyber criminals.
BEC is one form of phishing – a form of identity theft that tricks people to reveal their Social Security numbers, bank account numbers and other valuable details – by making an email looks like it came from a legitimate source such as a bank, a partner company or government agency.
The Federal Bureau of Investigation (FBI) reported that since 2013, organized crime groups, employing the business email compromise scam, have targeted small and large organizations and companies in every U.S. state and more than 100 countries around the world. According to the FBI, since January 2015, there has been a 1,300 percent increase in BEC, with losses now totaling over $3 billion.
Tech giants such as Google and Facebook are not spared by BEC scammers. In March 2017, the FBI arrested Evaldas Rimasauskas for scamming multinational internet companies of over $100 million via email compromise scheme. While the FBI didn’t name the companies, a Fortune investigation revealed that the multinational internet companies referred by the FBI as victims of Rimasauskas were tech giants Google and Facebook. In the Rimasauskas case, Google and Facebook thought they were communicating via email with a legitimate staff of Quanta – supplier of the tech giants’ computer servers.
Business Email Compromise (BEC) Scams Prevention
BEC scams can be prevented in the following manner:
Phishing Scams Prevention
Here are some of the ways to prevent phishing scams in general:
2. Malware Spread
Email is one of the oldest ways to spread malware – short for “malicious software” – software designed to damage or infiltrate computers without the users’ consent. In May 2000, the malware called “ILOVEYOU” infiltrated millions of computers. The ILOVEYOU malware comes in a form of an email from someone the receiver know, with a subject "ILOVEYOU" and the body of the message reads "kindly check the attached LOVELETTER coming from me."
An enormous number of people – probably out of the universal need to be loved – opened the ILOVEYOU email and downloaded the attached file. Once run, the malware overwrites all computer files and then send an identical email to all the contacts of a victim's Outlook address book. As a result of the ILOVEYOU malware, a number of mail systems worldwide were overloaded causing a meltdown of electronic communication among businesses and governments.
Malware Spread Prevention
Here are some of the ways to combat the spread of malware sent via emails:
3. Denial of Service (DoS) Attack
A denial-of-service (DoS) attack is an attempt by cyber criminals to prevent legitimate users from accessing online services like email. Spam email messages can be used by attackers to prevent your customers from emailing your company.
Email accounts, whether supplied by a paid service or free services such as Yahoo or Gmail, are assigned a specific quota. This quota limits the number of emails that your business account can receive at a given period of time. When attackers bombard your business account with too many or large email messages, this can consume your quota and prevents your company from receiving legitimate messages.
DoS Attack Prevention
To prevent DoS attack.
When you have questions, connect with us and get the answers you need.
Why do we fall victim to email phishing attacks?
Cyber criminals are crafty when it comes to email phishing attacks. Judging by the results of the most recent Google email phishing campaign, they are succeeding. Cyber criminals are smart, knowledgeable and won’t stop at any means to achieve their goals, which is to acquire your personal information and use it against you and the people on your contact list.
Almost daily, people receive fake emails asking for their personal information, such as user IDs and passwords. These phishing emails can be disguised as if they came from your bank, your email provider, a government agency or even your employer. Cyber crime gangs often prey on our own cybersecurity illiteracy and laziness.
Let me ask you a few questions:
Since cybersecurity illiteracy is what cybercriminals use as an advantage, cybersecurity literacy and awareness would be a good antidote.
The easiest way to spot a phishing email
Most fake emails can be spotted by simply looking at the “from” email address. An email from a fake sender would look something like this: Google Support <firstname.lastname@example.org>. This is definitely a fake. It might not be obvious, but that an email from Google would most certainly come from email@example.com.
In any event, here is the easiest way to spot a phishing scam. Please remember it, print it out and share with others:
If you receive an email whereby someone is asking for your personal information, including your user ID and / or passwords with a sense of urgency, most likely it’s a phishing scam.
Why? Because you bank, your email provider, or your employer WILL NEVER ASK FOR YOUR PERSONAL INFORMATION VIA EMAIL.
For example, you received an email that appears to be from your bank, and it looks something like this:
This is to inform you that due to suspicious activity, your savings account has been locked. Please click here to change your password immediately to re-gain access to your account.
Customer Service Manager”
While it appears legitimate, your bank will never ask to provide any personal information via email. In most cases, they will call you, and will ask you to go to the nearest branch to address any account security related issues.
Even when someone calls you and introduces him or herself as a banking specialist asking for your personal information, you don’t have to provide it. Hang up, call your bank using the number on the back of your bank card, and tell them that you were contacted, and if there are any issue they could help you address. Same goes to calls from any government agency, including the IRS.
A Sophisticated Phishing Attack
As reported by several cyber security researchers, and the mainstream media, cyber criminals unleashed a new, sophisticated phishing campaign targeting both individuals and corporate Gmail users. In fact, it’s so sophisticated, that even savvy users are being tricked by it.
An email arrives with a link, and when clicked, it asks for your Gmail user credentials. The trick is that the page looks exactly like the original Gmail sign on page. When you enter your user ID and password, the attackers automatically log into your Gmail account. When they are in, they immediately begin gathering additional information to support further attacks. Appears that they are looking for the attachments you’ve previously shared with others, and gather email addresses from your contacts.
The contacts they gather, inevitably become new targets. Now rogue emails are coming from someone the victim knows.
It's very hard to notice foul play since the URl in the email is disguised very well. In most cases, victims won't even look at the address bar at the top to validate the website's authenticity.
How to protect yourself against phishing attacks?
Fortunately, you can protect your account almost instantly by enabling 2-step verification for your Gmail account. Even if you don’t use Gmail, and use another Cloud email service, we recommend that you enable a 2-step verification without delay.
When 2-step verification is enabled, unless cybercriminals have direct access to your smartphone, it would be nearly impossible for them to use your password, even if you have fallen victim to a phishing attack.
Instructions on enabling 2-step verification for Gmail (personal use):
Instructions on enabling 2-step verification for Gmail (corporate accounts). Note that for corporate accounts, you need to share these instructions with your IT department, and Gmail administrator will be able to add the extra security centrally:
Have questions? Please contact us and we will be more than happy to assist.
Steve E. Driz, I.S.P., ITCP