Understanding Email Attacks

Business emails are one of the main targets for hackers and scammers. Since emails can be sent freely to business addresses, they represent an easy avenue for a number of cyberattacks. Email provides quick and easy communication between employees. Unfortunately, the convenience of email is often what hackers rely on.  

The risk of email cyberattacks goes down drastically by following even the most basic email best practices. Knowing how to protect your business email is important. This blog will outline some common types of email attacks and provide some of these best practices to get you up to speed. 

Is Email Secure? 

In its most basic form, email is one of the most easily exploitable attacks surfaces on a network. Since every business uses email, it is a reliable and predictable method to commit cyberattacks. Hackers have been exploiting email for years now, so it is also one of the most tried and tested cyberattack routes. 

Email is by design an open format. This means that there are no real security measures in place to stop people from reading emails. This is convenient as it allows employees with accounts on the email server to quickly access incoming emails. It also represents a treasure trove for hackers who can potentially read intercepted emails just as easily as the intended recipient. 

In the past, sensitive data has been stolen by intercepting emails. Over the years email security awareness has improved, and most people know by now not to put sensitive data in the main body of emails. This does still happen from time to time however. 

In general, files attached to emails are encrypted when transferred. This prevents hackers from intercepting attachments as easily. This generally doesn’t concern hackers though, as most email attacks target low hanging fruit. The sheer volume of emails sent in a business means someone will inevitably make a mistake. 

Common Email Attacks 

Even though intercepted emails are a concern, they actually represent a surprisingly small portion of email attacks. Most of the time hackers make use of the open format of email in other ways. The vast majority of email attacks are carried out using social engineering techniques. Here are some examples of email attacks: 

Phishing 

Phishing attacks are the most common social engineering attack. This is when hackers send out spam emails to numerous addresses, this is known as ‘spraying’. These emails will contain links to scam websites, or files containing malware. Phishing is not targeted specifically, instead the hacker hopes the volume of emails sent means someone will take the bait. 

Spear Phishing 

Spear Phishing is another social engineering trick. Much like regular phishing, spear phishing involves sending phoney emails to bait people. Spear phishing usually requires more thought from the hacker however. Spear phishing emails will target specific people rather than use a scattergun approach. Hackers will pretend to be business associates or other employees within a business to target specific employees with well-crafted scam emails. 

Business Email Compromise 

Business Email Compromise (BEC) attacks involve the hacker impersonating a corporate email address to look more convincing. Scam email addresses usually look very close to the address of a standard corporate email, and will target employees of that corporation. In some cases, BEC attacks use hacked corporate accounts to send scam emails from an official email account to do more damage. 

The results of email attacks vary in severity. Generally, these attacks all have one goal however – to get the victim to download something. This something could be adware used to spam the victim with ads, or it could be malware that steals business data from the inside. 

With attacks like spear phishing and BEC, malicious emails can be very hard to discern, no matter how savvy you are. Generally, hackers will put the most effort into the email attacks that cause a lot of damage. Because of this, it is important to adopt email security measures to minimise the risk of receiving these malicious emails to begin with. 

Protecting Against Email Attacks 

Email is the largest attack vector in a business. Basic spam filters put in a lot of work to hide the constant barrage of spam emails from the user. While the majority get blocked out, it is inevitable that some will slip through the cracks. When dealing with email security as a business, educating employees on email safety is usually the best practice. Even so, some cybersecurity work is required to make sure as little damage can be done as possible. Here are some techniques to consider: 

• Spam Filters – Anti-spam techniques can be implemented on email servers to filter out unsolicited emails. Third party email server providers often implement basic anti-spam which can be configured to suit your needs.  
• Secure Email Gateway – This is a feature used to monitor incoming email traffic. Monitoring emails can help identify common traits of unwanted emails. Secure email gateways can also be configured to filter out these unwanted emails, acting as an additional layer of anti-spam. 
• Antivirus Software – Malicious emails usually provide links to phishing websites or malware downloads. Antivirus software installed on computers stops users from downloading harmful software from these emails, and protects computers from harm. 
• Email Encryption – Email encryption solutions protect your information in the case an email gets stolen. Email encryption hides the contents of your emails under layers of encryption, which are then decrypted on the recipient’s end. This is done to make sure people can’t ‘wiretap’ email servers and snatch emails as they are sent off. 

About Securiwiser 

Securiwiser is a cybersecurity vulnerability assessment tool that can help you better understand your organisation’s cybersecurity. 

Securiwiser takes a look at many aspects of your cybersecurity profile, including email security. It will check for any security flaws and provide information on how to improve your defences. Alongside this, Securiwiser provides a scoring system that allows you to track improvements you make over time. 

Click here for a free cybersecurity report.