Cybercrime continues to rank as a top risk for businesses of all sizes in Asia and across the globe, costing organisations in ASEAN a whopping S$3.6 million (US$2.62 million) on average per breach, according to the IBM Security: Cost of a Data Breach Report.
In Singapore, online crime has continued to rise, which according to Singapore’s Cyber Security Agency (CSA), now accounts for almost a fifth of all crime in the city-state, a trend, which prompted the Singapore Government to allocate $1 billion in its 2020 budget to build up the country’s cyber and data security capabilities over the next three years.
But how can organisations defend against these costly and disruptive attacks? In today’s rapidly evolving environment, traditional email gateway solutions aren’t enough to keep businesses protected. Defending against today’s sophisticated email threats is no easy feat, as criminals continually bypass defences, often using backdoor techniques, including spoofing, social engineering, and fraud, to penetrate networks and wreak havoc.
As lockdown in Singapore and the rest of Asia continues, with more employees than ever before working from home, it’s never been more important to remain vigilant and informed of the threats that exist. People are your first-line of defence when it comes to staying protected, so we have put together a list of the top 13 email threats, to make sure that you and your employees don’t become easy prey for cybercriminals keen to exploit the current situation.
Unsolicited, high-volume messages generally of a commercial nature, which are sent without regard to the recipient’s identity.
Software specifically designed to cause damage to technical assets, disrupt operations, exfiltrate data, or otherwise gain access to a remote system. Malware is usually distributed through email attachments or URLs leading to malicious content.
3. Data Exfiltration
Attacks occur when data is copied or retrieved from a remote system without the owner’s consent, which can occur maliciously or accidentally.
4. URL Phishing
Email attempts to trick an end user into believing the message is from a trusted person or organisation to get them to take an action like disclosing credentials, wiring money, or logging into a legitimate account on an attacker’s behalf.
Cybercriminals use fraudulent schemes to defraud victims or steal their identity by tricking them into disclosing personal information. This can include fake job postings, investment opportunities, inheritance notifications, lottery prizes, and fund transfers.
6. Spear Phishing
Also known as ‘whaling’ and ‘laser phishing’, spear phishing is a highly personalised form of email phishing attack. Cybercriminals research their targets and craft carefully designed messages, often impersonating a trusted colleague, website, or business. These attacks typically try to steal sensitive information, such as login credentials or financial details, which is then used to commit fraud, identity theft, and other crimes.
7. Domain Impersonation
Domain impersonation is often used by hackers as part of a conversation-hijacking attack. Attackers attempt to impersonate a domain by using techniques such as typosquatting, replacing one or more letters in a legitimate email domain with a similar letter or adding a hard-to-notice letter to the legitimate email domain.
8. Brand Impersonation
Brand impersonation is designed to impersonate a company or a brand to trick their victims into responding and disclosing personal or otherwise sensitive information. This can include service impersonation, where cybercriminals impersonate a well-known company or commonly used business application, and brand hijacking, where an attacker appears to use a company’s domain to impersonate a company or one of its employees.
Scams, including sextortion, are increasing in frequency, becoming more sophisticated, and bypassing email gateways. Often cybercriminals leverage usernames and passwords stolen in data breaches, using the information to contact and try to trick victims into giving them money.
10. Business Email Compromise
Scammers impersonate an employee in the organisation in order to defraud the company, its employees, customers, or partners. Often attackers focus their efforts on employees with access to the company’s finances or personal information, tricking individuals into performing wire transfers or disclosing sensitive information.
11. Conversation Hijacking
Cybercriminals insert themselves into existing business conversations or initiate new conversations based on information they’ve gathered from compromised email accounts to steal money or personal information.
12. Lateral Phishing
Attackers use recently hijacked accounts to send phishing emails to unsuspecting recipients, such as close contacts in the company and partners at external organisations, to spread the attack more broadly. As these attacks come from a legitimate email account and appear to be from a trusted colleague or partner, they tend to have a high success rate.
13. Account Takeover
Account takeover is a form of identity theft and fraud, where a malicious third party successfully gains access to a user’s account credentials. Once the account is compromised, hackers monitor and track activity to learn how the company does business, the email signatures they use, and the way financial transactions are handled. This helps them launch successful attacks, including harvesting additional login credentials for other accounts.
So, what can you do to help protect your organisation against ever evolving and increasingly sophisticated email attacks? Firstly, having a good email gateway to filter inbound and outbound email messages for malicious content will be key, helping to detect malicious intent across your emails. But while this is a great start, no gateway solution is watertight, so having a good API-based inbox solution as a secondary defence, can help to significantly strengthen your security posture overall. In addition to this, making sure your team receives regular security awareness training and is aware of the latest threats. Continuous spear-phishing stimulation training will help them to minimise online behaviours which could leave your business vulnerable, while allowing them to recognise and report malicious content, as an additional line of defence.