March 20, 2018
Email is the preferred means of business communication for 86% of professionals, according to HubSpot research. The average office worker receives 121 emails a day and sends around 40 business emails, and 269 billion emails are sent every day by just over 3.7 billion email users around the world, according to a 2017 study by Radicati Group. Unfortunately, email-based cyber attacks are skyrocketing too.
According to the Internet Security Threat Report 2017, there’s been a resurgence of malicious email as a favored attack method for cyber criminals. The report showed that 1 in 131 emails sent was malicious, the highest rate in 5 years.
While every workplace device should have up-to-date IT safeguards including spam and virus filters, firewalls, and other endpoint security, security awareness training is also critical so that employees know how to identify suspect email and avoid becoming a victim.
Disguising malicious attachments as fake invoices is the most favored type of phishing lure, according to Symantec’s 2017 Internet Security Threat Report. In phishing, criminals send a legitimate-looking email asking the receiver to click a link or download an attachment. One in every 4 major malware spam campaigns used this approach in 2016. Tell-tale signs of a phishing scam include unrealistic threats, poor spelling and grammar, and requests for personal information.
Malicious Email Attachments
Emails can include dangerous attachments that, when opened, install keylogger software, ransomware, and other malware. According to Verizon’s 2017 Data Breach Investigations Report, 66% of malware was installed via malicious email attachments in 2016.
Email spoofing is when headers are forged so the email looks like it came from a recognized person or place. This tactic is often used in phishing and spam campaigns. Often the address or domain is misspelled by one letter – for example, email@example.com instead of firstname.lastname@example.org.
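The one-letter misspelling described above can be checked mechanically. The following is an added example, not part of the original article: it flags a From domain that is one character away from a trusted domain and, going slightly beyond the text, a Reply-To that points at a different domain. The trusted-domain list, function names, and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation normally receives mail from (constructed).
TRUSTED_DOMAINS = {"corp.example", "supplier.example"}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_domain(msg, header):
    """Lower-cased domain of the address in a header, or '' if absent."""
    address = parseaddr(msg.get(header, ""))[1]
    return address.rpartition("@")[2].lower()

def spoofing_signs(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    findings = []
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(from_domain, trusted) == 1:
                findings.append(f"lookalike-domain:{from_domain}~{trusted}")
    # Replies routed to a different domain are a signal, not proof:
    # mailing lists and ticketing systems do this legitimately.
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch:{reply_domain}")
    return findings

# Constructed sample messages (not real mail).
LOOKALIKE = "From: Accounts <billing@c0rp.example>\nSubject: Invoice\n\nSee attached.\n"
REDIRECTED = ("From: IT Helpdesk <it@corp.example>\n"
              "Reply-To: helpdesk@mailbox.invalid\nSubject: Password reset\n\nHi.\n")
CLEAN = "From: colleague@corp.example\nSubject: Lunch\n\nNoon?\n"

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("redirected", REDIRECTED), ("clean", CLEAN)]:
        print(name, spoofing_signs(raw))
```

A From header forged with the exact trusted domain passes both checks; that case is what SPF, DKIM, and DMARC validation at the receiving mail server is for.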
Cyber criminals often do extensive research on social media websites, for example, to collect personal information they can use to make emails appear legitimate. In an attack, the criminal pretends to be a trusted colleague (from IT, for example, or an outside contractor) and tries to deceive the victim into sharing IDs, passwords, and sensitive information or performing a fraudulent transaction. ZDNet reported that almost 25% of users will click a malicious link if they think the email is from a friend.
Ransomware, which is most commonly delivered via email, encrypts a victim’s data and demands a fee to restore it. According to CNBC, ransomware spiked 6,000% in 2016, and most victims paid the ransom in an attempt to recover their data. Malicious emails disguised as routine correspondence (invoices or delivery notifications) or spam were the favored means of spreading ransomware. To avoid becoming a victim and easily recover from an attack, back up critical data regularly.
Embedding secure processes into the workplace will help to emphasize the importance of security too. For example, partner with a document destruction company so all confidential information is securely destroyed when no longer needed.