Email phishing is a popular way hackers can attack organizations. With thousands of emails sent virtually for free, email attacks can be automated to a large degree.
Email attacks can also prove very effective: they account for around 80% of all hacking attempts. They work through social engineering, getting people to make mistakes.
Hackers know that emails can bypass firewalls or other technical controls. Many companies now invest in email security systems to scan emails and attachments for malware and links that lead to malicious websites.
These systems are not perfect, and a well-written email can pass through them. It doesn’t suffice to tell people not to click on suspicious links in email. To educate users more effectively, the attacks themselves need to be explained.
The Taxonomy of Email Attacks
A vocabulary has been developed to describe the different types of email attacks.
Here are some common definitions.
Business Email Compromise (BEC)
BEC is a general term that refers to the misuse of business email to scam victims. These emails may contain no malware and no links to malicious sites. They appear to be genuine and are intended to get the recipient to take action, usually urgently.
These emails are often sent from compromised email accounts so that they appear to come from an insider. They may be sent to accounts payable asking them to pay an unpaid invoice or to refund an angry customer; they can also be used to change a bank routing number or account holder, or to reroute an order. The email is tailored to the recipient’s situation and uses the appropriate terminology, names, and references. It often conveys an executive’s frustration and the threat of a lawsuit.
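As an added illustration (not code from the original article), the following Python scores a message against the BEC indicators described above: urgency, a payment or refund request, a change to banking details, and a threat of a lawsuit. The sample messages, regular expressions and weights are constructed assumptions for demonstration only.

```python
import email
import re
from email import policy

# Constructed sample messages (not from the article) showing the BEC traits
# it describes: no link or attachment, an insider-looking sender, urgency,
# a payment or banking-detail request, and a legal threat.
SAMPLE_BEC = """\
From: CFO <cfo@example.com>
To: ap@example.com
Subject: URGENT: overdue invoice - pay today

Please wire the unpaid invoice immediately using the new routing number
below. The vendor is threatening a lawsuit if this is not settled by 5pm.
"""

SAMPLE_BENIGN = """\
From: Dana <dana@example.com>
To: ap@example.com
Subject: Lunch next week?

Are you free Tuesday? The new place on Main Street opened.
"""

# Each rule is (label, regex, weight); the weights are hypothetical tuning
# values chosen so that a single weak indicator does not flag a message.
RULES = [
    ("urgency", re.compile(r"\b(urgent|immediately|today|asap|by 5 ?pm)\b", re.I), 1),
    ("payment", re.compile(r"\b(invoice|wire|refund|payment|pay)\b", re.I), 2),
    ("banking_change", re.compile(r"\b(routing number|account holder|bank details)\b", re.I), 3),
    ("legal_threat", re.compile(r"\b(lawsuit|legal action)\b", re.I), 2),
]

FLAG_THRESHOLD = 5  # hypothetical: review when the weighted score reaches this


def score_bec(raw: str) -> dict:
    """Parse an RFC 822 message and score its subject and plain-text body
    against the BEC indicators; returns the score, the labels hit and a flag."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    hits = [label for label, rx, _ in RULES if rx.search(text)]
    score = sum(w for label, _, w in RULES if label in hits)
    return {"score": score, "indicators": hits, "flag": score >= FLAG_THRESHOLD}
```

Because a genuine BEC message often comes from a compromised account, the sender address alone is not a reliable signal; content indicators like these are one layer of triage alongside payment-verification procedures.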
Phishing
This term is reserved for broad-based email attacks in which attackers send thousands of messages at once. An attacker may steal or purchase lists of email addresses and use scripts to automate sending the phishing emails.
Attackers know that only one in a thousand recipients will open the email, and even fewer will click on the link. This is a numbers game.
If they send 100,000 emails, they may get 100 responses. Recent research has shown that attackers may intentionally include misspellings, poor grammar, and other defects in phishing email to deter more sophisticated recipients, who would otherwise respond, take up the attacker’s time, and then back out. Instead, attackers seek out careless and naive victims.
Spear Phishing
This is a phishing email designed for a specific recipient rather than sent in bulk.
Attackers use information about the victim to establish credibility. To obtain this information, they may search the victim’s social media pages for references to schools, groups or associations. They may also be able to find the names and contact information of senior executives within an organisation.
Spear-phishing emails target emotions such as fear, greed, or fun. Sometimes, it can even be pity.
An email may try to exploit fear by telling the victim they are in trouble with the law or that they are responsible for a large debt. Spear phishing attacks might use a known hobby to offer discounts or appeal to the victim’s sense of fun. They might flatter the victim by asking them to review a document on a topic that interests them.
Spear phishing also uses greed and deceit, promising victims a large (or small) payoff. People are suspicious of the “Nigerian Prince” fraud, which promises millions in cash, and won’t reply. But would they accept a $5 Starbucks gift card offer?
Finally, victims often feel compelled to give to fake charities out of pity.