Some of the most dangerous types of email attacks are phishing, waterholing, and Business Email Compromise. Read on to learn how to defend against them.
Some of the most prevalent—and dangerous—forms of cybercrime involve an essential technology to businesses: email. Cybercriminals glean personal information through targeted types of socially engineered email attacks to steal from protected accounts, hold data hostage, or commit complicated fraud schemes.
Per Verizon’s 2022 Data Breach Investigations Report, 82% of breaches involved a human element last year, and 28% involved attacks on email servers specifically.
These figures are part of a troubling pattern. Per Verizon, social engineering comprised 25% of attack patterns in 2016. Since then, social engineering has been on an upward trajectory. Unfortunately, it’ll likely worsen, and businesses need to safeguard email channels.
In this article, we’ll focus on email attacks across four primary attack vectors:
- Phishing, one of the most common types of email attacks
- Spear phishing and whaling, leveraging or targeting high-profile executives
- Watering hole and pharming, operating in tangent to email attacks
- Business Email Compromise, potentially the most dangerous type of attack
The key to defending against all four is securing all users and assets across email environment(s).
Most cyberattacks that involve the human element fall under the umbrella category of social engineering. Unlike hacking or brute-force attacks, these schemes use deception to make people comply with requests and surrender personal information. The most basic version of these attacks is phishing.
Phishing attacks comprise fraudulent messages enticing recipients to click on a link or download content onto their devices. The messages appear to come from legitimate sources, and the call to actions (CTAs) can install malware on the victim’s computer.
Other forms of phishing include:
- Angler Phishing: Attackers may choose to victimize your personnel via social media in “angler phishing” schemes. These typically do not involve email directly; instead, the attackers use direct messaging functionality on social media platforms such as Twitter.
- Vishing: Fraudulent phone calls in which the attacker solicits personal information—such as credit card information—often by posing as a representative of a bank, the IRS, etc.
- Smishing: Fraudulent SMS (text) messages in which attackers solicit data like user login credentials or other sensitive information, often by posing as a professional connection.
In many cases, these attacks are one phase within a broader, multi-leveled social engineering scheme. For example, attackers may solicit personal information from a vishing or smishing attack, then use that information in a spear phishing email attack.
Spear Phishing and Whaling
On another level are the more sinister, targeted phishing scams that feed on precision and trust rather than unlikely user errors. These attacks are sent out at a lower volume, with greater attention to detail exercised by the attackers. As a result, they look more believable than basic phishing attempts. And they hit only select inboxes, often with few (if any) easy indicators.
In particular, there are two main kinds of targeted phishing to watch out for:
- Spear Phishing – Emails sent to specific individuals within an organization with details designed to gain trust, such as information only an actual acquaintance would know. The email’s CTA may also be cleverly disguised, coaxing out information insidiously.
- Whaling – Spear phishing targeted directly at “big” targets within an organization, like department heads or c-suite executives. Stolen login credentials provide greater access to higher-sensitivity data, so even a single conversion can be devastating to the company.
Whaling is closely related to Business Email Compromise (BEC), which we’ll cover below. However, targeted phishing schemes are likely the most dangerous variety of business email attacks outside BEC proper.
Preventing them requires staff-wide diligence.
Watering Hole and Pharming Attacks
The next variety of email attacks focuses less on the email itself as an attack vector, although attackers may still harvest information from intercepted or stolen emails. Instead, these attacks revolve around cybercriminals learning which sites personnel visit often, whether for work purposes or personal ones. Once they have this information, the attack moves forward.
Both watering hole attacks and pharming trick victims into using corrupted sites that seem normal:
- In a watering hole attack, cybercriminals will attack the actual site your staff visit. They find vulnerabilities in the site’s code and insert malware, then wait for victims to visit the site as usual and divulge sensitive information. Prime targets are small, private websites used for proprietary messaging, payroll, or other work purposes.
- In a pharming scheme, similar tactics are used to learn about the sites employees frequently visit, but attackers create spoofed sites masquerading as the originals. Like phishing, these spoofs may be low-effort, with easy tells like graphic design or URL flaws.
The way attackers lure victims onto the site may also leverage email. For example, these attacks may be paired with a phishing scheme, where a link embedded in an email goes to a corrupted site.
Business Email Compromise (BEC)
The most dangerous email attack your company can experience is Business Email Compromise (BEC). BEC is a reversal of the “whaling” attack outlined above. However, rather than targeting big fish targets such as the CEO, a BEC attack involves attackers impersonating those high-level stakeholders to target other employees throughout the company.
According to the FBI’s tactical guide on BEC, there are four main stages in the attack timeline:
- Identification – Cybercriminals create profiles of organizations they hope to target, including specific individuals and weak points in lines of communication between them.
- Grooming – Initial emails are sent to eventual targets, planting the seeds of deception by convincing victims that they are talking to actual executives or other key stakeholders.
- Exchange – Once attackers establish trust, victims are then given instructions for providing sensitive information or transferring funds into the attackers' accounts.
- Transfer – Upon receipt in an account controlled by the hackers, the funds or pieces of information are siphoned out to their nefarious ends. In some cases, the grooming process continues.
A common misconception about BEC is that attackers can only impersonate the CEO for the attack to be successful. Although these are among the most common instances, attackers can also take on personas such as lawyers, vendors, or third parties.
The best way to defend against BEC attacks is to integrate a full-service security architecture that accounts for all email and messaging platforms. For more information and best practices for preventing and mitigating BEC attacks, consult our Definitive Guide to BEC.
Partner With Armorblox to Defend Against Email Attacks
Businesses depend on secure email for streamlined internal and external communication. Unfortunately, a single email attack – such as BEC – can do irreparable damage to your company, and defending against them can drain valuable resources. Armorblox provides email security solutions to safeguard your email communication channels and cloud office inbox, with seamless integration across all environments via API.