Email: Today’s No. 1 Cyberthreat Vector

The greatest cyberthreat to your organization’s IT infrastructure is lurking in your email inbox or your employees’ email inboxes.

Even as other methods of communication have grown, email continues to see strong use, not just as an interpersonal communication tool, but as a business tool as well.

Number of Worldwide Email Users

Radicati and Statista estimated that in 2017, the number of worldwide email users reached 3.7 billion – half of the world’s population. This number is set to grow to 4.1 billion users in 2021, according to the two organizations.

Radicati, in particular, estimated that in 2017, the total number of consumer and business emails received and sent each day reached 269 billion.

According to Proofpoint, 91% of targeted cyberattacks start with email.

Phishing Attacks

One of the ways cyberattackers abuse email is through a process called “phishing”. In phishing, the malicious email is disguised as a routine notification, such as an invoice or receipt. The email includes an attachment, typically a JavaScript file or an Office file containing a malicious macro. Once the attachment is opened, it executes a PowerShell script to download malicious software (malware).

The malware downloaded through a phishing email is often ransomware – a type of malware that restricts computer access until a ransom is paid.

“Locky” is an example of ransomware that spreads via phishing email. A malicious document is attached to the phishing email. Once the document is opened, it executes a PowerShell script to download the Locky ransomware. Locky encrypts files on the victim’s computer and demands a ransom, specifically asking for Bitcoin as the mode of payment.

Phishing emails aren’t personalized emails. They’re sent randomly to masses of people at the same time. AppRiver reported that on August 28, 2017, over 23 million phishing emails were sent to random people – mostly workers returning to work on Monday. The subject lines of these phishing emails were purposely made vague, including “please print”, “documents”, “scans”, “photo”, “pictures” and “images”. Each email came with an attachment that, once clicked, started a downloader that fetched the Locky ransomware.

Some phishing emails don’t contain attachments. Instead of an attachment, the attacker provides a link in the email. Once the victim clicks on the link, malware is downloaded, giving the cyberattackers free access to the victim’s computer, including financial account information or passwords.

Phishing emails capitalize on human weakness – the weakness to click on links or attachments. According to Proofpoint, 23% of people will always click on a link, making humans the weakest link in an organization’s cybersecurity chain.

Released in 2000, the oldest phishing email, which contained the malware called “ILOVEYOU”, came with the subject line “ILOVEYOU”. The body of the email read “kindly check the attached LOVELETTER coming from me.”

Out of the universal need to be loved, millions of people clicked on the “LOVELETTER” attachment, enabling the download of the ILOVEYOU malware, which overwrites all files on the victim’s computer and then sends an identical email to all the contacts found in the victim’s Outlook address book.

According to Symantec, malware-laden phishing emails increased significantly in 2016, from 1 in 220 emails sent containing malware in 2015 to 1 in 131 emails in 2016.

Spear-Phishing Attacks

Unlike phishing emails, which are sent to a large number of random people, spear-phishing emails are personalized and sent specifically to certain individuals. An example of a spear-phishing email is the Business Email Compromise (BEC) scam, also known as “CEO Fraud”. In BEC, scammers send the organization’s financial staff a bogus email purporting to be from the CEO or a senior management official. The scammers then ask the financial staff to make a large money transfer.

According to the U.S. Federal Bureau of Investigation (FBI), BEC scams target not just large businesses but small and medium businesses as well. The FBI reported that between January 2015 and December 2016, BEC scams increased by 2,370% and have been reported in 131 countries.

Between October 2013 and December 2016, the FBI said, businesses worldwide lost over US$5.3 billion. In May 2016, an Austrian aerospace company fired its CEO after the company lost nearly US$50 million to BEC scammers.

Many BEC victims have reported being a victim of ransomware prior to the BEC incident. The plausible explanation for this is that the victim may have received a spear-phishing email, clicked on a link in it and downloaded malware, giving the BEC scammers access to the victim’s computer, specifically passwords or financial account information.

“Ransomware has been drawing much of the attention in the security world lately. However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC,” Cisco said in its 2017 Midyear Cybersecurity Report.

Preventive Measures

According to Proofpoint, less than 1% of email-based cyberattacks are caught by traditional security solutions like antivirus. Ninety-five percent of malware-laden phishing emails are missed by gateway antivirus solutions, Proofpoint said.

Here are some best practices to prevent email-borne cyberthreats:

  • Use an email security protection solution that blocks email-borne threats.
  • Delete any suspicious-looking emails, especially if they contain attachments or links.
  • Open a Microsoft Office email attachment that asks you to enable macros to view its content only when you have no doubt that the email is from a trusted source. If you’re unsure, immediately delete the email.
  • Keep your anti-virus software, operating system and other software up-to-date. Software updates fix newly discovered security vulnerabilities that are exploited by cyberattackers.
  • Be extremely wary of emails that ask for a specific action, such as a transfer of money, that deviates from the normal procedures of your organization.
  • Instead of clicking on the Reply button, draft an email reply using the corporate address book. This pushes the scammer out of the reply thread.
  • Never click on the links provided in an email, unless you’re absolutely sure they’re genuine links. To make sure that you’re connecting to a legitimate site, type the site’s URL directly into the address bar.
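
The indicators described in this article (the vague subject lines, script or macro-capable attachments, and a reply address that differs from the apparent sender) can be checked automatically before a message reaches a user. The following triage sketch is an added example, not part of the original article; it uses Python's standard email library, and the extension list, addresses and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Subject lines the article quotes for the August 28, 2017 campaign.
VAGUE_SUBJECTS = {"please print", "documents", "scans", "photo", "pictures", "images"}
# Assumed list: script files and Office formats that can carry macros.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".docm", ".xlsm", ".pptm", ".doc", ".xls"}

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    if str(msg["Subject"] or "").strip().lower() in VAGUE_SUBJECTS:
        findings.append("vague-subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name.lower()).suffix in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{name}")
    # A Reply-To on another domain silently redirects the answer; replying
    # from the corporate address book, as advised above, defeats it.
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")
    return findings

def sample_mass_phish():
    """Constructed sample: vague subject plus a script attachment (inert bytes)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "scanner@example.net", "staff@example.com", "Scans"
    m.set_content("See attached.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="scan_0828.js")
    return m.as_string()

# Constructed sample: a "CEO" request whose replies go to a different domain.
SAMPLE_BEC = ("From: Chief Executive <ceo@example.com>\n"
              "Reply-To: ceo@example-mail.test\n"
              "Subject: Urgent transfer\n\nPlease process today.\n")

if __name__ == "__main__":
    print(triage(sample_mass_phish()))
    print(triage(SAMPLE_BEC))
```

A message with none of these indicators returns an empty list, so the output can feed a quarantine or banner rule directly.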

At GenX, we offer the following email services: migrating company e-mail systems to cloud-based services for reduced company server load, and moving company mailbox systems to newer, more efficient and safer platforms such as Office 365.
