10 Apr Cyber security trends for 2020: Email still the most common attack vector
Email based threats have been a part of the cyber security landscape for a long time, and they will remain a part of that landscape for the foreseeable future. From Q2 to Q3 of 2019, incidents of phishing and scam emails reported in New Zealand rose by 27%, according to CERT-NZ. Cyber criminals know that lack of user awareness is a common exploitable weakness in most NZ small to medium enterprises, so understanding this cyber threat, and how to combat it, are vital for NZ business owners. This blog will give you a valuable overview of the cyber attacks that use email as an attack vector.
Using fear to create uncertainty
Before we look at specific types of email threats, it’s important to point out that email threats are generally designed to follow certain patterns to improve the chances of fooling the recipient. A criminal actor knows that they are more likely to get the response they want from their deception by having the following elements in their attack:
1. Fear – using content to play off the fears of the recipient. If you can trigger a sense of fear (e.g. “You are being watched,” “Please report your coronavirus status,” “You’re being sued for tax fraud.”), you can take advantage of the primal human response of fight or flight. A little adrenaline can sometimes lead to a poor decision.
2. Urgency – coupling fear with a sense of urgency is very typical in email attacks. By playing on fear, and then giving recipients a very short time frame to respond or make a decision, hackers have great chances of duping recipients into poor decisions. (E.g. “You have 24 hours,” “You will be reported today.”)
3. Isolation – the final piece of the puzzle is to put the recipient in a position where they cannot easily seek outside help. Often the use of a threat is the most common way to do this, e.g. “If you do not keep this quiet we will target your family next.”
An effective email attack in the past 12 months has been a phishing email advising the recipient that they have been recorded viewing pornography on their device, and that they will have to pay a sum of money to prevent the hacker from sending the videos to their friends, family and contacts. The attack was given an additional sense of legitimacy by showing a known password of the recipient in the email – clearly the originator of the attack was leveraging a database of known good passwords to get the recipients’ attention, then used extortionate practices to get some quick cash, rather than go through the actual technical effort of gaining access to laptops and phones, and recording dubious videos of the user… but your average recipient doesn’t know that. Instead, they’ve been hooked by the three elements we discussed:
- Fear that their device has been compromised, their password recorded, and embarrassing private activities have been recorded.
- Urgency as the email gave the recipient “24 hours” to respond.
- Isolation due to the sensitive nature of the allegations being a difficult topic for most people to mention or admit to others who could help.
Note that these are subjective observations only, but they generally align with elements of coercion and extortion in a legal sense. Most email based threats utilise these elements to good effect – let’s look at the most common forms of email attacks.
It’s embarrassing to have to mention these, but they are part of the continuum of threats, and they still catch victims. Scam emails are a type of phishing email attempting to dupe users into unwitting transactions. For example, the clichéd emails advising that your great aunt has passed away and left her $10,000,000 fortune to you. These scams try to persuade recipients of their claim, and to gain a smaller sum of money from the recipient (compared to the promised amount) as a ‘bond’ to secure the promised transaction (which never happens). They fall into a category of their own because they are generally targeted at individuals and only seek financial gain.
Phishing emails are characterised by their generality; they are not targeted at a specific person, rather they are written and constructed to appeal to, potentially, anyone. They aim to dupe recipients into a certain action. That action might be entering usernames and passwords into a fake website (called ‘credential harvesting’), clicking a link to a malicious website, or downloading and executing malicious software to attempt to get unauthorised access into a business network. Phishing is a numbers game for cyber criminals – the more emails they send out, the more likely they are to find someone who gets tricked into taking the action.
One example that we see regularly is a simple message advising the user that their email mailbox is full and that they will not receive any further emails unless they click on a fake link and enter their credentials in the website that opens. It’s a simple concept that most recipients will be unsure about, and is used to quietly harvest credentials from victims.
Spear phishing is more targeted than phishing (hence the name). This strategy utilises publicly accessible personal information to make the phishing email more acceptable to the recipient, or at least to make the scam harder to detect than it would be in a general phishing email. As an example, consider the fact that most professionals put their occupational details on LinkedIn. A cyber criminal can quickly match a known good email address to a LinkedIn profile. They can then address an email to the recipient by their first name and reference, say, their position in the business to feign prior knowledge of the person targeted. From there, the goal is the same – to get recipients to perform some action. It will depend on the hacker’s objectives, but that will be either to secure some sort of payment for a fake invoice, credential harvesting, or executing malicious software attachments.
As the name suggests, whaling is basically spear phishing aimed at the big targets in a business – CEOs, CFOs, account managers, and the like. Anyone with some authority is a potential victim, and the objective is almost always large financial pay-outs. This approach requires more work from the criminal’s perspective; gathering intel, selecting their targets, social engineering, and timing their attack accordingly.
We saw a business recently getting targeted for a USD$250,000 payment. The hacker posed (with an external email address) as the CEO, asking the accounts controller to put the sum through to an overseas bank account, “urgently.” The accounts controller jumped to action immediately, believing they had received legitimate instructions from their CEO. What saved this company from a huge financial loss was the limits they had put on their bank accounts. The amount requested was so far over their imposed limit that it required direct authorisation from the CEO. When the CEO was called by the accounts controller to authorise the transaction, the ruse was discovered. That’s a very near miss though!
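The pressure cues described earlier (fear, urgency, isolation) and the whaling case just above share a detectable shape: emotive pressure words, a payment request, and a display name that claims to be an executive while the actual address sits outside the organisation. The script below is an added example, not code from the original post or its author, showing a simple mail-triage heuristic a defender could run on inbound messages. The organisation domain, the executive list, the cue phrases and all three sample messages are constructed for illustration.

```python
# Added example (not from the original post): heuristic triage of inbound mail for
# the pressure cues (fear, urgency, isolation) and executive display-name
# impersonation from an external domain. All names, domains and messages below
# are constructed for illustration.
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation settings: the internal domain and known executives
# (display name -> their real internal address).
INTERNAL_DOMAIN = "example.co.nz"
EXECUTIVES = {"jane smith": "jane.smith@example.co.nz"}

# Short phrase lists standing in for the three pressure elements plus payment
# language. A production filter would use far richer lists or a trained model.
FEAR_CUES = ["you are being watched", "reported", "sued", "recorded", "compromised"]
URGENCY_CUES = ["24 hours", "urgent", "urgently", "immediately", "today"]
ISOLATION_CUES = ["keep this quiet", "do not tell", "tell no one", "confidential"]
PAYMENT_CUES = ["wire", "bank account", "transfer", "payment", "invoice"]


def score_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the cues found plus a risk score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()

    findings = {
        "fear": [c for c in FEAR_CUES if c in text],
        "urgency": [c for c in URGENCY_CUES if c in text],
        "isolation": [c for c in ISOLATION_CUES if c in text],
        "payment": [c for c in PAYMENT_CUES if c in text],
        "exec_impersonation": False,
    }

    # Display name matches a known executive, but the sending address is not
    # that executive's address or is outside the internal domain.
    name_key = display_name.strip().lower()
    if name_key in EXECUTIVES and (
        addr.lower() != EXECUTIVES[name_key] or domain != INTERNAL_DOMAIN
    ):
        findings["exec_impersonation"] = True

    # One point per pressure/payment category present; impersonation of an
    # executive is the strongest single signal for the whaling case.
    score = sum(1 for k in ("fear", "urgency", "isolation", "payment") if findings[k])
    if findings["exec_impersonation"]:
        score += 3
    findings["score"] = score
    return findings


def triage(raw: bytes) -> str:
    """Return a handling decision: hold the message for out-of-band verification
    (e.g. phone the purported sender) or deliver it normally."""
    f = score_message(raw)
    if f["exec_impersonation"] or f["score"] >= 3:
        return "hold for verification"
    return "deliver"


# Constructed sample messages (not real mail).
WHALING_SAMPLE = b"""From: Jane Smith <jane.smith@webmail-provider.example>
To: accounts@example.co.nz
Subject: Urgent payment
Content-Type: text/plain; charset="utf-8"

Hi, I need you to put USD 250,000 through to this overseas bank account today.
Keep this quiet until I call you.
"""

SEXTORTION_SAMPLE = b"""From: anon <anon@mail.example>
To: someone@example.co.nz
Subject: Your password is <old password>
Content-Type: text/plain; charset="utf-8"

You are being watched. Your device was compromised and you were recorded.
You have 24 hours to pay or we will send the video to your contacts.
Do not tell anyone.
"""

BENIGN_SAMPLE = b"""From: Bob Jones <bob.jones@example.co.nz>
To: accounts@example.co.nz
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Shall we grab lunch on Friday? No rush.
"""

if __name__ == "__main__":
    for label, sample in [("whaling", WHALING_SAMPLE),
                          ("sextortion", SEXTORTION_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, triage(sample), score_message(sample))
```

The decision the script produces for the whaling sample is the same one the bank limit forced in the story: stop and verify with the real executive through a channel the sender does not control. Keyword lists like these are easy to evade and will produce false positives on ordinary business mail, so they belong in a triage queue feeding human review, not in an automatic block rule.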
So, that’s an overview of how small and medium enterprises in New Zealand are going to be targeted in terms of cyber attacks in 2020. Keep an eye out for my next blog, where we will discuss methodologies to mitigate these threats and help keep your business safe from cyber crime. To help protect your business in 2020, we’ve designed a simple, secure, online cyber check-up. It’s a 5-minute questionnaire; if you fill it in, we will send you a summary report to give you a good idea of how to improve your cyber security position in 2020.
Take our FREE cyber risk check up now.