Did you know that 95% of cybersecurity breaches are caused by human error? Insider attacks remain among the largest threats to organizations today. According to Cybersecurity Insiders, 68% of organizations feel moderately to extremely vulnerable to insider attack. That’s a pretty high number.
Does your SMB fall into this category? Have you given your team an extensive cybersecurity awareness training? Are you unsure if your company’s cybersecurity efforts hold a strong enough defense against today’s sneaky, malicious attacks?
Of course, your employees are doing the best they can to be diligent and practice cyber safety – but they are human after all and we make mistakes! So much is at risk when a business suffers from a cyber attack: company data, client data, confidential documents, financial loss, and of course, a massive hit to your reputation.
There are a few key ways to prevent a cyber disaster from striking and to stop hackers in their tracks. The first solution is implementing reliable, cutting-edge cyber security tools. The other equally important solution is education – for business owners and their teams to learn as much as possible about recognizing and avoiding these threats.
“Human error is the most widespread type of security incident, and the results of such incidents caused by human error generally cost the least to mitigate. Examples of human error are sending sensitive data to the wrong recipient, misconfiguring an environment, and using unsafe work practices. Detecting and remediating an incident caused by employee or contractor negligence costs an average of $310,000.
User training and awareness is a purely administrative activity that increases employees’ awareness of threats. Efficient user training helps to reduce the number of incidents caused by negligence and gives users enough knowledge to recognize and report threats.” – Ekran System
Ransomware attacks are becoming more sophisticated. Phishing has evolved. Malware continues to show no mercy. With all of these email threats stacked against SMBs today, it can feel daunting. You’re not alone!
Computers Nationwide is here to help shed some light on common email threats that companies encounter and how your business can dodge cyber attacks. The more we know about our enemies, the better prepared we can be…
Our partners at Barracuda Networks have published a series of helpful educational blogs specifically about this topic: 13 email threat types to know about right now
Email threat type #1: Email scamming. Email scamming is a type of spear-phishing attack designed to steal the identity of the victim or to trick them into disclosing personal information. Many of these scams include fake invoices, charities, and other schemes meant to lure the victim into sending money to the attacker.
Email threat type #2: URL phishing. A URL phishing attack is an attempt to obtain sensitive information such as usernames, passwords, and other details. In this type of attack, the criminal relies on a “phishing website” to capture these details. These attacks are successful when a victim follows a link to a website and provides whatever information is requested. Normally these links are disguised as password resets or identity confirmations for legitimate services. The website is also disguised so that the victim does not notice that it is a fake website.
Email threat type #3: Extortion. Extortion and sextortion attacks are increasing in frequency and sophistication. The criminal contacts potential victims by email and claims to have compromising video or information that will be released to the public if the victim does not pay to keep it quiet. As ‘proof’ that the criminal has access to this material, the email includes sensitive information that only the victim should know, such as passwords.
Email threat type #4: Lateral Phishing. A recent study revealed that 1 in 7 organizations has experienced a lateral phishing attack. In this type of attack, criminals use recently hijacked accounts to send phishing emails to the victims’ contacts. Lateral phishing tends to have a high success rate because the attacks come from a legitimate email account that is familiar to the victim. Lateral phishing is usually an internal attack, which means that email gateways will not detect this threat. An email security gateway can only stop an attack that passes through it.
Email threat type #5: Brand Impersonation. Brand impersonation is an attack that impersonates a company or brand to hide the malicious intent of an email. The idea behind it is that a recipient will respond and provide sensitive information on the assumption that the email is from a trusted sender.
Email threat type #6: Account Takeover. Account takeover, also known as an ATO or an account compromise attack, is a type of identity theft where criminals gain access to a legitimate user account in order to steal money or sensitive information. Hackers use a variety of tactics to gain access to the account: brand impersonation, social engineering, phishing, credential stuffing, and brute force hacking.
Email threat type #7: Conversation Hijacking. In its simplest form, this attack involves a criminal communicating with a potential victim while impersonating a trusted source. The recent attack on Norfund used multiple instances of this tactic. Once the attackers understood the patterns of Norfund’s communications with potential clients, they were able to impersonate both sides of a conversation. Norfund was receiving fake communications and documents from the client, and the client was receiving fake communications and instructions from Norfund.
Email threat type #8: Domain Impersonation. Domain impersonation, also known as typosquatting, is often used as part of a conversation hijacking attempt. Attackers target legitimate domains, such as Barracuda.com, by creating domains that appear similar. Such a domain might be accessed by a user typing the legitimate domain incorrectly, either with a misspelling or an incorrect top-level domain.
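The look-alike domains described above can be caught mechanically on the receiving side before a user ever has to spot the difference. The Python below is an added example, not code from the original post or from Barracuda: it flags a sender or link host that resembles a domain on a short trusted list. Barracuda.com comes from the text; example-bank.com, the confusable-character table and the sample hosts are constructed assumptions.

```python
# Added example (not the original post's or Barracuda's code): flags a domain that
# impersonates a trusted one (misspelling, swapped TLD, confusables, name in a subdomain).
import re

# Barracuda.com is named on the page; the bank domain is a constructed placeholder.
TRUSTED = ["barracuda.com", "example-bank.com"]
# Character sequences attackers swap for look-alikes (constructed, not exhaustive).
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}
def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming table)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def unconfuse(label: str) -> str:
    """Map confusable sequences back to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def split_domain(host: str):
    """(subdomains, second-level label, tld); assumes a one-label TLD such as .com."""
    labels = host.lower().strip(".").split(".")
    return (".".join(labels[:-2]), labels[-2], labels[-1]) if len(labels) > 1 else ("", labels[0], "")

def lookalike_reason(host: str, trusted=TRUSTED):
    """Return why host resembles a trusted domain, or None if it is unrelated or genuine."""
    host = host.lower().strip(".")
    if any(host == t or host.endswith("." + t) for t in trusted):
        return None  # the genuine domain or one of its own subdomains
    sub, sld, tld = split_domain(host)
    for t in trusted:
        _, t_sld, t_tld = split_domain(t)
        if re.search(r"(^|\.)" + re.escape(t) + r"(\.|$)", sub):
            return f"trusted name '{t}' used as a subdomain of {sld}.{tld}"
        if sld == t_sld and tld != t_tld:
            return f"wrong top-level domain for {t} (.{tld} instead of .{t_tld})"
        if sld != t_sld and unconfuse(sld) == t_sld:
            return f"confusable characters imitating {t}"
        if levenshtein(sld, t_sld) <= 1 + (len(t_sld) > 8):  # looser for long names
            return f"misspelling of {t}"
    return None

# Constructed hosts, as they might appear in a sender address or link.
for h in ("support.barracuda.com", "barracuda.net", "exarnple-bank.com", "barracuda.com.verify-now.net"):
    print(h, "->", lookalike_reason(h))
```

Multi-label public suffixes such as .co.uk are not handled by split_domain; a production check would use a public-suffix list for that step.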
Email threat type #9: Spear Phishing. Spear phishing is one of the most common attacks today. This personalized email attack targets anyone who has access to sensitive information or the ability to send payments, and no company is too small or too large to be a victim. Many people think of phishing and spear phishing as the same thing. To be clear, phishing involves sending a generic email message to as many recipients as possible. Spear phishing is a much more personalized attack and normally has a greater payoff if it succeeds.
Email threat type #10: Business Email Compromise. Business email compromise (BEC) has been one of the most damaging email threats in the past few years. Put simply, a BEC attack is an attempt to trick a company or individual into sending money to the criminal. This is done by assuming the identity of a trusted source and crafting an email message with an invoice or other payment request.
Email threat type #11: Data Exfiltration. Data exfiltration, sometimes referred to as data theft, is the unauthorized transfer of data from your computer, network, or other devices. The stolen data is transferred from the victim to a control server or some other device that is controlled by the attacker. This data is often sold on the dark web and used by other criminals for spear phishing, identity theft, and other advanced threats.
Email threat type #12: Malware. Email attacks often come in the form of a harmless-looking email with malware attached as a .zip file or embedded in an email attachment. This malware could install ransomware, spyware, and other damaging programs. Malware is short for ‘malicious software’ and is a general term for many different types of threats to a computer system or network. Viruses, spyware, rootkits, keyloggers, and exploits are all examples of malware.
Email threat type #13: Spam. Spam is unsolicited bulk email messages, also known as junk email. Spammers typically send an email to millions of addresses, with the expectation that only a small number of recipients will respond to the message. Spammers gather email addresses from a variety of sources, including using software to harvest them from address books. The collected email addresses are often also sold to other spammers.