In its latest quarterly report, Agari Cyber Intelligence Division (ACID) substantiated how business email compromise, consumer-targeted brand impersonation scams, and other advanced email threats continue to mutate. The report detailed how cyber criminals switch up tactics to throw targets off-guard and retrofit tried-and-true tactics in inventive new ways.
The 4 Types of Email-Based Attacks
Another name for email-based attacks is phishing, i.e. a fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising oneself as a trustworthy entity.
According to ACID, phishing attacks fall into 4 categories: emails that impersonate a brand (accounting for 42% of all attacks); emails that impersonate an individual (22%), emails that mimic a well-known domain (22%), and emails from accounts that have been compromised (14%).
- Brand impersonations. These are emails where the cybercriminal pretends to represent a well-known brand, e.g. an email from “Chase Support <firstname.lastname@example.org>” with the subject line “Account Disabled”. Brand impersonations have long been a favored tactic of cybercriminals, although their share of all phishing attacks has fallen from 54% to 44% in the last year.
- Individual impersonations. These are emails where the cybercriminal pretends to represent a person, e.g. an email from Patrick Peterson <email@example.com> with the subject line “Follow up on Invoice Payment”. This is by far the fastest-growing type of phishing attack, growing from 8% to 22% in the past year.
- Look-alike domain. These are emails where the cybercriminal mimics a well-known domain, e.g. an email purporting to be from LinkedIn, using an email like <firstname.lastname@example.org> with the subject line “Diana has endorsed you!”. It appears this tactic is falling out of fashion, dropping from 35% of all phishing attacks to 22% in the past year.
- Compromised account. These emails are the least frequent but the easiest to fall for, because they involve a cybercriminal sending something from an email account you recognize. First, the cybercriminal breaks into the email account of someone known to you. Then, the cybercriminal sends you an email from that person’s account.
The 3 Ways Fraudsters Try to Steal Your Money
Cybercriminals want to steal 1 of 2 things from you. One is sensitive information, such as a Social Security number, that they can use to impersonate you. The other is a cash-out, which can come in 3 forms: gift card (accounting for 56% of cash-outs), payroll diversion (25%), and direct transfer (19%).
- Gift card. Gift cards are the preferred method of stealing your money because they are more anonymous and less-easily reversed than other methods, according to ACID. Although gift cards account for a majority of all cash-outs, their share dropped from 65% to 56% in the last quarter.
- Payroll diversion. This is a tactic in which the cybercriminal uses phishing to steal your business email login credentials, then changes and redirects your direct deposit information to their own bank account. The FBI warned about the growing use of this tactic in 2018, and ACID has confirmed the tactic is on the rise.
- Direct transfer. This is another type of tactic that targets business email accounts, whereby the cybercriminal impersonates a company executive or business contact and requests that you wire money to an account under the cybercriminal’s control. According to ACID, direct transfer and payroll diversion scams have collectively risen nearly 10% in the past quarter.
5 Tips to Protect Yourself
This is all pretty scary stuff, but the good news is there are many things you can do to protect yourself from email-based attacks and becoming a victim of identity theft.
- Be alert. The number one form of defense against email-based attacks is to be aware of what these attacks look like. If someone asks you for sensitive information or money, double-check the email address and the body of the email to make sure it’s legit. If in doubt about an email sent to your business address, check with IT before proceeding. If in doubt about an email sent to your individual address, your options are to ignore it or to reach out to the business/person the sender claims to be.
- Strong password. It’s not for nothing that most websites make you create a strong password when you sign up. One of the ways cybercriminals hacks into people’s accounts is by trying common number-letter combinations. Passwords that are longer and involve a combination of numbers, letters, and symbols are harder to break in.
- Change your password regularly. For the same reason as above, it’s a good idea to change your password from time to time.
- ID Theft Protection service. An estimated 16.7 million people in the United States fell victim to identity theft in 2018, according to cybersecurity consultancy Javelin. Top ID theft protection services act to alert and reimburse you when your identity is stolen via an email-based attack or any other form of cybertheft.
- Regularly check your credit report. Your money isn’t the only thing at risk from cybercriminals; so too is your credit score. If a thief uses your ID to take out a loan or credit card, your credit score could fall as a result. The major credit agencies (Equifax, Experian, and TransUnion) are legally obligated to share your credit history with you once every 12 months upon request. Some ID theft protection services will check your credit report more regularly. Either way, if you see something suspicious on your credit report, notify the relevant agency immediately to have the problem corrected.
Email-Based Attacks: You Can Be Prepared
Email-based cyber attacks are just another risk we have to deal with in life, like traffic accidents, floods, or losing your job. You can’t prevent cybercriminals from trying to steal from you, but you can take the necessary precautions to prevent these criminals from ever succeeding.