Sixty-three percent of companies surveyed by CSO Online in March 2020 indicated that they had experienced a cyberattack over the past 12 months. Cyberattacks often capture or manipulate data to compel the user to release the undesired software actively. Of the malware linked to the data breaches, the survey found that a massive 94 percent came through email. Since then, remote work has increased because of COVID-19, while the Internet of Things (IoT) continues to connect increasingly more smart devices. These cyberattacks cost companies millions of dollars each year, continuously increasing the importance of protecting data. As a result, data security is more important than ever. Here, we’ll describe the causes and prevention methods of email cyberattacks, and two new forms that are gaining popularity.
A cyberattack sent through email might look like this, sent from the address of a company executive:
“Internal audit discovered an error you caused during the monthly financial roll-up. Please move $175,000 back to our management M&A account located here by EOB today to rectify the mistake.”
Several warning signs reveal something is off with this note:
- The recipient does not know of the event.
- The message offers only a vague description of the issue.
- The email includes a warning despite appearing to be from a company executive. An executive would not address an actual financial error directly with an employee; finance would handle it.
- The message asks the recipient to do something he would not do under standard practice (such as move money to an unfamiliar account).
Cyberattacks prey on the recipient’s fear of making a critical mistake; the sender uses this fear to trick him into following a link or visiting a website that they use to extract personal information. Following any link in a cyberattack email usually provides a direct path for the sender to extract information.
Phishing is a type of email attack. These emails come from a third party, such as a lawyer or consultant, and often appear to copy a company executive’s email address in the cc: line. The receiver of this type of message believes he or she has made a critical error visible to an executive, leading to a panicked response.
Spear Phishing and Whale Phishing
Spear phishing and whale phishing are more advanced types of targeted phishing attacks. A person within a company who has access to pertinent information, such as trade secrets, new products, or financial insight is a spear-phishing target. Whale phishing targets C-level executives with apparent access to critical information. Neither target of these types of phishing attacks wants to jeopardize their position, so the urgency level rises when the phishing email arrives.
Malware and Trojans
Malware and trojan cyberattacks have been around for a while, but they are among the hardest to prevent. Malware is software downloaded onto the user’s computer or phone that can spread to other connected devices and networks. It can get onto a user’s computer if it is connected to the internet.
As the name suggests, trojans are disguised as a useful program. Typical examples are Adobe, Microsoft Office, or even a company-specific program. They compel the user to click a dangerous link using an icon that looks like a program he or she uses.
New Types of Cyberattacks
Smishing is gaining favor among data thieves because of the personal and convenient nature of smart devices. This type of cyberattack comes through text messages (SMS), WhatsApp, or social media. They prey on victims who might have their guard down. One method of smishing is by a user sending a text message addressed to someone else, containing what appears to be confidential information:
“Stacy, I can’t believe they passed on purchasing that pharma stock. Look at the new vaccine they just developed!”
The recipient (not named Stacy for this example) thinks he has just lucked into a great stock tip. The link could lead him to the company (incidentally not mentioned in the text). That stock tip he thought he found will put his personal information at risk.
Vishing is an especially devious form of a cyberattack. The caller leaves a voicemail while impersonating a company executive or employee. Voicemails can come from phone numbers that look familiar. If the voice is also familiar, that is usually enough to trigger the victim to act according to the instructions they receive.
In the IoT age, information is an increasingly valuable commodity. Many types of cyberattacks are all aimed at becoming data-rich. Some easy ways to avoid email and message attacks are:
- Be very skeptical of cryptic, urgent electronic messages that contain links or attachments, and do not click unless you are sure the media is safe.
- Avoid inputting personal information online. Although it is nearly impossible to withhold phone numbers and email addresses for gated content, shopping, or other purposes, the risk goes up for a breach each time this information is submitted.
- Block email addresses or phone numbers you suspect are malicious. It’s to avoid one specific instance, but blocking the address or number informs the platform or data provider of an attack. This action allows them to flag the sender in the future.
- Be deliberate about clicking on ads and external links, often on the periphery of webpages. Some ads might contain malware on an otherwise perfectly safe site.
Cyberattacks pose an ever-present, ever-evolving challenge to businesses and individuals. They often result in data breaches that cost companies millions of dollars in lost revenue each year and individuals with their identities compromised. As a result, implementing robust cyber data security strategies is more important than ever. Staying abreast of the more common types of cyberattacks—such as email, malware, trojans, smishing, and vishing—and practicing current data securities measures will go a long way in helping to safeguard your valuable data and information.