In June of this year, cyber risks were already on the rise: cyber-attacks are now one of the most significant business risks for many companies. Email attacks and phishing, in particular, are dangers that are being warned about louder and louder – among others by the FBI in its report on cybercrime, which is increasing worldwide. In today’s post, we go into the details of this report, look at a Stanford University and Google study on the subject, and share tips to help protect yourself from email fraud.
Email Fraud – Phishing, Malware & Ransomware Increasing Via Email
A few months ago, the Internet Crime Complaint Center (IC3; the FBI’s complaints office for Internet crime) published its annual Internet Crime Report (PDF). This report describes the impact of attacks on organizations worldwide and covers the past year, 2020. The figures are alarming: 791,790 complaints were received last year, with more than 4 billion US dollars in total annual losses. The report also shows which risks companies should specifically address:
BEC / EAC & Phishing
Business email compromise (BEC) and email account compromise (EAC) caused the highest losses, which the IC3 puts at over 1.8 billion US dollars. BEC / EAC and phishing are therefore more significant threats than ransomware. According to the report, the financial losses were 64 times higher than those from ransomware attacks, and these attacks account for a whopping 44% of the total loss! The picture is completely different for the number of complaints: overall, BEC / EAC accounted for only 2.4% of all complaints.
The supply chain ecosystem appears attractive to cybercriminals as a way of attacking companies indirectly. In particular, impersonating and compromising suppliers turns out to be risky for companies, since many organizations unfortunately have hardly any overview of the risks posed by their suppliers. The number of different BEC / EAC variants is growing:
- Redirecting salary payments,
- Gift card fraud after suppliers have been compromised,
- Fraud related to acquisitions or mergers,
- Redirecting deliveries, and
- Fabricated invoices from suppliers/partners.
There were significantly more complaints when it came to phishing: almost a third of the complaints received by IC3 related to phishing. The fact that the number of complaints almost doubled, from 126,640 reports in 2019 to 241,342 complaints in 2020, suggests that the attacks target the people in the company rather than weaknesses in the infrastructure. With targeted employee awareness-raising, criminal actors can be prevented from successfully exploiting human weaknesses. In our article on phishing protection, we go into different types of phishing and give you tips on how to protect yourself against phishing.
Email Fraud – Criminals Take Advantage of The Corona Crisis
The IC3 report shows that criminals were able to take advantage of the pandemic for their attacks. The year 2020, with its corona crisis, was a windfall for cybercriminals – which is why we issued warnings in March and again in December 2020. Pandemic topics were used for general phishing and for targeted social engineering attacks: vaccines, financial aid for companies, or new COVID-19 variants spurred the creativity of cybercriminals. Expect pandemic topics to continue to be used for attacks in the future.
Malware Like Ransomware Is Gaining Traction
Email fraud – more specifically, email phishing campaigns – is one of the most common ways of getting infected with ransomware; this is also evident from the IC3 report. According to the report, there were 2,474 incidents in 2020, with losses put at more than 29 million US dollars. Notably, the report emphasizes that the ransomware losses it records are “artificially low”: the figure does not include lost business, wages, lost time, device failures, or lost files, and reports from FBI field offices were also not taken into account. Accordingly, it can be assumed that the actual numbers related to ransomware are significantly higher.
Not only ransomware but also other malware is relevant to the field of email fraud. In our article “Identity theft on the Internet: What is malware?” we look at different types of malware and give you tips on malware detection.
Study: Pattern Recognition in Email Fraud
In collaboration with researchers from Stanford University, Internet giant Google has looked at the patterns that make users preferred victims of email fraud. Based on data from more than a billion malware and phishing emails, the investigation aimed to find out whether victims become targets for identifiable reasons. If so, it would be possible to optimize protection strategies. Indeed, the researchers succeeded in identifying several factors that increase the likelihood of attack:
The geographic location of potential targets is the first characteristic: 42% of all email attacks target victims in the US, followed by 10% in the UK and 5% in Japan. The researchers found that attackers do not necessarily localize their emails. Instead, the same email template, written in everyday English, is used, so that English-speaking users are preferred victims for this reason alone. With these identical templates, criminals try to contact small groups of between 100 and 1,000 recipients for two or three days.
Users whose email addresses had already been traded in one of the numerous data leaks of recent years were five times as likely to be contacted as average users.
For the researchers, the age of potential victims also increased the risk: email fraud occurs almost twice as often among people between the ages of 55 and 64 as in the 18 to 24 age group. Device usage also plays a role: people who only used email on their mobile devices had a 20% lower risk of attack than people who access email on several different devices.
Overall, the study shows that one can hardly speak of an indiscriminate approach, but that there is usually no individually targeted selection either. Deliberately choosing specific targets as attack victims is therefore more likely with BEC / EAC attacks than with phishing and malware attacks.
Protect Yourself From Email Fraud
Knowledge is power – this philosophy also applies to your email security! Therefore, the first way to protect yourself against email fraud is to learn as much as you can about the various attack vectors. This is why the study carried out by Google and Stanford University is valuable: it helps you assess how at-risk you are as a user. It is also helpful to know where you stand – and you can quickly test that: with our phishing quiz and our S/MIME test, you can measure yourself against colleagues and test your knowledge. You can also use the following tips to protect yourself efficiently against email fraud:
- Up-to-date: Stay up to date by learning about email scams. It’s straightforward with our support: We report on current developments in our blog and our newsletter.
- Stay Skeptical: Keep a healthy skepticism about your emails. That means: if you receive an email with links or attachments, don’t just click on them, but check the message. Email fraudsters are becoming more and more professional, so fraudulent emails are not always easy to detect. In addition to the origin, check the sender of the message; the source text (raw headers) of your emails provides further information. However, you should also consider the possibility of email spoofing, i.e., concealing the sender’s true identity and simulating a different one. If in doubt, call the alleged sender to find out whether the message really came from there. Also, keep in mind
- No direct replies: If you find an email suspicious, ideally, do not reply directly. Instead, start a new communication using one of the communication channels used by your company.
- Strong logins: Rely on solid passwords for your email account – and ideally also on two-factor authentication (2FA). We have put together helpful tips for you in the article “Secure passwords: Strong passwords increase security” for creating strong passwords.
- AV Suite: Good antivirus programs also warn you about email scams. It is advisable to read reviews of AV suites regularly because the numerous antivirus programs differ massively in their functions and malware detection.
- Updates: Your AV suite, your email client, your operating system, and all other programs you use should receive regular updates. Ideally, you should apply security patches immediately to prevent published vulnerabilities from attracting cybercriminals.
- Encryption: encrypt your emails! In this way, you not only ensure confidentiality, integrity, and authenticity but also create competitive advantages for yourself: industrial espionage, eavesdropping, and manipulation by cybercriminals are genuine threats that you can prevent with email encryption.
- Awareness: We cannot emphasize it enough: the most significant security gap in companies is people. Employees who do not know what types of email fraud exist naturally cannot protect themselves against them. Therefore: train your employees, because a sensitized team is a safe team.
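As an added illustration of the “check the sender” and “consider spoofing” advice above (example code written for this post, not from the original article or any product), the following Python snippet reads the raw headers of a constructed message and lists the mismatches a skeptical reader would look for: the From domain against the domain you expect, Return-Path and Reply-To against From, and the receiving server’s SPF/DKIM/DMARC verdicts. All addresses, domains and header values are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample of a suspicious message (not a real email): the display name
# claims to be the CEO, the real address uses a lookalike domain, Return-Path
# points elsewhere, and the receiving server recorded SPF/DKIM/DMARC failures.
SAMPLE_RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <jane.doe@example-c0m.net>
Reply-To: <payments@example-c0m.net>
To: accounting@example.com
Subject: Urgent: change of bank details for supplier invoice
Content-Type: text/plain; charset="utf-8"

Please transfer today's invoice to the new account below.
"""


def domain_of(addr):
    """Return the lowercase domain part of an address header, or '' if absent."""
    _, address = parseaddr(str(addr) if addr else "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_bytes, trusted_domain):
    """Inspect the headers the way a skeptical reader would and return a list of
    findings that suggest spoofing (an empty list means nothing looked odd)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    if from_domain and from_domain != trusted_domain.lower():
        findings.append(f"From domain {from_domain!r} is not the expected {trusted_domain!r}")
    rp_domain = domain_of(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain")
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain")
    # The Authentication-Results header is written by the receiving mail server,
    # so a fail/none verdict there is a strong hint that the sender is spoofed.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        for verdict in ("fail", "softfail", "none"):
            if f"{mech}={verdict}" in auth:
                findings.append(f"{mech.upper()} verdict is {verdict}")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_RAW, "example.com"):
        print("suspicious:", finding)
```

A message that passes all of these checks can still be fraudulent, so the findings are a prompt to verify via a known channel, as the tips above describe, not a verdict on their own.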