However, as businesses recognise this and defences get better, criminals have to develop ever-more sophisticated ways to get around the protections. This means traditional attack methods such as phishing, where scammers send out large volumes of email hoping for a response, are being refined and personalised in order to stand a chance at success.
Many types of attack now fall into the category of ‘spear phishing’. As the name suggests, this is like regular phishing, only more targeted. Instead of throwing out a wide net and hoping someone responds, attackers tailor their emails to a specific individual.
Because these emails seem personal and relevant to the recipient, without any of the vagueness of traditional phishing emails that people know to look out for, every employee needs to be aware of their risks and be on the lookout for suspicious communications at all times.
While there is a wide range of email attacks firms may face, there are a few common attack patterns that everyone should know about. Here are three you need to familiarise yourself with.
1. Brand impersonation
One of the most common types of spear-phishing attack is an email that purports to be from a brand that an individual already does business with. For example, it may appear to be from a retailer asking you to rearrange a delivery, or from a financial services firm asking you to update crucial details.
Increasingly, they can also appear to come from software providers like Microsoft. As more businesses depend on cloud applications from such firms, employees may be more susceptible to being fooled by these.
2. Executive impersonation
A related, but distinct form of email attack is executive impersonation. In this case, instead of posing as a brand, the scammer makes it appear as if the email is coming from a senior executive at the company who is asking for sensitive information.
These are typically aimed at junior employees who are more likely to respond quickly and without fully checking the legitimacy of the email, as they don’t want to upset senior personnel.
Both brand and executive impersonation emails can often have a couple of telltale signs to be aware of. They commonly come from domains that may look right at a casual glance, but may have a single incorrect letter, for example. In cases such as executive impersonations, hackers will often be relying on the employee being so focused on meeting the request of their boss they simply don’t notice these errors.
The above two types of attack are typically looking to extract information, either by getting the recipient to send it directly or having them enter login details on a fake site. But firms also need to be aware of attacks that seek to infiltrate the network with malware.
Whether by opening malware-laden attachments or directing the user to a site from which a ‘drive-by’ download can be performed, these threats can cause a wide range of issues. One particular danger to be aware of is ransomware, which is increasingly popular among hackers and can be very hard to deal with if it’s not stopped quickly.
How to keep your business email safe
To avoid falling victim to these threats, it’s vital you have a layered email security system. This should cover employee education to ensure they’re able to spot threats, as well as technical solutions to block malicious emails before they have a chance to do damage.
Download the Essential Guide to Email Security
We have released an Essential Guide to Email Security where you can learn how to defend your firm from email threats.
With over 20 years in the business telecoms industry and an unrivalled reputation of delivering excellent, personal customer service, Arrow is one of very few companies in the UK able to provide a full telecoms, IT and energy consultancy and service proposition.