Email-borne cyber-attacks continue to plague businesses worldwide. In 2023, 94% of companies were victims of phishing attacks. Organizations need email. Without it, communicating with people internal and external to the company would be more challenging. But, since the inception of electronic mail (email) back in 1971 by Ray Tomlinson, the medium has been exploited by malicious actors. Here, TitanHQ explores five of the most common types of email scams and how to prevent these insidious attacks.
What is an Email Scam?
An email scam is any nefarious activity that relies on email to perpetrate the attack. A cybercriminal will use email communications to commit fraud, steal money and data, and infect networks and devices with malware. An email scam is often multi-part, with email being used to penetrate a corporate perimeter and the communication method exploiting the recipient in some way.
What are the Results of an Email Scam on a Business?
Email scams are ubiquitous. At home or work, malicious emails and spam enter our inboxes daily. Emails are typically part of a longer attack chain, including login credential theft and social engineering. If you were to engage with a scam email, then a variety of outcomes could occur, including:
Theft of Company Funds
BEC scams are the pinnacle of social engineering, often utilizing email scams during the attack. Business Email Compromise is human-centric, manipulating behavior to trick employees into moving company funds into a hacker’s bank account. Social engineering is at the heart of a BEC scam. BEC attackers use email impersonation or compromise to build trust with employees and supply chain vendors.
Credential Theft
Having a set of legitimate login credentials is like having the keys to a company’s bank vault. Cybercriminals use a variety of email scams to harvest credentials. The most common is phishing emails. These emails typically contain links to spoof websites that look just like a trusted brand’s login page. Enter login credentials into the page, and they will go straight to a cybercriminal who will use them to log in to the real app. Sometimes, a scam email will contain an attachment that contains a malicious link; this is an attempt to evade detection by anti-phishing tools.
Data Theft
Email scams can result in data theft. A scam email may be used to steal administrator credentials that are then used to access sensitive areas of a network, allowing a cybercriminal to exfiltrate data. This often occurs by stealth and over many months, so it can be difficult to detect. Installation of ransomware via scam emails can also cause data theft. The loss of data results in non-compliance fines and lost customer confidence, which can also lead to further scam emails sent to customers who have had their personal data compromised.
Malware (Including Ransomware) Infection
Ransomware (and other malware) infection is often propagated through email scams. Ransomware installation may be caused by the theft of login credentials, which leads to unauthorized access. Alternatively, a scam email may contain an infected attachment or link to a website that exploits software flaws on a device to load the malware.
Five Common Email Scams (and Some Real-World Examples)
Email scams may have common cybercrime outcomes, but they use various techniques. The following five email scam tactics are some of the most common:
#1 QR Code Phishing (Quishing)
QR codes are popular because they are quick to create and use. The convenience of scanning and using a QR code saw 89 million smartphone users in the USA use a QR code from a mobile device in 2022. Cybercriminals love popular technologies, so there has been a parallel increase in QR code phishing. QR codes contain instructions, like a link to a website. A smartphone camera or specialist scanner is used to scan the QR code, and then the user can click the link. Cybercriminals are using the QR code process, embedding malicious links in the QR code.
QR codes, already abused in tax and car parking machine scams, are now used in email scams. The UK's HMRC has been impersonated in QR code-based email scams: spoof HMRC emails containing a malicious QR code were sent to customers. If a recipient scans the code and follows the link, they are taken to a spoof web page requesting bank details and other personal data.
#2 Business Email Compromise (BEC)
BEC scams are complex, often multi-part scams that make use of emails. The emails are frequently spoofed to look like they are sent from a C-level executive in the company. Email compromise is also used to hijack CEO or CFO email accounts. The scam emails are part of a cyber-attack that involves building trust with employees who oversee payments. BEC scammers will intercept company emails to find supplier details and look for invoices. The fraudsters then create new scam emails or modify legitimate emails to change bank details on an invoice to the fraudster's own. The payment will then be sent to the hacker's bank account.
According to a 2023 FBI report, BEC email scam losses are up almost 58% since 2020.
A recent BEC-related tactic has worried Microsoft, with fraudsters circumventing a common authentication process. The fraudsters, part of a Russian hacking group, were able to gain access to senior executives’ accounts at Microsoft. This hijacking of a senior-level account is the basis for Business Email Compromise and many other potential cyber-attacks.
#3 Email Impersonation (Spoofing)
If fraudsters cannot easily hijack an email account, they use email spoofing or impersonation instead. Spoofed emails are made to look like they are from a known individual, such as a CEO: the fraudsters create an email under that person's name and use wording that sounds like it came from them. Spoofing a high-level executive or other relevant employee is a common component of Business Email Compromise attacks, and credential theft is also often associated with email spoofing.
In 2022, the United States Department of Labor (DoL) was a victim of an email spoofing attack. The fraudsters spoofed the department’s domain, so the spoof emails looked like they came from the DoL site; an example is dol-gov[.]com. The spoofed email looked exactly like it was from the DoL. An attachment in the spoof email contained a PDF with a malicious URL. If clicked, the email recipient was taken to a site created to steal login credentials.
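The quishing and spoofing sections above both come down to the same defensive question: once a URL has been extracted from a message (a link in the body, or the string decoded from a QR code image), does its domain really belong to the brand it claims to be? The following is an added example, not TitanHQ's or PhishTitan's code; it takes the already-decoded URL (reading the QR image itself would need a barcode library) and flags registrable domains that mimic a trusted one, such as dol-gov[.]com standing in for dol.gov. The TRUSTED_DOMAINS allow-list, examplebank.com and every sample URL are constructed for illustration.

```python
"""Classify a URL (from a mail body link or decoded from a QR code) against
trusted brand domains and flag lookalike domains.

Added example, not TitanHQ's or PhishTitan's code.  TRUSTED_DOMAINS and all
sample URLs are constructed; dol.gov is the only real domain and appears
because the article cites the dol-gov[.]com lookalike."""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {                    # registrable domain -> brand (constructed list)
    "dol.gov": "US Department of Labor",
    "examplebank.com": "Example Bank (placeholder)",
}

_HOMOGLYPHS = str.maketrans("0135", "oles")   # digits attackers swap for letters


def refang(url: str) -> str:
    """Restore a defanged indicator (hxxp://dol-gov[.]com) to a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a host.  Naive (no public-suffix list): fine for
    .com/.gov, wrong for co.uk-style suffixes, where tldextract would be used."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(text: str) -> str:
    """Collapse separators and digit-for-letter swaps: 'd0l-gov' -> 'dolgov'."""
    return re.sub(r"[-_.]", "", text.lower()).translate(_HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Return {'host', 'verdict', 'brand'}; verdict is trusted/lookalike/unknown."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "brand": TRUSTED_DOMAINS[domain]}
    cand_name = skeleton(domain.rsplit(".", 1)[0])          # 'dol-gov.com' -> 'dolgov'
    for trusted, brand in TRUSTED_DOMAINS.items():
        trusted_name = skeleton(trusted.rsplit(".", 1)[0])  # 'dol.gov' -> 'dol'
        if (
            host.startswith(trusted + ".")                  # dol.gov.<something>.example
            or cand_name == skeleton(trusted)               # dol-gov.com mimics dol.gov
            or (len(trusted_name) >= 6 and edit_distance(cand_name, trusted_name) <= 1)
        ):
            return {"host": host, "verdict": "lookalike", "brand": brand}
    return {"host": host, "verdict": "unknown", "brand": None}


if __name__ == "__main__":
    # Constructed sample payloads: one genuine link, two lookalikes, one unrelated site
    for sample in ("https://www.dol.gov/agencies", "hxxp://dol-gov[.]com/login",
                   "https://exanplebank.com/verify", "https://news.example.org/"):
        print(sample, "->", classify_url(sample))
```

The three lookalike rules are deliberately narrow (trusted domain used as a subdomain prefix, brand-plus-TLD squatted under another TLD, one-character typosquat of a name at least six characters long) so that short brand names do not fire on every domain that happens to contain them; a production filter would add a public-suffix list and a larger homoglyph table.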
#4 Spear Phishing Emails
Cybercriminals often target specific employees, such as system administrators. If a scam email helps to steal the login credentials of a targeted individual, like an admin, the fraudsters will have privileged access to sensitive network areas and apps. Spear phishing email scams are organized and often involve intelligence gathering on the part of the fraudsters. This allows spear-phishing emails to look highly realistic.
In late 2023, a U.S. aerospace firm was the victim of a spear phishing attack. The targets were sent a phishing email tailored to them. The email contained a weaponized XML file containing a remote template injection exploit and malicious VBA macro code.
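The aerospace case pairs two traits a mail gateway can look for in an Office attachment before it reaches a user: an attached template whose target is an external URL (the hook remote template injection relies on) and an embedded VBA project. The scanner below is an added example, not TitanHQ's code and not a description of that specific sample; it inspects Office Open XML packages (.docx/.docm/.dotm), which is an assumption, since the article says only "XML file". build_sample_docx() fabricates a skeletal, non-openable package in memory purely as a test fixture, and the template URL in it is a placeholder.

```python
"""Scan an Office Open XML package for an external attached template and an
embedded VBA project, the two traits combined in the spear-phishing example.

Added example, not TitanHQ's code.  build_sample_docx() is a constructed test
fixture, not a real document; the URL it embeds is a placeholder."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_ooxml(data: bytes) -> dict:
    """Return findings for a package given as bytes (e.g. a mail attachment)."""
    findings = {"remote_templates": [], "has_vba": False, "valid_zip": True}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["valid_zip"] = False
        return findings
    with zf:
        names = zf.namelist()
        # Macro-enabled documents carry the compiled VBA project as this part.
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Any *.rels part may declare relationships; an attachedTemplate whose
        # TargetMode is External makes Word fetch the template over the network.
        for name in names:
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    findings["remote_templates"].append((name, rel.get("Target")))
    return findings


def verdict(findings: dict) -> str:
    """Map findings to a gateway action: block, review (human look), clean."""
    if not findings["valid_zip"]:
        return "not-ooxml"
    if findings["remote_templates"] and findings["has_vba"]:
        return "block"      # remote template plus macros: quarantine and alert
    if findings["remote_templates"] or findings["has_vba"]:
        return "review"
    return "clean"


def build_sample_docx(template_url: str = "", with_vba: bool = False) -> bytes:
    """Constructed fixture: only the parts the scanner inspects, so it is not
    a complete or openable document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        rels = f'<Relationships xmlns="{REL_NS}">'
        if template_url:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                     f'Target="{template_url}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"placeholder bytes, no real macro")
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; .invalid is reserved and never resolves.
    sample = build_sample_docx("http://template-host.invalid/t.dotm", with_vba=True)
    print(scan_ooxml(sample), "->", verdict(scan_ooxml(sample)))
```

Safe Attachments-style sandboxing detonates the file; this static check is cheaper and runs first, which is why gateways typically do both. The relationship path (word/_rels/settings.xml.rels) is where Word records the attached template, but the scanner walks every .rels part so that templates referenced from elsewhere are not missed.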
#5 M365 Targeted Phishing
Phishing scams targeting Microsoft 365 users are on the increase. The trust inherent in M365 makes this phishing attack more likely to succeed. The advent of GenAI has now seen AI tools such as WormGPT and FraudGPT used to generate realistic-looking email content. Business Email Compromise and credential theft are two of the common outcomes of M365-targeted phishing attacks. Malware infection is another.
A recent spate of M365 phishing attacks involved HR-themed messages containing a malicious attachment. These were sent out to targeted employees working at enterprises using M365. The emails contained malware. According to researchers, Microsoft Teams security, such as Safe Attachments, could not detect or block the attack.
How to Stop Email Scammers
Email scams are complicated, often multi-faceted, and can be targeted. This mix means that stopping email scams is not straightforward. To stop email scammers, you must use multiple layers of protection. The following are recommended for businesses wishing to create a secure environment for employees, customers, and the supply chain.
- Train your employees about email scams. When developing your security awareness campaigns, make sure you cover email scams. Use interactive training material and behavior-led training that tailors content to individuals. Check out SafeTitan to see how effective security awareness training is performed.
- Use good password policies and MFA. Enforce robust passwords throughout your organization. Set up multi-factor authentication (MFA) wherever it is supported. However, don't rely on MFA alone, as there are circumstances in which fraudsters circumvent it.
- Deploy advanced anti-phishing tools. Email scams are often designed to evade detection by conventional anti-phishing tools. Modern cyber threats need intelligent technologies to identify them as they emerge. AI-powered email security and anti-phishing technologies, like PhishTitan, use multiple layers of increasingly granular and advanced protection to identify complex phishing and email scam threats. PhishTitan uses Natural Language Processing (NLP) to identify email-based social engineering threats.
- Have checks and balances in place. Set up a system of checks to ensure that any emails asking for large money transfers or that are suspicious are double-checked by another member of staff. This helps prevent email scams that are used to carry out BEC attacks.
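The "checks and balances" item, and the invoice-redirection BEC scenario described earlier, can be expressed as a payment-release rule: a request is held for a human whenever the beneficiary account differs from the vendor master record and that change has not been verified by a callback to the number on file, or when the amount exceeds a threshold and nobody other than the requester has approved it. This is an added example, not TitanHQ's code; the vendor record, the threshold, the IBAN strings and the sample requests are all constructed.

```python
"""Dual-control check for outgoing payments, modelling the 'checks and
balances' recommendation against BEC invoice-redirection fraud.

Added example, not TitanHQ's code.  VENDOR_MASTER, the threshold and every
request below are constructed; the IBANs are placeholders."""
from dataclasses import dataclass, field

# Constructed vendor master: the bank details finance verified at onboarding,
# not whatever the latest invoice or email happens to quote.
VENDOR_MASTER = {
    "ACME-001": {"name": "Acme Supplies Ltd", "iban": "GB00EXAMPLE00000001"},
}
DUAL_APPROVAL_THRESHOLD = 10_000.00   # above this, a second person must approve


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    iban: str                                      # account quoted on the invoice
    requested_by: str                              # user id of the person raising it
    approvals: list = field(default_factory=list)  # user ids who approved
    change_verified_by_callback: bool = False      # finance phoned the number on file


def evaluate(req: PaymentRequest) -> dict:
    """Return {'decision': release|hold|reject, 'reasons': [...]}."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return {"decision": "reject", "reasons": ["unknown vendor id"]}
    reasons = []
    # Rule 1: a changed beneficiary is the BEC signature; only an out-of-band
    # callback to the contact already on file may clear it (never the email).
    if req.iban != vendor["iban"] and not req.change_verified_by_callback:
        reasons.append("beneficiary differs from vendor master and is not verified by callback")
    # Rule 2: large amounts need a second pair of eyes, and the requester
    # approving their own request does not count.
    if req.amount > DUAL_APPROVAL_THRESHOLD and not any(
        a != req.requested_by for a in req.approvals
    ):
        reasons.append("amount over threshold requires an approver other than the requester")
    return {"decision": "hold" if reasons else "release", "reasons": reasons}


if __name__ == "__main__":
    # Constructed requests: routine invoice, BEC-style redirection, verified change
    routine = PaymentRequest("ACME-001", 4_500.00, "GB00EXAMPLE00000001", "alice")
    redirected = PaymentRequest("ACME-001", 25_000.00, "GB00EXAMPLE00000099", "alice",
                                approvals=["alice"])
    verified = PaymentRequest("ACME-001", 25_000.00, "GB00EXAMPLE00000099", "alice",
                              approvals=["bob"], change_verified_by_callback=True)
    for r in (routine, redirected, verified):
        print(r.vendor_id, r.amount, "->", evaluate(r))
```

The point of the second rule is that the approver set must contain someone other than the requester; a rule that merely counts approvals is satisfied by an attacker who controls one hijacked account. Logging every hold with its reasons also gives the SOC a ready-made signal for a BEC attempt in progress.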
Susan Morrow