Email Fraud and Phishing
by: Yahya Eid
Changes to online activity have been accelerated by the COVID-19 pandemic, for both personal and professional uses. A key difference is a shift in the attack vectors used by malicious parties, from IT systems to the end users themselves. The focus on the human element as a target has allowed these bad actors to tap into the power of social engineering, whereby the exploitable vulnerability becomes human psychology rather than a technological barrier. Businesses are adopting people-centric approaches to counter this expanding threat, providing security awareness training to combat email fraud and phishing attacks.
Figure 1. Business Email Compromise - source: Interpol
Proofpoint's global survey on 'understanding email fraud' revealed that just 40% of the 2,250 IT decision makers polled said they have full visibility into the email fraud arriving in their environment, and even fewer have controls in place to stop it. The most common effect of email fraud was business disruption: a third of email fraud attacks led to the recipient being manipulated into transferring money, half led to the loss of sensitive data, and one in four led to someone being dismissed from their position.
Figure 2. Common effects of Email Fraud
Phishing is a well-known social engineering attack that remains effective despite its widespread use and growing awareness. In 2019, Proofpoint found that 83 percent of those polled said they had been the victim of a phishing attack in 2018. Such attacks have become more prevalent over time, with a 17 percent increase in compromised accounts in 2016 and a massive 65 percent increase in 2018. Links, data-entry (credential-harvesting) pages, and attachments have been identified as the primary delivery vectors for these threats.
To combat these attacks, businesses use a variety of controls. Email/spam filters, URL rewriting (routing every link in a message through a click-time inspection service), and advanced malware analysis of attachments are among the capabilities available. Phishing management platforms are an effective barrier because they typically allow corrective monitoring and control of email, filtering inboxes to block potentially malicious messages and sender accounts along with any embedded malware. Getting the most out of such a platform carries a cost that must be weighed when re-evaluating the security budget.
However, the effectiveness of these tools can easily be undermined by human error. Phishing emails with subjects like 'Toll Violation Notifications', 'Invoice Payment Required', and 'Urgent Attention' are the most successful at carrying out the attack, because they play on human psychology and emotive responses such as urgency and fear. Therefore, to reduce the odds of a successful breach, it is critical to teach employees about the various types of scam so that they know what to do when they come across a malicious link, attachment, or other type of threat. Testing employees (for example with simulated phishing campaigns) and periodically reminding them of the dangers of these threats is also imperative if security outcomes are to persist.
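To make the filtering controls and the red flags discussed in the two paragraphs above concrete, here is an added example (not code from the article, from Proofpoint, or from Interpol) that scores a raw message for common business email compromise indicators: a Reply-To domain that differs from the From domain, a lookalike sending domain, an SPF/DKIM/DMARC failure recorded in the Authentication-Results header, and an urgency or payment lure in the subject. It also shows the URL-rewriting control by routing every link in the body through a click-time inspection gateway. The sample message, the domains, the gateway URL, and the small homoglyph table are all constructed for illustration.

```python
"""Added example: heuristic BEC red-flag scoring of a raw RFC 5322 message,
plus URL rewriting through a click-time inspection gateway.
Every domain, address and the sample message are constructed for this
illustration; nothing here is vendor code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import quote

# Subject lures the article names as the most successful (lower-case for matching)
LURE_PHRASES = ("urgent", "invoice payment required", "toll violation",
                "immediate", "wire transfer")

# Minimal homoglyph table (hypothetical): digits and letter pairs attackers
# substitute when registering a lookalike of a trusted domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise(domain):
    """Fold common homoglyph tricks so 'examp1e-c0rp.com' -> 'example-corp.com'."""
    d = domain.lower().translate(CONFUSABLES)
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; domain names are short, so O(len*len) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_alike(domain, trusted):
    """True when domain is not the trusted domain but is a near-copy of it."""
    if domain == trusted:
        return False
    return normalise(domain) == trusted or edit_distance(domain, trusted) <= 2


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def red_flags(raw_message, trusted_domains):
    """Return the list of BEC red flags found in the message's headers and subject."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    # Replies silently diverted to an attacker-controlled mailbox
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")
    # Sending domain is a near-copy of one the organisation trusts
    if any(looks_alike(from_dom, t) for t in trusted_domains):
        flags.append("lookalike-domain")
    # Receiving MTA recorded an SPF/DKIM/DMARC failure
    auth = msg.get("Authentication-Results", "").lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        flags.append("auth-failure")
    # Urgency / payment lure in the subject line
    if any(p in (msg.get("Subject") or "").lower() for p in LURE_PHRASES):
        flags.append("urgency-lure")
    return flags


URL_RE = re.compile(r"https?://[^\s<>\"']+")


def rewrite_urls(body, gateway="https://urlcheck.example.net/v1?u="):
    """Route every link through a (hypothetical) click-time inspection gateway,
    the 'URL rewriting' control mentioned above."""
    return URL_RE.sub(lambda m: gateway + quote(m.group(0), safe=""), body)


# Constructed sample: display name impersonates the CEO, the sending domain is a
# lookalike, Reply-To points elsewhere, SPF failed, and the subject is a payment lure.
SAMPLE = """\
From: "Dana Rivera (CEO)" <dana.rivera@examp1e-corp.com>
Reply-To: accounts@fastpay-invoices.net
To: finance@example-corp.com
Subject: Urgent: Invoice Payment Required today
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
Content-Type: text/plain

Please wire the attached invoice now: http://fastpay-invoices.net/inv/8812
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE, ["example-corp.com"]))
    print(rewrite_urls(SAMPLE))
```

Two caveats worth keeping in mind if you adapt this: an edit distance of 2 is too permissive for very short domains and will produce false positives, so a real filter scores the flags rather than blocking on any single one; and the Authentication-Results check only means anything if the header was added by your own receiving MTA and any copies that arrived from outside were stripped first, otherwise an attacker can simply include a forged `spf=pass`.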
Figure 3. Business Email Compromise Red Flags - source: Interpol