7 Reasons why email is the weapon of choice for cyber criminals
Trying to do business – and be good at it – without email today might just be impossible. Your business, like millions of others, runs on email.
Cyber criminals are well aware of the ubiquity of email and the critical role it plays at your company. This is why it’s a primary method by which they seek to attack businesses. Over 90% of successful cyber-attacks begin with a malicious email.
What’s more, Lloyds Bank have now revealed that the average loss from a “Business Email Compromise” incident is £27,000. That’s a nice little payday for cyber criminals, especially if you’re making life easy for them. However, by looking at why they’re targeting your mailboxes, you can start taking steps to protect them!
Why do cyber criminals target businesses via email?
- It’s easy
First of all, it is a relatively easy tactic for criminals to utilise, compared to the sophistication of many cyber-attacks. Setting up a fake domain and email address to go with it, and maybe a fake website to steal passwords or stealthily land malware on a victim’s computer requires little effort.
- It’s high-volume
Once they have done this groundwork, it is simply a case of spamming out as many emails as possible. This is opposed to focusing on single-target attacks that require effort and concentration.
- Email users are vulnerable
The success rate of an email-borne attack is roughly 1 in 10, however, with potentially thousands of email addresses targeted at once, the number of victims can still be high. Those users who do fall victim are deceived due to the nature of the tactics and the lack of awareness – 1 in 3 users cannot identify a malicious email. Cyber criminals know this and deliberately seek to exploit vulnerable targets with their scatter-gun approach.
- It can be high-value
Email attacks can be designed to impersonate high-level individuals within organisations in order to trick those who answer to them into carrying out instructions. This tactic is known as whaling and normally involves cyber criminals impersonating CEOs or other directors, and authorising urgent bank transfers to supposed “clients,” which are actually just bank accounts belonging to the attacker.
This attack is normally carried out by attackers who have researched the target in question and created an uncannily similar email address, or by those who have successfully hacked into the legitimate email account of the CEO in question.
- Email is everywhere and often very similar
Because almost everyone uses email, and there is a great deal of uniformity across the solutions people use, such as Exchange Online, or Office365, a one-size-fits-all approach to attacks can work well. Once an attack has compromised one Office365 account with a particular tactic, the hacker can replicate that across other accounts, such as how to construct an email to bypass spam filters and so on.
- Email security cannot keep up with evolving attack tactics
The inbuilt security across many standard email solutions does not adapt quickly enough to evolving threats to adequately protect the users and businesses that rely on them to function. Cyber criminals are constantly searching for ways to circumvent established security measures and the aforementioned uniformity of email solutions mean that once they have the beating of one, they can begin to exploit others too.
- People don’t always notice
Rather frighteningly, business email compromise can go unnoticed for extended amounts of time whilst the cyber criminals rummage around in your mailboxes. This means they can target your contacts for the biggest payday, or move up the chain by impersonating the compromised user to break into other accounts.
Think like cyber criminals, stop the cyber criminals.
As you can see, it’s pretty clear why hackers target mailboxes. It’s relatively low-effort, and they stand to make an awful lot of money without exerting much effort. The problem is, businesses tend to make it easy for them.
On average, business email compromise leads to a cost of £27,000 – and it could happen to anyone. You should be taking steps to protect your users and their mailboxes with a layered approach that includes training, security, archiving and continuity.
Unless, of course, you’ve got a spare few thousand pounds lying around, and you’re saving it for a cyber criminal’s rainy day!
 Emma Bordessa, “4 reasons why phishing is so successful,” IT Governance, https://www.itgovernance.co.uk/blog/4-reasons-why-phishing-is-so-successful/, accessed 11/09/18.
 John E Dunn, “Feel the shame: Email-scammed staffers aren’t telling bosses about it,” The Register, https://www.theregister.co.uk/2018/09/07/scam_business_emails_on_the_rise/, accessed 11/09/18.