Published: April 4, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
Are you ready for another article preaching about the risks associated with emails? Well, I will make you a deal with you. I will only talk about the stuff you probably already know for just one second and then I’ll spend the rest of the time talking about some crazy new ways on how criminals are having success with malicious links in emails. I know, I know, phishing scams are old news and only your grandparents and Millennials are still falling victim, but you have to remember, criminals are not known for giving up. And just when you think you have it all figured out, they change the game.
First, let's cover the stuff you have probably been told more than once. According to a recent study conducted by IRONSCALES, over 90% of all successful cyberattacks can be directly tied back to a phishing email. That means that phishing scams are clearly working. That said, the amount of breaches has begun to decline, which seems to indicate that people are starting to figure it out. The most obvious lesson that has been learned is simply when you receive an unsolicited email, don’t click the link and don’t open the attachment. By following the basic advice, you can all but eliminate the risks associated with email. Just to be clear, there can also risks that are tied back to phone numbers that may be sent in emails as well. In those cases, the criminal may attempt to trick the recipient into giving personal or private information over the phone. So really it just comes down to not trusting anything in an unsolicited email.
Now, the term “unsolicited email” is interesting because it turns out that it can mean many things to many people. For example, if I am a customer of a bank or credit union and I receive monthly statements via email. Technically that is not unsolicited, because even though it was not a response to an immediate request, it was still something that I had expected. LinkedIn is another example where you may receive an email letting you know someone has requested to “Join your network.” This too is technically not unsolicited, as you are expecting to receive these emails from time to time.
But this is where things start to get complicated, because there are literally thousands of examples where you could receive an email that though unsolicited, they still technically make sense that you received them. Unfortunately, criminals are on to this and have begun to really zero-in on these types of attacks.
Now an argument could be made that in order for a criminal to have success with one of these attacks, they would need to know, or at least be able to guess what services and companies you work with. And while that may be true to a point, the reality is that if they send out 100,000 emails pretending to be from main stream organizations such as LinkedIn, Amazon, or a large bank or credit union in your region, they are likely to have a high success rate in finding people that do business with that organization. That said, if you are even a little tech savvy you might be able to look at the link in the emails and realize that they are pointed to domains that are different than where the email claims to be sent from. For example, an email claiming to be from LinkedIn may have a link that goes to something like linkedin.sec-update.com. This would obviously not be a real link to LinkedIn and that might be enough to keep you from clicking the link.
But things are starting to get even more complicated. Recently criminals have begun using legitimate third-party services to send malicious emails. For example, if a criminal is targeting employees at a specific organization, they will do some research to get a list of the employees at that organization. Often this can be done through LinkedIn. Now, with the help of Facebook or one of the many other social networking sites, it isn’t so difficult to find an employee who has an upcoming birthday. Next, they go to the website evite.com, a service designed to send out invitations to parties and events, and create a new invitation. They will make the invitation look like it is being sent from one of the employees at the organization and announce that there is a surprise birthday party for the employee who has an upcoming birthday. Because real names are being used and because a real service is being used, the email sent is technically 100% legitimate.
Now, to pull off the scam, the criminal will add one more small detail in the message of the evite. They will include a link to either a blog about the upcoming birthday party or perhaps a link to a funny video about the birthday boy or girl. Obviously there are a number of reasons one may want to include a link and the evite.com company will send that link as part of the evite. So, to complete the attack, the criminal sends the email to as many of the employees of that organization as possible.
Please note that getting email addresses to employees is incredibly easy and no longer a deterrent of any kind for most cyber criminals. So when an employee receives the email, it is actually sent from evite.com; a legitimate company. This means that technically it is a legitimate email that will make it past any spam filters and other security that’s designed to screen emails. In addition, the email will be talking about a specific employee that is known within the organization and ultimately it will contain a link to more information. If the user follows the link in the email, they are taken to the evite.com website, which is safe and completely ok. The problem is that once there, if they follow the link inside the message, they will be compromised.
While this may sound a little complicated, the reality is that it is very simple for the cybercriminal to pull off and very difficult for the potential victim to detect. Simply put, it means that even legitimate organizations like evite.com can be manipulated into becoming malware-spreading websites.
So, what can you do? Well, first you need to continue to be cautious about clicking links, opening attachments, or calling phone numbers that you receive in unsolicited emails. Next, you need to make sure you understand the concept of an unsolicited email. It is important to remember that emails sent as part of mailing lists, online bills, account status updates, social media notifications, etc. can all be forged by a cybercriminal and therefore need to be viewed with an additional level of scrutiny. Before ever clicking the link or opening the attachment in these types of emails, stop. Be extremely cautious about opening any attachment and if there is a link attached, confirm the domain that the link is directing you to is legitimate and truly goes to a website that you trust.
And last but certainly not least, if you receive an email from a legitimate organization such as evite, PayPal, Amazon, or eBay and it contains a message that can be provided by a third party, be extremely cautious about following the links in those messages. Again, to be clear the email itself will contain a legitimate link to the sender's website, but once at the website, there will be a message with an additional link. That is the link that you should avoid.
As usual, when in doubt stop and pick up the phone and contact someone in your organization. Detecting malicious emails can be difficult and unfortunately it seems to be getting harder. It’s up to you to remain vigilant to stay one step ahead of the cybercriminals.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org