
Imagine a CEO asking an employee to transfer money to a client, a business partner asking the IT team to clear an invoice, or a colleague asking you to click a link in an ongoing email thread. You would probably agree that none of these situations raises suspicion at first, since they are normal activities in the everyday functioning of a business.

Unfortunately, these are also real-life examples of how targeted email attacks are conducted. By impersonating a trusted authority, hackers exploit the trust placed in known people, and look-alike names and addresses, to make the victim comply with their request.

Given the nature of this crime, these tactics are relatively easy for hackers to employ, yet they cause businesses disastrous losses.

For example, a recent study by IBM shows a BEC (business email compromise) attack costs businesses an average of a whopping $5.01 million per breach.

So, how can you ensure that you’re protecting your company against such crimes?

Let’s begin by understanding what exactly targeted email phishing is, its types, and how to mitigate it.

What Is Targeted Email Phishing?

Targeted email phishing, or business email compromise, is a type of phishing attack that’s targeted towards an organization or individual. These cyber ploys are based on the principles of social engineering, where they use trust and familiarity to succeed.

Hackers use techniques like spoofing, impersonation, or email account takeover. Since these emails look legitimate, the receiver is more likely to comply with the request, making it one of the most disastrous cyber crimes.

Moreover, unlike regular phishing attacks that use spray-and-pray techniques, targeted attacks are carefully fabricated to imitate legitimate personnel.

How Do Targeted Phishing Email Attacks Work?

As discussed, targeted email phishing attacks are aimed at a specific individual or organization.

Threat actors take their time to identify and research the person they will imitate. They then study that person’s communication patterns so they can reproduce them later during the attack.

The attackers often take over an email account but lurk in the background until they fully grasp the victim’s communication style, so that the malicious email looks legitimate.

Finally, posing as the CEO, a business partner or a vendor, the attackers ask HR, finance teams or employees for sensitive information. The request is usually a payment demand, but it could also encourage the recipient to click a malicious link that infects the target’s computer or network.

In more sophisticated attacks, the hackers take over an email account and join an ongoing email thread, making it nearly impossible for the recipient to detect the threat.

In another study, by GreatHorn, 43% of organizations reported experiencing a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of those incidents.

Clearly, email phishing is both common and catastrophic. Let’s look at what real-life targeted email phishing attacks look like.


Examples of Targeted Email Phishing

The same report by GreatHorn shows that 39% report that their organization now experiences spear phishing on a weekly basis.

Some notable examples of targeted email phishing:

Toyota Boshoku Corporation scam of over $37 million

In 2019, Toyota Boshoku Corporation, a major supplier of Toyota auto parts, fell victim to a distressing attack.

The attackers posed as a legitimate business partner and contacted the finance team to request payment. The email created a sense of emergency by stating that the payment had to be made urgently or the company would suffer a slowdown.

Unfortunately, the payment was released, and the company lost a whopping 4 billion yen, or $37 million, making it one of the most damaging BEC attacks in history. It is a definitive example of how email fraud takes place.

Xoom Corporation, $30.8 million scam

Xoom, a money transfer company, lost $30.8 million after spoofed emails sent to its finance department requested that the amount be transferred to a fraudulent overseas account. Not only did the company suffer the monetary loss, but its shares also dipped by 17%.

COVID-19 borne attacks

During the pandemic, hackers took advantage of the fear that had gripped the world. By disguising themselves as authorities like the World Health Organization, they tricked companies and individuals into sharing sensitive information.

Moreover, working from home exposed vulnerabilities in security infrastructure, making it even more lucrative and easy for attackers to exploit them.

Generally, in targeted campaigns, hackers either spray-and-pray (target a large group of people and hope it works) or mount a whaling attack (target senior authorities in an organization). During the pandemic, hackers pulled both strings, exploiting fear and impersonation.

Now that we have the gist of these attacks, let’s look at the different types of targeted email phishing.

Types of Targeted Email Phishing

1. False invoice scam

In this type of attack, phishers pose as one of the company's suppliers and request payment of an invoice.

Often they use the same template as the legitimate supplier's to appear more authentic but change the bank details to fraudulent ones. Once the money is transferred, it's then dispersed in various accounts to avoid traceability and recoverability.

2. CEO fraud

This trick makes use of power dynamics within an organization by impersonating the company's CEO.

The supposed CEO sends an email to the company's employees to take action. This could be sharing confidential information with a partner or transferring funds to close a deal. Whaling is also a similar crime, where the hackers target higher authority personnel (or whales) in the organization to act or compromise under pressure.

3. Data theft

Besides stealing money, the other motive could include stealing confidential data from the company. By faking as a trusted person, hackers send an email to the HR or finance teams to share confidential information or data about the company or employees.

This allows hackers to either sell that information on the dark web or carry out future targeted attacks.

4. Email account compromise

In this attack, the hacker compromises an individual's email account and communicates with stakeholders while appearing to be legitimate.

Hiding behind a genuine name, email address and company name gives hackers access to stakeholders and makes it easy for them to extract information or money.

What's more worrisome is that hackers often break into the account but lurk around for months to understand communication patterns to then attack.

5. Lawyer impersonation

In this attack, the hackers pose as legal representatives acting on behalf of a client to make a request. They then invoke time sensitivity to put the target under pressure and make them give in.

Clearly, threat actors use a variety of tricks and techniques to achieve their goals. Since the emails come from a seemingly legitimate source, it's only natural to respond to them. But it doesn't have to be this way: with a couple of simple steps and precautions, it's possible to navigate these threats. Let's look at them.

How to Mitigate Targeted Business Email Attacks

1. Employee training and compliance

As we’ve seen, targeted phishing attacks rely on the principle of familiarity and trust. That’s why it’s pretty easy to give in to the request in a received email. However, there are usually signs that tell the tale of a malicious email. Hence, employees must be educated about the risks and consequences involved through adequate and recurring training.

Moreover, these attacks target low or mid-level employees who may not be comfortable contacting the higher authority to validate the genuineness of the email.

Therefore, it’s vital to empower employees to learn, mitigate, and report anything that seems “off.”

2. Employ multifactor authentication

Multifactor authentication (MFA) drastically reduces the chances of email account takeover or compromise. MFA essentially requires a person to cross multiple layers of security before accessing a particular application.

A common example would be a situation where you’re prompted to enter a one-time password (OTP) after entering your account sign-in password.

At the bare minimum, companies should implement MFA for higher authorities like the C-level executives, HR, finance, and anybody in a position to make the payments or share confidential information.

3. Read emails cautiously

Often, malicious emails can be spotted a mile away by the altogether different tone and wording of the email. Other times, especially in more advanced attacks, the line between a corporate email and an outsider’s email is blurred, making identification more complex.

However, everyone in your organization must be trained to spot a malicious email from its symptoms. For example, a report by KnowBe4 shows that the most common phishing subject lines (including general and actual emails) of 2020 were:

  • COVID-19 Remote Work Policy Update

  • Touch base on meeting next week

  • Scheduled Server Maintenance — No Internet Access

  • You have been added to a team in Microsoft Teams

  • Zoom: Scheduled Meeting Error

  • Google Pay: Payment sent

When you take a closer look, you’ll realize that the hackers exploited the relevance of the situation by writing remote-working and COVID-19 related subject lines.

Moreover, these emails use persuasion to trick users into responding immediately with specific words like “urgent” or “immediate”. So always be skeptical of emails demanding an urgent deposit or confidential data.

Finally, if you’re prompted to make an urgent payment, it’s always a good idea to call the concerned person and ask them to verify. A couple of extra minutes spent on verification are always better than the loss of millions.
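As an added illustration (not part of the original post, and not any vendor's product), the following Python script turns the symptoms described above into simple red-flag checks that a mail gateway or security team could run over incoming messages: an executive's display name attached to an outside mailbox, a sender domain that is a near-miss of the company's own, a Reply-To that diverges from the From address, and urgency combined with payment language. The company domain, executive list and sample messages are constructed for the example.

```python
"""Heuristic red-flag checks for targeted phishing (BEC) emails. Added example."""
from email.utils import parseaddr
from typing import Dict, List

# Constructed organisation data for the example (assumption, not a real company).
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox

# Words the post calls out: pressure ("urgent", "immediate") paired with money.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "payment", "bank details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(msg: Dict[str, str]) -> List[str]:
    """Return the red flags raised by a message given as header/body strings."""
    flags: List[str] = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # 1. Executive's display name but a different mailbox: classic CEO fraud.
    if name.strip().lower() in EXECUTIVES and addr != EXECUTIVES[name.strip().lower()]:
        flags.append("display-name impersonation")

    # 2. Domain that is almost, but not exactly, ours.
    if (sender_domain and sender_domain != TRUSTED_DOMAIN
            and levenshtein(sender_domain, TRUSTED_DOMAIN) <= 2):
        flags.append("look-alike domain")

    # 3. Replies routed to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        flags.append("reply-to mismatch")

    # 4. Pressure and money in the same message.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        flags.append("urgent payment language")
    return flags


# Constructed sample messages: one benign, one CEO fraud, one false-invoice attempt.
SAMPLES = {
    "legit": {
        "From": "Jane Doe <jane.doe@example.com>",
        "Subject": "Touch base on meeting next week",
        "Body": "Can we move Thursday's sync to 10am?",
    },
    "ceo_fraud": {
        "From": "Jane Doe <jane.doe.ceo@gmail.com>",
        "Reply-To": "jane.doe.ceo@gmail.com",
        "Subject": "Urgent wire needed today",
        "Body": "I'm in a meeting, please transfer $48,000 to the vendor immediately.",
    },
    "fake_invoice": {
        "From": "Accounts <billing@exarnple.com>",
        "Reply-To": "billing-desk@outlook.com",
        "Subject": "Invoice 2231 - updated bank details",
        "Body": "Please note our bank details have changed; settle the attached invoice by Friday.",
    },
}

if __name__ == "__main__":
    for label, message in SAMPLES.items():
        print(f"{label:13s} -> {analyze(message) or 'no flags'}")
```

The checks are a triage aid, not a verdict: a message with no flags can still be fraudulent, which is why the post's advice to phone the concerned person before releasing an urgent payment still applies.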

Final Takeaway

The threat landscape is constantly evolving, making it more difficult than ever for companies to identify and mitigate risks. While this blog covered the essentials of targeted email phishing along with tips for mitigating it, it's always a good idea to stay abreast of the changes.

Finally, investing in employee training and technology can go a long way in protecting your business from reputational and financial losses.

Learn about our solutions that can help your organization strengthen its security posture, and empower your employees to work safely from anywhere.