Intelligent CISO Issue 55 | Page 37

FEATURE
The first email phishing attacks were reported in 1995. Almost three decades later, email-based threats are as potent and prevalent as ever. This is due in no small part to their ability to evolve. Email threats have become more sophisticated and stealthier. Attackers are applying Machine Learning to launch credible impersonation attacks and to bypass security detection. They’re introducing new ways to ruthlessly exploit human trust, anxiety and frustration – for example through Multi-Factor Authentication (MFA) spamming – and turning their attention to users of cloud platforms such as Microsoft 365.
The email threats that are hardest to detect
We have identified 13 different types of email threat. The three that are the most challenging for users and security systems to detect are Business Email Compromise (BEC), conversation hijacking and brand impersonation.
Business Email Compromise (BEC)
BEC attacks happen when someone impersonates an individual – often someone in authority – within or connected to an organisation to obtain something of value. Most often these types of attacks are hoping to dupe the victim into handing over money, login credentials, or other sensitive data. According to our research, in 2021, just under one-in-ten (9%) of all email-borne threats were BEC attacks and they were as likely to attack smaller businesses as enterprises.
Such attacks are hard to detect because emails are crafted to look like they come from someone’s personal email account – we found that Gmail accounts were abused most often – and include an urgent request. They want the recipient to think ‘this person is in a rush and they need my help’. Adding an indicator that the message was sent from a mobile device makes it more likely that the recipient will overlook typos or abnormal formatting. Often, individuals don’t know the legitimate personal email addresses of their co-workers or managers, so if the name looks correct in the header and signature, they don’t question it.


Conversation hijacking
This type of attack happens after a bad actor has already gained access to an internal account. They insert themselves into a legitimate conversation thread by spinning up a lookalike domain and effectively remove the compromised party, isolating the email thread to just the hacker and their new victim. Our research shows that in 2021, conversation hijacking grew almost 270%.
Such attacks are hard to detect because the victim has already established a rapport with a legitimate recipient – this might be someone they email on a regular basis, maybe even someone they’ve talked with over the phone or met in person. Sometimes the only clue will be a very subtle difference in the email address and/or domain of the compromised party. If the recipient of the conversation hijacking email is on their mobile device, distracted, or not in the practice of double-checking an email sender’s FROM address, they can easily fall victim to this type of attack.
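The two clues described above (a known colleague's name on a personal address, and a sender domain that differs only subtly from one already in the thread) can be checked mechanically on the FROM header. The following is an added example, not part of the original article; the staff directory, domain lists, sample messages and the edit-distance threshold of 2 are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions, not from the article)
STAFF = {"Dana Reyes": "dana.reyes@example-corp.test"}  # display name -> real address
KNOWN_DOMAINS = {"example-corp.test", "supplier-one.test"}  # existing correspondents
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return a list of warnings for the From header of one message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    # BEC clue: a staff member's name on an address that is not theirs
    real = STAFF.get(name.strip())
    if real and addr.lower() != real:
        kind = "freemail" if domain in FREEMAIL else "external"
        warnings.append(f"display-name-mismatch:{kind}")
    # Conversation hijacking clue: domain close to, but not equal to, a known one
    if domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if edit_distance(domain, known) <= 2:
                warnings.append(f"lookalike-domain:{known}")
    return warnings

# Constructed sample messages
BEC_SAMPLE = ("From: Dana Reyes <dana.reyes.office@gmail.com>\n"
              "Subject: Urgent\n\nSent from my mobile device\n")
HIJACK_SAMPLE = ("From: Sam Ortiz <sam@suppl1er-one.test>\n"
                 "Subject: Re: Invoice\n\nUpdated bank details attached.\n")
LEGIT_SAMPLE = ("From: Sam Ortiz <sam@supplier-one.test>\n"
                "Subject: Re: Invoice\n\nThanks.\n")

if __name__ == "__main__":
    for sample in (BEC_SAMPLE, HIJACK_SAMPLE, LEGIT_SAMPLE):
        print(check_sender(sample))
```

A check like this only covers the header; a message that passes it can still be malicious, so it is best used to add a visible banner or raise a score rather than to allow or block on its own.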
Brand impersonation
There are two types of brand impersonation: Service impersonation and brand hijacking. Service impersonation is when a hacker