David Papp Blog

How Email Attacks Have Evolved In 2021

Email attacks have been costly this year, more than you might imagine. Hundreds of thousands of dollars have been lost, and some of these events have harmed people on an emotional level as well.

Compared to ransomware and other high-profile hacks, email attacks don’t often get a lot of attention. The reason for this is that these attacks are simple. Instead of having to develop malware and infect systems, these attackers send an email, usually mimicking a coworker’s email account. They then con their victims into wiring money.

The problem we’re facing now is that the people performing these email attacks are “growing up”: they’ve become more sophisticated and use different techniques. We can already see this, as these attacks (categorized as Business Email Compromise, or BEC, attacks) increased in 2020 from $48,000 in the third quarter to $75,000 in the fourth.

BEC Attacks During COVID-19

With the pandemic, a lot of how we do business has changed. We’ve opted for working remotely, for instance. However, that changes the security front too. Because everyone is working remotely, things like email security are higher on the list, since people may not rely on their business email and instead use a personal account.

With BEC rising little by little, scammers are realizing it’s just easier to get someone to click on a piece of ransomware or to agree to something without asking.

Scammers are in a situation now where they can mimic an employee or a manager and target the CEO or CFO of a company by sending them a simple email like “Hey, can you wire something for me?” and having their target agree.

This also shows the low barrier to entry for these types of attacks. Yes, more sophisticated attacks can occur, but sophistication isn’t a huge requirement on the part of a cybercriminal.

Common Email Attack Lures

The pandemic has also given rise to more themes in attacks. For example, Cosmic Lynx, a cybercriminal group working out of Russia, has used vaccines as a means of building a rapport with businesses before asking for money.

They use a typical romance scam, which has been getting so much traction lately because these attacks can play on people’s fears. It’s easy for these attackers to send emails like “I need to go ahead and do this, or I’m gonna get fired,” which plays on the urgency of things.

In the case of Cosmic Lynx, they’re using legal and law firms as part of their lures. These businesses add a layer of confidentiality to the request. It makes it easier for people to follow the “don’t tell anyone about this” directive.
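The lure traits described above (a coworker's name on the email, a wire request, urgency, the “don’t tell anyone” directive, a law-firm pretext) can be turned into a simple mail-screening check. This is an added example, not code from the original post; the domain, staff names, keyword patterns, and hold rule are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's mail domain and staff list.
ORG_DOMAIN = "example.com"
STAFF_NAMES = {"dana reyes", "sam okafor"}

# Lure themes the article names, as illustrative (not exhaustive) patterns.
LURES = {
    "payment_request": r"\b(wire|transfer|payment|invoice)\b",
    "urgency": r"\b(urgent|right away|asap|today|get fired)\b",
    "secrecy": r"\b(confidential|don['’]?t tell anyone)\b",
    "legal_pretext": r"\b(law firm|attorney|legal counsel)\b",
}

# Constructed sample messages (not real mail).
BEC_SAMPLE = '''From: "Dana Reyes" <dana.reyes@mail-example.net>
To: cfo@example.com
Subject: Confidential acquisition

Hey, can you wire something for me today? Our law firm is handling it,
so don't tell anyone about this yet.
'''
LEGIT_SAMPLE = '''From: "Sam Okafor" <sam.okafor@example.com>
To: cfo@example.com
Subject: March invoice

Attached is the March invoice for the usual vendor. No rush.
'''

def bec_signals(raw):
    """Return the lure signals found in a single-part plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    signals = []
    # A staff member's display name on an address outside the org domain.
    outside = addr.rpartition("@")[2].lower() != ORG_DOMAIN
    if name.strip().lower() in STAFF_NAMES and outside:
        signals.append("display_name_impersonation")
    text = f'{msg.get("Subject", "")} {msg.get_payload()}'.lower()
    signals += [k for k, pat in LURES.items() if re.search(pat, text)]
    return signals

def should_hold(raw):
    """Hold a payment request that comes with impersonation or 2+ pressure cues."""
    s = bec_signals(raw)
    pressure = len({"urgency", "secrecy", "legal_pretext"} & set(s))
    return "payment_request" in s and ("display_name_impersonation" in s or pressure >= 2)
```

A held message would then go to out-of-band verification with the named sender before any money moves; a payment keyword alone, as in the second sample, does not trigger a hold.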

Money Wire Transfers from BEC Attacks Are on the Rise

Outside of the activities of Cosmic Lynx, these attacks are growing little by little, due in part to cybercriminals learning what they can get away with. In the past, BEC attacks were small, with attackers asking for $10,000 here or $5,000 at another time.

In terms of the BEC threat landscape, the amounts were much smaller. Part of that was attackers testing the waters to see how successful they could become through this.

As time went on, they figured out they could do more damage, especially once more data was gathered. For example, IC3, the Internet Crime Complaint Center, released numbers on the costs of these attacks. Going back to 2019, IC3 stated that BEC was responsible for over $26 billion in losses.

These weren’t just attempts; these were actual dollar amounts, and a victim was tied to the losses. What’s worse, those numbers don’t consider things like romance scams, check fraud, gift card fraud, or any of those types of scams.

Now that these attackers know they can get away with more, these attacks are bound to occur more frequently, as they are only in their infancy at the moment.

How To Better Protect Yourself Against BEC Attacks

What is going to help us protect ourselves against these attacks moving forward is understanding how this system works. This will be helpful because, in the past, we’ve dismissed these kinds of attacks.

It’s easy to say don’t respond to these emails and delete them. However, when you look deeper at these attacks, you begin to realize something: the bank account those emails direct you towards belongs to either a romance scam victim or a money mule for the actor.

What’s also worth noting is that these types of scammers don’t just rely on BEC attacks. They also launder money, forge documents, and commit check fraud, unemployment fraud, and many other things.

These activities often pass through that same information, creating common connections that can be tracked down.