Phishing and its impact on legitimate senders

Phishing and Business Email Compromise

Business email compromise is a cyberattack that is designed to gain access to critical business information or extract money through email-based fraud.

Cybercriminals send email that appears as though it’s coming from a member of your trusted network – someone in an important position at work, such as your manager, the CFO or the CEO, a business partner, or someone that you otherwise trust. These emails are an attempt to convince you to reveal critical business or financial information or process a payment request that you would never have done otherwise.

In many cases, this attack can also involve an attempt to compromise your email account through a credential phishing email. Once the account is compromised, the criminals use the unlawful access to obtain information about trusted contacts, exfiltrate sensitive information, attempt to redirect bank payments, or use the account to further support or facilitate more cybercrime.

Phishing and its impact on legitimate senders 

With news about data breaches and ransomware attacks hitting the headlines daily, cybersecurity continues to be in the spotlight. Phishing is THE most common attack vector used by cyber criminals, so as an email communicator you need to understand how to protect yourself and your organisation from phishing attacks, and also the impact that phishing and spam mitigation measures might have on your legitimate campaigns.

Types of phishing

Phishing has different forms. Here are the most common forms, according to Norton security:

(Image: 5 common types of phishing)

For the purpose of this article, we are using the term in a broad sense to encompass all socially engineered email attacks, regardless of the specific malicious intent (which could include directing to a dangerous website, distributing malware, collecting credentials and so on).

Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they are to find a victim who will open them.)

We talk to Jeremy Rogers from SEROCU (The South East Regional Organised Crime Unit) about phishing and how significant its impact is as part of organised crime operations and how to protect yourself and recognise a potential attack.

(Video: interview with Jeremy Rogers, SEROCU, on phishing)

The impact of the pandemic

With hybrid and remote working on the rise, employers relying on digital means to keep employees connected and collaborative, and the collective consciousness focused on the threat and urgency of all things COVID related, malicious senders had a topic that was more effective than ever: a theme that resonated almost universally with an audience that was, in many cases, feeling burnt out, emotionally drained and distracted, according to the Society for Human Resource Management in their paper ‘Ongoing Pandemic takes toll on workers’ mental health’, published in August ’21.

In Proofpoint’s 2022 State of the Phish report, they talk about attackers ‘cashing in on COVID’.

‘Coronavirus-related email lures now represent the greatest collection of attack types united by a single theme that the Proofpoint Threat Research and Detection team has seen in years, if not ever. We’ve observed credential phishing, malicious attachments, malicious links, business email compromise (BEC), fake landing pages, downloaders, spam, and malware, among others, all leveraging coronavirus lures.’

According to Proofpoint, in 2020, 57% of organisations globally experienced a successful phishing attack.

Spotting Phishing

Cyber threats continue to evolve and exploit end users, and with remote and hybrid working on the rise, no industry or company size is out of reach.

By empowering you to identify and report suspicious attacks, you become part of the first line of defence.

More information on the following advice can be found on the NCSC website.

How to spot a phishing email (or text)

Scammers try to quickly gain your trust. They aim to pressure you into acting without thinking.

If a message or call makes you suspicious, stop and consider the language it uses. Scams often feature one or more of these tell-tale signs.

Authority

Is the message claiming to be from someone official? For example, your bank, your ISP (e.g., Microsoft), doctor, a solicitor, or a government department (e.g., HMRC). Criminals often pretend to be important people or organisations to trick you into doing what they want. Check the sending email address – are there any anomalies in the address?

Urgency

Are you told you have a limited time to respond (such as ‘within 24 hours’ or ‘immediately’)? Criminals often threaten you with fines or other negative consequences if you don’t act quickly.

Emotion

Does the message make you panic, fearful, hopeful, or curious? Criminals often use threatening language, make false claims of support, or tease you into wanting to find out more.

Scarcity

Is the message offering something in short supply, like concert tickets, money, or a cure for medical conditions (as seen during the pandemic)? Fear of missing out on a good deal or opportunity can make you respond quickly.

Current events

Are you expecting to see a message like this? Criminals often exploit current news stories, big events, or specific times of year (like tax reporting) to make their scam seem more relevant to you.
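As an added illustration (not from the original article and not e-shot’s code), here is a small Python checker that applies the signs above to an incoming message: it flags a claimed authority whose sending address is not one that body is expected to use, a Reply-To that routes replies to a different domain, and urgency, threat and sensitive-data wording. The KNOWN_SENDERS allowlist, the keyword lists and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real phishing email) showing the signs above:
# claimed authority, urgency, a threat, and a look-alike sending address.
SAMPLE_MESSAGE = """\
From: HMRC Tax Refunds <refunds@hmrc-gov-uk.example>
Reply-To: claims@another-domain.example
Subject: Immediate action required: refund expires within 24 hours

Dear customer, your tax refund is ready. You must confirm your bank details
immediately or the payment will be cancelled and a fine applied.
"""

# Constructed allowlist of domains each claimed authority is expected to
# send from; an organisation would maintain its own list.
KNOWN_SENDERS = {"hmrc": {"hmrc.gov.uk"}, "microsoft": {"microsoft.com"}}
URGENCY = ("immediately", "within 24 hours", "urgent", "expires", "act now")
THREAT = ("fine", "suspended", "cancelled", "legal action")
SENSITIVE = ("bank details", "password", "security credentials")

def analyse(raw: str) -> dict:
    """Return the tell-tale signs found in an RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg.get('Subject', '')} {body}".lower()
    findings = {}
    # Authority: the display name invokes an official body; flag the
    # sending address if it is not one that body is known to use.
    for name, domains in KNOWN_SENDERS.items():
        if name in display.lower():
            findings["authority"] = name
            if not any(from_domain == d or from_domain.endswith("." + d) for d in domains):
                findings["address_anomaly"] = from_domain
    # Replies quietly routed to a domain other than the sender's.
    if reply_domain and reply_domain != from_domain:
        findings["reply_to_mismatch"] = reply_domain
    if any(k in text for k in URGENCY):
        findings["urgency"] = True
    if any(k in text for k in THREAT):
        findings["emotion_threat"] = True
    if any(k in text for k in SENSITIVE):
        findings["asks_for_sensitive_data"] = True
    findings["score"] = len(findings)  # number of signs present
    return findings
```

The keyword lists are deliberately simple substring matches, so a real deployment would tune them to its own mail and treat the score as a prompt for a human to stop and check, not as a verdict.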

How can we help you?

If you are an e-shot customer, we have built a template that includes this advice that you can easily forward to your team – take a look at it in more detail in the template showcase or find it in the template library.

What this means for genuine senders

The bulk nature of the sending patterns and the increased level of media attention on email security, cyber attackers and COVID related ‘scams’ are changing the email landscape for legitimate email communicators.

Your audience is more informed, more sceptical, and generally more aware. Cyber security software continually attempts to counter the increased sophistication of email threats. No one would deny that these measures are necessary and that caution from recipients is sensible, but both can have a significant impact on engagement and deliverability for genuine senders.

The universal advice from cyber security professionals is ‘if you don’t trust it, don’t open it’. In our article Building a relationship with your audience we look in detail at the following elements:

Requested

Whilst it remains legally acceptable to send communications to data lists acquired from reputable permission-based suppliers, the success of these campaigns – to a cold audience – will continue to decline significantly.

The consent of your recipient to receive communications from you, and initial engagement with a double opt-in email and welcome campaign teach their inbox that they are interested in your emails. Their engagement helps build your reputation with ISPs and security software as a genuine sender (assuming that your authentication is also in order – find out more about that in SPF, DKIM and DMARC demystified).

Providing a preference centre further allows your audience members to control the emails they receive and ensures that those emails are…

Relevant

An audience that has requested information on the topics or themes they are interested in is more likely to engage when your emails arrive.

Triggered automation is another great way to ensure that an email is sent at the point the recipient would expect to see it, when it is relevant to them.

Recognised

If a recipient has requested an email from you, they will recognise you. Build on that by ensuring that your communications are consistent, for example by using the same from name every time. Who the email is from is one of the key determining factors in whether someone opens the message – make sure they recognise you, and make it easy for them to identify your emails. For more information take a look at our from name help article, where we also talk about dynamic from names (so the email can appear to come from a key contact, e.g., their account manager or key worker).

Regular

Cyber criminals tend to work in bursts: one-off large sends that are sporadic and inconsistent in terms of numbers and timings. By maintaining a consistent sending pattern, e.g., monthly newsletters, ISPs get used to seeing your mail, and this can have a positive impact on your reputation as well.

For more information and advice on building the processes and practices that ensure your email communications both reach your recipients’ inbox and get engagement, have a look at our ‘Why do my emails go into spam’ article.


If you are an official body, or the type of organisation that is likely to have its brand and comms copied as part of a phishing attack, there is no harm in setting out your stall from the off with any new subscribers. We have developed a template that you can use as a basis to confirm the key things that you will never do in your emails (e.g., ask for personal information or security credentials) and the things that you will do (e.g., always personalise with firstname and never use the email address as a personalisation field). Take a look at the template showcase for our ‘We will never:’ email or view it in the template library.


Email marketing healthcheck

We are confident that we can help you, which is why we offer a free healthcheck to identify potential issues with your current programme and free advice on things that could be done to improve it.
