Email is one of the most used communication methods in the world. It is amazing to me that in the 25 years of my use of email, it is still one of the most vulnerable methods that bad actors have to compromise you or your business. Hackers can easily access email accounts and use them for spamming, phishing, or other malicious activities. In this 2-part series, I will discuss some of the most common ways attackers use to compromise email systems (Part 1) in 2023 and then tactics that you can use to protect your email ecosystem from hackers (Part 2). While these tips aren’t revelational or methods new, I find that we sometime need to be reminded of the basic things. Let’s first talk about five of the most common ways email systems are compromised.

Common Email System Compromises

1. Phishing Attacks:
   • It is estimated that 90% of successful cyber-attacks start with email phishing, which continues to be very lucrative for attackers. Hackers often use deceptive emails that mimic legitimate sources to trick users into revealing sensitive information, such as login credentials. These emails may contain malicious links or attachments. (ref. https://blog.cloudflare.com/2023-phishing-report/)
2. Credential Stuffing:
   • A low cost, low risk type of cyberattack, credential stuffing relies on automation – typically via bots – to test hundreds of thousands of username-password pairs against new targets. What makes credential stuffing possible, however, is users’ habit of reusing the same password across multiple online services. Cybercriminals leverage lists of stolen usernames and passwords (usually obtained from previous data breaches) to gain unauthorized access to email accounts. This happens to large and small organizations. In March 2023, Chick-fil-A reported that over 71k accounts were affected in this type of attack (ref. https://www.securityweek.com/over-71k-impacted-by-credential-stuffing-attacks-on-chick-fil-a-accounts/). United HealthCare reported almost 400k accounts were affected through two separate attacks this year. (ref. https://www.hipaajournal.com/credential-stuffing-attack-exposed-united-healthcare-member-data/)
3. Business Email Compromise (BEC):
   • In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request. Hackers target employees with access to financial transactions, posing as company executives or suppliers to trick them into making fraudulent wire transfers or disclosing sensitive information. BEC is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional. (ref. https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise)
4. Malware and Ransomware:
   • Malicious attachments or links in emails can infect systems with malware or ransomware, allowing hackers to encrypt data or control systems until a ransom is paid. This attack is detrimental to a business, not only in lost business, but also in reputation. It does not matter your size; all businesses are vulnerable. See the list of companies this year and some major ransomware attacks from last year here: https://heimdalsecurity.com/blog/companies-affected-by-ransomware
5. Man-in-the-Middle (MitM) Attacks:
   • A man-in-the-middle (MitM) attack is a hacker’s attempt to steal information by inserting themselves between victims and their legitimate, expected destination. Hackers intercept email communications between parties, eavesdrop on sensitive information, or manipulate email content without the knowledge of the sender or recipient. It is on the rise and given Microsoft’s recent compromise in Azure, could be even more prevalent than previously thought. (ref. https://securityboulevard.com/2023/05/man-in-the-middle-mitm-attacks-reaching-inboxes-increase-35-since-2022/ , https://www.darkreading.com/cloud/microsoft-365-breach-risk-widens-millions-of-azure-ad-apps )

These examples are just as prevalent today as they have been in years past and with it being so lucrative and easy to do, it is crucial for you to make sure your security is strong and your employees educated to help protect your company from bad actors. Look out for Part 2, coming Friday, for ways you can start protecting your systems.