Emails are the most widely used method of communication within a company. They also happen to be the favoured method of starting a cyberattack. A total of 91 per cent of cyberattacks in companies start with an email. Almost all of these attacks via email require the recipient to actively open an attachment, click a link or transfer money.
These malicious emails can be divided into two categories: those with malware and those without malware.
A total of 10 per cent of email attacks contain malware. These attacks usually come in the form of an email with an infected attachment, which can be any file type. If the recipient opens the attachment, the computer is infected. Ransomware can take down a company’s entire IT network by encrypting all of the infected computers. The hackers then demand a large ransom payment to decrypt the computers.
Emails without malware are much more common, making up around 90 per cent of all attacks. For these attacks, the cybercriminals use a fake identity in order to obtain company information or data. Phishing attacks, where the victim is tricked into entering sensitive information (such as their password) on a fake website, are quite common. Once the hacker has obtained the password, they try using it on various different online services. This is why it is critical that you never use the same password for several different websites. A better option is a password vault that generates individual passwords.
One example of an email attack without malware that has caused significant losses in recent years is CEO fraud. According to an FBI report, cybercriminals generated over USD 26 billion (CHF 25 million) through CEO fraud from 2016 to 2019. CEO fraud attacks involve hackers impersonating a company CEO and asking employees to make financial transactions or send confidential documents. The hackers hope that the employees won’t sufficiently verify the authenticity of the request due to stress and pressure from managers. In most cases, the money transferred is permanently lost, as it is immediately siphoned off to a number of different accounts after the initial transfer. This means the money cannot be traced quickly enough, so the transaction cannot be reversed.
How can companies and their employees ensure that this doesn’t happen with the huge number of emails they receive every day? New attack methods emerge on a regular basis. IT security departments need time to adapt their company security systems to each new type of attack and ensure that the emails don’t make their way into the inboxes of the employees. This is why employees should check the spelling of the sender’s address and refrain from clicking on any links or attachments. If the sender of the suspicious email appears to be a line manager or colleague, it is essential to call that person to verify that they did actually send the email. “In these situations, corporate culture makes a huge difference. Employees shouldn’t hesitate to double-check or report suspected cases to the IT helpdesk,” says Marc Etienne Cortesi, Chief Information Security Officer at Baloise. The IT team can only make the necessary changes to the security systems if they are informed about the emails.
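The sender-address spelling check recommended above can also be run automatically on reported or incoming mail. The following is an added example, not part of the original article; the company domain, the executive name and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions for illustration only: replace with the real domain and names.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return warnings for a From header value (empty list = nothing flagged).

    This only checks spelling and display name. A correctly spelled internal
    address can still be forged, so it does not replace SPF/DKIM/DMARC checks
    or a call-back to the apparent sender.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == COMPANY_DOMAIN:
        return []
    warnings = []
    # One or two characters off the company domain: likely a lookalike.
    if edit_distance(domain, COMPANY_DOMAIN) <= 2:
        warnings.append("lookalike domain")
    # Display name of an executive, but the mail comes from outside.
    if name.strip().lower() in EXECUTIVES:
        warnings.append("executive name from external domain")
    return warnings

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe@examp1e-corp.com>",
    "Jane Doe <ceo.office@freemail.example>",
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "ok")
```
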