Email has been around for decades, but that doesn’t mean it’s safe. Email scams are among the most common types of cybercrime. According to this 2021 report by TrendMicro, 90% of data breaches in 2021 were caused by a phishing email. That makes protecting yourself and your business against cyberattacks a top priority of our time. Understanding some common types of email scams can make it easier to know what you are up against and how you can protect yourself.
In this article, we will therefore be discussing five common types of cyberattacks that are carried out by email. These include phishing, whaling, spear-fishing, spoofing and business email compromises. We will also share our advice on how you can best protect yourself and your organization against these types of attacks.
How do phishing attacks work?
Phishing is a common type of cyberattack. In phishing attempts, hackers will pose as a reliable source in order to trick victims into sending them money or disclosing personal information. An average individual will likely somewhat often encounter phishing emails in their personal inbox. For example, hackers can pose as an e-commerce store or package delivery company and ask you to log in to your account or confirm an order through a link in their email. Actually, what happens then is that you will be redirected to a fraudulent website, through which the hackers will intercept your password or payment information.
What is the difference between phishing and spear-fishing?
Spear-fishing is a type of cyberattack that falls under the umbrella of phishing, but works in slightly different ways. While “regular” phishing emails will mass-target large amounts of people at once, spear-fishing involves hackers trying to attack specific people. Spear-fishing attempts usually target people who perform a particular role within a company that would give hackers access to large amounts of confidential data. This usually takes place within a business environment. In order to create a credible personalized attack, hackers will first gather information about you as a target through internet searches and social media accounts. This makes spear-fishing attempts more difficult to spot than regular phishing emails.
What is the difference between phishing and whaling?
Just like spear-fishing, whaling falls under the general phishing umbrella. Whaling is similar to spear-fishing, in the sense that it concerns a personalized attack. However, whaling attempts differ from spear-fishing because they are specifically targeted to “big fish”: CEO’s, high-level executives and government officials. As whaling attempts are aimed at individuals with a lot of power, hackers will have to use the most advanced social engineering techniques in order to trick their victims.
What is email spoofing?
Spoofing can be considered a cousin of phishing. While phishing emails usually pretend to come from a (fictitious) company or organization, or from a fictitious person, spoofing attempts involve hackers actually posing as someone you know from your company or network. For example, they might try to masquerade as a client or manager you are familiar with. Or as someone from your IT department, who “just” needs you to send them some files with confidential information. Again, the goal here is for hackers to get access to sensitive personal data or payment information.
How does a business email compromise work?
The business email compromise is a particularly dangerous type of email scam. In this tyepe of scam, cybercriminals will try to gain access to a high-ranking executive, tricking them into transfering them money. They may pose as a vendor, a company lawyer or even as the CEO, who urgently needs money transfered to them. As these types of emails don’t contain malicious links or attachments and rely on the executive choosing to make these transactions, they are much harder to catch.
How to recognize these email scams
Always check for the following signs if you receive an email that seems suspicious:
- Check the email address of the sender. Is the email sent from a legit address and domain? Sometimes, this is obvious right away. Many times, however, scammers pretend to be sending emails from a domain that appears to belong to a credible company. However, there will actually be a spelling mistake in the domain name that alerts you that this email cannot be trusted. An email supposedly sent from LinkedIn might actually be sent from “Linkedln”. That’s a small difference that makes all the difference when you spot it.
- Check the company logo. Logos of large companies are almost always trademarked. Scammers might use logos that are slightly different from the original. Look closely: does something look different?
- Check the links within the email. Hover over the hyperlinks in the email with your mouse (don’t click them!). Does the URL you see lead to a credible website or does it lead to an unknown one?
- Check what the company is actually asking from you. Companies will never ask you to give your password or payment information to them through an email. If you are not sure if an email is fraudulent or not, contact the “company” you received an email from in a different way (for example by phone or chat) to verify if the email you received is safe.
Business email compromises are harder to spot. They appear to come from trusted people within your network and don’t contain any links or attachments. If you receive an unexpected email in which someone you “know” asks you to transfer money to them, always check with this person first whether the email is legit or not.
How to protect yourself against email scams
If you receive an email that seems in any way suspicious, don’t click on any of the links and don’t open any of its attachments. Mark the email as spam and delete it from your inbox. If you work in a larger organization, you should also report a potential attack to your security officer.
There are also many tools out there that can help protect you and your organization from email scams. SpamExperts is a recommended spam filter tool. It scans and filters incoming email with a 99.98% accuracy rate, keeping email scams from reaching you. Meanwhile, EasyDMARC is a useful tool when it comes to outgoing email. It protects your outbox, making sure that hackers cannot gain access to it and use your domain to send out fraudulent emails.
Lastly, if you run a small business or are a manager, it is important to make sure that everyone in your team is aware of the importance of security. Teach your employees how to recognize potentially fraudulent emails and what they should do in case a data leak occurs, and facilitate a space for open conversations about security within your workplace. If you want to learn more about this, our article on building a security-friendly culture within your company includes a lot of useful information.