Top Email Security Hacks to Avoid in 2023 – Part II
Top Email Security Hacks to Avoid in 2023, Part I, we described four major email security hacks.
- Simple use of malicious URLs or executable code in the body of the email.
- Sharp rise in the use of HTML and PDF attachments that SEGs do not block.
- Cybercriminals use indirect and multi-step methods to lure in the end user, making the experience more natural.
- Expect more “personalized” phishing attempts. –> [Read the Article]
This blog outlines the following four new and most effective email hacks you can expect to see in 2023.
5. Fake Voicemail Alerts — another common type of personalized phishing attempt.
Faking voicemail email alerts is popular because, with so many different voicemail and transcription services available on the market, it’s harder to distinguish real from fake. Even legitimate notifications tend to be fake. As before, the malicious payload is pushed into an attachment, so most email protection systems will largely ignore it.
6. No-text emails can slip through the Secure Email Gateway (SEG).
To the recipient, these phishing emails might appear standard, but in reality, the entire body of the email is an image. That’s right – in a simple yet clever attempt to get through Secure Email Gateways (SEGs), black hats are attaching a screenshot of their phishing message to an empty email. Most email clients will display the image file directly to the recipient rather than delivering a blank email with an image attached. As a result, what’s shown looks like a regular email.
In most cases, the recipient is aware of an expensive phony charge or fake issue. They are instructed to call a phone number to dispute the purchase or resolve the problem. Then, once recipients call the phone number, an operative will try to extract valuable information from them.
7. Phishers are now taking over cloud infrastructure to send emails, adding additional steps to look more legitimate.
Attackers can then send emails on behalf of someone in their system, hiding behind another layer of authentication.
In this example, phishers hijacked a legitimate mailing list to send phishing emails that impersonated the United States Supreme Court.
The message was a fake Notice of Summons, threatening arrest if the recipient didn’t appear in court. Victims were asked to click a big orange “ATTACHED FILE” button to view or print their petition letter.
8. Hackers use legitimate cloud services like Google forms to temp you to click.
Many email hackers have taken to the cloud, using legitimate survey options on Google Forms. They include wording that appears to have been taken from a previous communication to help make the email hack look legitimate. Ultimately, however, this combines brand impersonation and exploiting cloud services (like Google Forms) to harvest the user’s credentials.
Why does this work?
Many email recipients are familiar with messages from government agencies. Even though we’re dealing with brand impersonation, that familiar feeling is one reason posing as the SBA (in this case) works. These cybercriminals also set this scam up to have more than one step so that it would feel more authentic. Finally, to help seal the deal, phishers used a legitimate Google Forms survey to harvest credentials – another familiar element.
Want to secure and protect your email from hackers?
Blue Fox Group can help. In addition to advanced email security monitoring and protection, we provide the following services:
- Review of your security posture and gaps
- Review any regulatory compliance activity and requirements
- Determine how to store and safeguard large amounts of sensitive data through Detection & Response and Encrypted backup services.
- Build a Remote Employee Security Checklist
- Implement Multi-factor Authentication & Phishing Security 3.0
