If organizations thought that cyber criminals have mainly moved on from email exploits to other more lucrative points of attack, they are, unfortunately, mistaken. In fact, email exploits remain a significant contribution to account takeover attacks. This article will discuss some of the stats surrounding email attacks, and ways in which cyber hackers like to exploit email users, and it will also outline some steps organizations can take to combat this persistent security threat.

Stats 

When hackers do attack email accounts, 78% of them do so without the help of any applications outside of email. This overwhelming percentage shows that the use of email alone remains a powerful potential source of unwanted cyber-attacks. Another interesting statistic centers around the length of time that hackers stay undetected while exploiting an email account(s). Researchers show that data thieves were able to linger undetected for an entire week on over one-third of all hacked email accounts. For organizations working with confidential data, this is particularly disturbing, as a week’s worth of email correspondence is often significant.

Other email hacking attempt stats include:

• 31% of email hackers focus solely on compromising email accounts.
• 20% of single email attacks affect other email accounts, including personal accounts. 

 If one thinks it is comforting to learn that only 31% of hackers are interested in gaining access to an email account and assume that’s the end of their exploit, it is a false assumption. While the stats show that some hackers only focus on gaining access to the accounts, their next step often involves selling the information they observed to other cyber criminals, who then use the data for blackmail or other criminal purposes. Of course, the other stat which shows that 20% of successful email exploits also involve the exploitation of multiple user accounts, meaning hackers are gaining access to a password for one account and are able to use that same password to exploit multiple accounts.

How They Do It

We’ve already learned that it’s not uncommon for hackers to gain access to multiple accounts, merely by trying to re-use an employee’s password.  Some hackers will research a company to find details about employees who hold significant positions within the organization. They then impersonate a person in power by sending an email to a first-line employee, who in turn gives up confidential corporate information, since they assume they’re interacting with a corporate representative in a position of significant responsibility. 

Hackers may also do online research, looking for clues about a company such as what clients they serve and/or what vendors with which they interact. They then use this information to impersonate employees from these companies and send spear-phishing emails to key members within a targeted organization.

Data thieves may also employ brand impersonation tactics throughout an email and send it to unsuspecting employees. When employees open up the email it looks like it is from a trusted source such as Microsoft, Apple, or Google. The body of the email may state the employee needs to reset their password with a specific company, only to steal the employee’s “new password” after they click on the reset link.

How to Combat Cyber Criminals

Certainly, training staff members on how to spot phishing and other hacking attempts should be part of every organization’s strategy to combat exploits. Computer security specialists have multiple tools at their disposal to help them with early detection and mitigation of compromised emails. Computer security professionals also use software apps that include forensic tools, advanced detection techniques, and incident-response resolutions.

Summary

If the idea of trying to ward off data thieves and hackers seems daunting, there is help available. Third-party computer security specialists are thoroughly trained in providing comprehensive security packages for all sizes and types of organizations. If you would like to know more about how to develop a complete strategy to thwart security exploits, including how to effectively secure an organization’s email accounts, please contact us.