
Types of Email Attacks Every Business Should Prepare For

  • 01 April 2021

Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

Email remains the number one tool of business communication. The email network is open to practically anyone—and its flexibility, reliability, and convenience mean it’s not going away any time soon.

But for all its benefits, email can also be a vector for serious cyberattacks. Social engineering attacks like phishing can lead to data breaches, malware attacks, and billions of dollars in losses for businesses worldwide.

This article will explain the major types of email attacks, provide some data on how common they are, and consider the devastating impact that email attacks can have on your business.

Types of email attacks

First, we’ll walk you through some of the most common types of email attacks.

Phishing

Phishing can mean one of two things:

  • An “umbrella term” meaning any social engineering attack that takes place via email.
  • A type of email attack where the attacker sends a lot of malicious emails in an untargeted way.

When we use “phishing” as an umbrella term, it refers to the most common type of email attack. Any malicious email that tries to trick you into clicking a link, opening a file, or taking any other action that causes harm, can be part of a phishing attack. 

All of the other types of email attacks we’ll look at below are forms of phishing, if we use the term in this broad way.

When we use “phishing” as a specific term, it means a “bulk” or “spray and pray” email attack, where the malicious email is sent to many unnamed recipients.

Here’s an example:

This is an example of a phishing email.

What makes this a phishing email?

  • There’s no addressee: It says “Hello,” not “Hello Rob.”
  • The “update account now” button leads to a credential phishing page.
  • Most importantly — Netflix didn’t send it!

Further reading:

⚡  What is Phishing?

Spam vs. Phishing: The Difference Between Spam and Phishing

How Easy is it to Phish?

How to Avoid Falling For a Phishing Attack | 6 Useful Tips

Spear phishing

Spear phishing is an email attack targeting a specific individual. So, whereas bulk phishing uses a net — sending emails to as many potential victims as possible — spear phishing uses a spear to target one specific victim.

Again, spear phishing can also be an umbrella term, in that there are lots of different types of spear phishing attacks. Some of the examples below, including Business Email Compromise (BEC) and CEO fraud, are almost always spear phishing attacks.

Why? Because whenever a phishing attack targets a specific individual, it’s a spear phishing attack.

Here’s an example:

This is an example of a spear phishing email.

What makes this a spear phishing email?

  • It targets a specific person.
  • The “click here” link leads to a credential phishing website.
  • Most importantly — you guessed it — DHL didn’t send it!

Further reading:

⚡  What is Spear Phishing?

What’s the Difference Between Phishing and Spear Phishing?

Spear Phishing: Screenshots of Real Email Attacks

Business Email Compromise (BEC)

Business Email Compromise (BEC) is any phishing attack where the attacker uses a hacked, spoofed, or impersonated corporate email address.

In the sense that the attacker is impersonating a business, the Netflix and DHL examples above are both BEC attacks. But we normally use “BEC” to refer to a more sophisticated form of email attack.

For example, one of the biggest cyberattacks of all time is an example of BEC. Between 2013 and 2015, Lithuanian fraudster Evaldas Rimasauskas, operating through a company he had registered in Latvia under the name of a real hardware supplier, scammed Facebook and Google out of around $121 million by impersonating that supplier and sending fake invoices via email.

Further reading:

⚡ What is Business Email Compromise (BEC)?

⚡  5 Real Examples of Business Email Compromise

CEO fraud

In a CEO fraud attack, the attacker impersonates a company executive and targets a less senior employee.

Here’s an example:

This is an example of CEO Fraud.

What makes this a CEO fraud attack?

  • The sender’s email address impersonates a real company executive. The method here is a lookalike (typosquatted) domain, “microsott.com” in place of “microsoft.com”, registered by the attacker; because the attacker controls that domain, the email can pass SPF and DKIM checks. Other methods, such as spoofing the real domain or putting the executive’s name on a free webmail address, are also common.
  • The sender (“Leon”) puts a lot of pressure on the recipient (Tess). Stressed people make poor decisions.
  • The attack involves wire transfer fraud. While not all CEO fraud attacks involve wire transfer fraud, this is a very common tactic.
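As an added illustration of the impersonation methods named above (a lookalike domain, spoofing of the real domain, and an executive’s display name on an unrelated address), the following Python classifier applies one check for each to the From header and the gateway’s Authentication-Results header. It is example code written for this article, not Tessian’s product or detection logic; the protected-domain list, the executive directory, the Authentication-Results values and the four sample messages are all constructed assumptions.

```python
"""Added example: classify the sender of an inbound email as a lookalike-domain,
spoofed-domain, or display-name impersonation. Written for this article, not
Tessian code. Domains, directory and sample messages are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed: domains this organisation treats as its own or as trusted partners.
PROTECTED_DOMAINS = {"microsoft.com", "dhl.com", "netflix.com"}
# Assumed (hypothetical) executive directory: normalised display name -> real address.
EXECUTIVES = {"leon": "leon@microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, protected: str) -> bool:
    """True if `domain` resembles, but is not, `protected`.
    Short brand domains tolerate only one edit to limit false positives."""
    if domain == protected:
        return False
    threshold = 1 if len(protected) <= 8 else 2
    if edit_distance(domain, protected) <= threshold:
        return True
    # microsoft.com.evil.net or microsoft.com-login.net embed the brand; a real
    # subdomain such as mail.microsoft.com ends with ".microsoft.com" and is allowed.
    return protected in domain and not domain.endswith("." + protected)


def aligned_pass(auth: str, domain: str) -> bool:
    """DMARC-style alignment: SPF or DKIM must pass for the From domain itself.
    A dkim=pass for the attacker's own domain does not authenticate a spoofed From."""
    spf = re.search(r"spf=pass[^;]*smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", auth)
    dkim = re.search(r"dkim=pass[^;]*header\.d=([^;\s]+)", auth)
    return any(m and m.group(1).lower() == domain for m in (spf, dkim))


def classify_sender(raw_message: str) -> list:
    """Return the impersonation indicators found for the From header.
    Assumes the inbound gateway stamps a trustworthy Authentication-Results
    header (RFC 8601) and strips any copy supplied by the sender."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    auth = str(msg["Authentication-Results"] or "").lower()
    findings = []

    # 1. Lookalike domain: the attacker registered it, so SPF/DKIM usually pass.
    for protected in sorted(PROTECTED_DOMAINS):
        if is_lookalike(domain, protected):
            findings.append(f"lookalike_domain:{domain}~{protected}")

    # 2. Spoofed domain: the exact protected domain without aligned authentication.
    if domain in PROTECTED_DOMAINS and not aligned_pass(auth, domain):
        findings.append(f"spoofed_domain:{domain}")

    # 3. Display-name impersonation: a known executive's name on another address.
    name_key = " ".join(display_name.lower().split())
    expected = EXECUTIVES.get(name_key)
    if expected and addr.lower() != expected:
        findings.append(f"display_name_impersonation:{name_key}->{addr.lower()}")

    return findings


# Constructed sample messages (not real mail), one per method discussed above.
LOOKALIKE = """\
From: Leon <leon@microsott.com>
To: tess@microsoft.com
Subject: Urgent wire transfer
Authentication-Results: mx.example; spf=pass smtp.mailfrom=microsott.com; dkim=pass header.d=microsott.com

Tess, I need this paid before close of business today. Don't call, I'm in meetings.
"""
SPOOFED = """\
From: Leon <leon@microsoft.com>
To: tess@microsoft.com
Subject: Urgent wire transfer
Authentication-Results: mx.example; spf=fail smtp.mailfrom=microsoft.com; dkim=none

Tess, please process the attached invoice today.
"""
FREEMAIL = """\
From: Leon <leon.ceo.office@gmail.com>
To: tess@microsoft.com
Subject: Quick favour
Authentication-Results: mx.example; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com

Are you at your desk? I need gift cards bought for a client.
"""
LEGIT = """\
From: Leon <leon@microsoft.com>
To: tess@microsoft.com
Subject: Board pack
Authentication-Results: mx.example; spf=pass smtp.mailfrom=microsoft.com; dkim=pass header.d=microsoft.com

Thanks for the draft, see you at 3.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                          ("freemail", FREEMAIL), ("legit", LEGIT)]:
        print(label, classify_sender(sample))
```

The point the three checks make together: authentication (SPF, DKIM, DMARC alignment) only catches the spoofed case, because a lookalike domain and a free webmail account are genuinely the attacker’s to authenticate. The other two methods need knowledge of which brands and which people are worth protecting, and the Authentication-Results header is only usable as evidence if your own gateway writes it and discards any copy that arrived with the message.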

Further reading:

⚡  What is CEO Fraud?

CEO Fraud Prevention: 3 Effective Solutions

How common are email attacks?

Email attacks are on the rise, and are now extremely common.

  • According to the FBI’s Internet Crime Complaint Center (IC3), phishing incidents more than doubled from 2019 to 2020, costing victims over $54 million in direct losses.
  • Verizon says 22% of breaches in 2019 involved phishing.
  • Around 75% of organizations around the world experienced some kind of phishing attack in 2020.

Want more data on phishing and other email attacks? See our article Phishing Statistics (Updated 2021).

Consequences of email attacks

What are the main consequences of email attacks on businesses and their customers?

  • Data breaches: Attackers use techniques such as credential phishing to gain access to your customers’ personal information and exfiltrate it. Data breaches can attract investigations, regulatory fines, and class-action lawsuits. IBM estimates that the average data breach costs a business $3.86 million.
  • Malware: Some email attacks aim to deposit a malicious payload on the recipient’s device. This payload is normally some form of malware, for example:
    • A virus or worm, which can spread to other devices on your network
    • Spyware, which can log your keystrokes and online activity
    • Ransomware, which encrypts your valuable data and demands you pay a ransom to get it back.
  • Wire transfer fraud: Spear phishing attacks—particularly if they involve BEC or CEO fraud—often attempt to persuade the target into transferring funds into a bank account controlled by the attacker. And it really works—that’s why the FBI calls BEC “the $26 billion scam.”