Phishing, which involves tricking people into divulging sensitive information online, has been on the rise.
Attackers recently started sending spoofed emails designed to look like they’re coming from LinkedIn. They’re dressed with LinkedIn branding, which fools victims into clicking on links to fake websites where they’re prompted to enter their login credentials. The sites then send them to the real LinkedIn site, disguising the attack altogether.
SMTP Relay Service Attacks: An Overview
Do you know where your emails are coming from? Hackers are making it harder and harder to trust the emails arriving in inboxes every day, particularly because they have found ways to make malicious messages look like they’re coming from innocent—even trusted—sources.
These are called SMTP relay service attacks, and this is how they work:
SMTP, which stands for Simple Mail Transfer Protocol, is a system for transferring email from one server to another through the internet. SMTP servers are often protected with usernames and passwords, but when unprotected, they’re referred to as open SMTP relay servers, and these give attackers a distinct advantage. An open relay doesn’t identify the actual source of an email message, which makes it relatively easy for spammers to send a message that looks like it came from a legitimate source.
Even Gmail Isn’t Immune
According to a recent report, there has been “a massive uptick of these SMTP relay service exploit attacks in the wild, as threat actors use this service to spoof other Gmail tenants.” This means if you or your company uses Gmail, you may be susceptible to these kinds of attacks. Someone could send an email pretending it’s from you, which could be used to trick someone else into providing sensitive information.
Of course, Google won’t just let this slide. It said it will “display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems.”
With or without Google’s help, it’s a good idea to protect yourself from spam and spoofed emails by understanding how they work, their impact, and how to prevent them. Additionally, email users can learn about email fatigue and how to overcome the problem.
How Do Spam and Spoofing Work?
Spam works by sending many unwanted emails to users—often including malware within the content or attachments. Spoofing is another kind of email attack, in which the attacker uses an email address that looks like it belongs to someone within your or a trusted organization.
The success of a spoofing attack is reliant on two things:
- The victim believes the email is indeed from the person it appears to be coming from
- The victim clicks a malicious link or attachment
At that point, the user is either brought to a fake website or malware is installed automatically on their computer. In some situations, spoofed emails are used to trick recipients into divulging sensitive information or sending money.
What Is Phishing and How Does It Affect Business?
Phishing attacks can result in the loss of money, stolen intellectual property, reputational damage, and the disruption of normal operational activities. Even though the intention varies from one phishing email to another (i.e., steal login credentials, install malware, etc.), the end objective is to trick the recipient into doing something that could harm them, someone else, or the business in general.
It’s important to keep in mind that even clicking a single link inside a phishing email can result in extensive damage across the entire organization’s network.
Ways Spam Emails Can Disrupt a Business
Spam emails can impact a business in a number of different ways: malware contained within the email, phishing attacks, unproductive employees, disruption of business services, making the company more vulnerable to attacks, and legal problems.
1. Malware
Spam emails often look like they come from legitimate businesses, prompting unsuspecting employees to click on links or attachments that then download malware that could damage their system or a network it’s connected to. Malware is an umbrella term for malicious software that includes viruses, worms, and ransomware.
Some forms of malware take over your computer’s resources and use them to launch more attacks, while others, like ransomware—which continue to go up in terms of frequency, severity, and ransom payments—can cripple your entire system or network.
2. Phishing Attacks
A phishing attack can result in your business losing money, employees wasting time, and the exfiltration of sensitive data. If, for example, a phishing scam tricks an employee into sending money, the business has to invest time and resources in trying to get the money back as well as figure out what went wrong.
Professionals within the organization’s IT team may have to stop business-critical projects to manage the fallout. Needless to say, the attack hampers productivity, creating opportunity costs on top of the costs directly associated with the theft.
3. Less Productive Employees
Spam forces employees to constantly update their email filters. To reduce instances of phishing, employees often have to update and customize filters to block unwanted emails. While it may only take a few minutes per instance to update filters, with the volume of spam emails being sent across the globe—hundreds of billions annually—continuous updating can consume precious hours over the course of a year, costing the organization in terms of lost productivity.
4. Disruption of Business Services and Increased Vulnerabilities
Spam attacks can put business services on hold, whether they successfully cause a breach or due to the amount of time employees spend trying to prevent them. In some situations, a single attack may be just the beginning. If word gets out that your company succumbed to an attack, cybercriminals may see your company as an easy target.
5. Legal Problems
Even a single spam email can result in legal fees if it causes an employee to share sensitive data. This puts your organization out of compliance. Legal fees, combined with the cost of restoring damaged systems and setting up infrastructure to prevent future attacks, can make it difficult to meet budgetary goals.
Keep in mind that if an attack prompts your organization to make network infrastructure changes, albeit temporarily, you could face legal issues. For instance, if you have to shift sensitive user payment data to a database that doesn’t have satisfactory security, you could slip out of compliance and face penalties.
How Authorities Are Turning the Tables on Phishing Attacks
Fortunately, consumers and business owners aren’t alone in their battles against spam and phishing. The Department of Justice (DOJ) has been targeting phishing attackers and has scored some significant wins. For instance, the DOJ caught and filed charges against a cybercriminal organization that attacked more than 300 universities with a phishing campaign.
The DOJ also caught up with a California man, Sercan Oyuntur, who used phishing attacks to steal $23 million. To execute his scheme, Oyuntur, with the help of fellow conspirators from New Jersey, Germany, and Turkey, targeted an individual in charge of communicating with the Department of Defense regarding payments for jet fuel.
Oyuntur and his conspirators tricked this individual—and others—into inputting login information for government accounts in the fake websites they created. The attackers then used the stolen credentials to make payments to themselves from the government’s accounts. Oyuntur faces the possibility of 30 years in prison for each of the fraud counts he was convicted of.
Protecting Your Business Against Spam and Other Email-Based Threats
Businesses can proactively tackle email spam and other threats through basic measures such as:
- Setting up multiple email addresses, at least one private and one public. Make the private address harder to spam by using a more abstract address—it should not be based on your name and consists of random letters and numbers, for example
- Not responding to spam emails
- Not clicking “unsubscribe” when it’s an option on a spam email. Set a filter instead
- Using antivirus and anti-spam filters
- Always using the most recent version of your web browser
- Continuously applying patches to any software you use in connection with emails, such as Microsoft Office or Adobe Reader
Educate Your Employees About Email Threats
Human error makes employees the weakest link in your cybersecurity chain, but given the right training, they can serve as your strongest defense. Educate them on how to spot spam and spoofed emails, as well as what to do in case they receive one.
Leverage Artificial Intelligence(AI)-Based Tools
A recent study found that spam emails are likely to come from certain geographies and are “more likely to be routed through a higher number of locations than emails that are benign.” To protect against phishing attacks, it’s best to use AI-powered protection.
Prevent Business Disruption from Spam and Spoofed Emails
The effects of spam and spoofed emails on organizations can’t be taken lightly, so take the necessary steps to prevent getting them in the first place. Education is one of the most powerful tools against hackers. When employees know what to look for, they can protect both themselves and your organization.
