Email attacks have moved past standard phishing and become more targeted over the years. In this article, I will focus on email impersonation attacks, outline why they are dangerous, and provide some tips to help individuals and organizations reduce their risk exposure to impersonation attacks.
What are email impersonation attacks?
Email impersonation attacks are malicious emails where scammers pretend to be a trusted entity to steal money and sensitive information from victims. The trusted entity being impersonated could be anyone – your boss, your colleague, a vendor, or a consumer brand you get automated emails from.
Email impersonation attacks are tough to catch and worryingly effective because we tend to take quick action on emails from known entities. Scammers use impersonation in concert with other techniques to defraud organizations and steal account credentials, sometimes without victims realizing their fate for days after the fraud.
Fortunately, we can all follow some security hygiene best practices to reduce the risk of email impersonation attacks.
Tip #1 – Look out for social engineering cues
Email impersonation attacks are often crafted with language that induces a sense of urgency or fear in victims, coercing them into taking the action the email wants them to take. Not every email that makes us feel these emotions will be an impersonation attack, of course, but it’s an important factor to keep an eye out for, nonetheless.
Here are some common phrases and situations you should look out for in impersonation emails:
- Short deadlines given at short notice for processes involving the transfer of money or sensitive information.
- Unusual purchase requests (e.g., iTunes gift cards).
- Employees requesting sudden changes to direct deposit information.
- Vendor sharing new.
This email impersonation attack exploits the COVID-19 pandemic to make an urgent request for gift card purchases.
Tip #2 – Always do a context check on emails
Targeted email attacks bank on victims being too busy and “doing before thinking” instead of stopping and engaging with the email rationally. While it may take a few extra seconds, always ask yourself if the email you’re reading – and what the email is asking for – make sense.
- Why would your CEO really ask you to purchase iTunes gift cards at two hours’ notice? Have they done it before?
- Why would Netflix emails come to your business email address?
- Why would the IRS ask for your SSN and other sensitive personal information over email?
To sum up this tip, I’d say: be a little paranoid while reading emails, even if they’re from trusted entities.
Tip #3 – Check for email address and sender name deviations
To stop email impersonation, many organizations have deployed keyword-based protection that catches emails where the email addresses or sender names match those of key executives (or other related keywords). To get past these security controls, impersonation attacks use email addresses and sender names with slight deviations from those of the entity the attacks are impersonating. Some common deviations to look out for are:
- Changes to the spelling, especially ones that are missed at first glance (e.g., “ei” instead of “ie” in a name).
- Changes based on visual similarities to trick victims (e.g., replacing “rn” with “m” because they look alike).
- Business emails sent from personal accounts like Gmail or Yahoo without advance notice. It’s advisable to validate the identity of the sender through secondary channels (text, Slack, or phone call) if they’re emailing you with requests from their personal account for the first time.
- Descriptive changes to the name, even if the changes fit in context. For example, attackers impersonating a Chief Technology Officer named Ryan Fraser may send emails with the sender name as “Ryan Fraser, Chief Technology Officer”.
- Changes to the components of the sender name (e.g., adding or removing a middle initial, abbreviating Mary Jane to MJ).
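The deviations listed above can be checked mechanically before a human ever has to squint at a From: header. The following Python is an added example written for this page, not code from the article or from any vendor it mentions. It compares the display name and address of an inbound message against a small directory of protected identities: titles appended to a name are ignored, initials and dropped middle names are treated as the same person, look-alike glyph pairs such as “rn”/“m” are collapsed before comparison, and webmail domains are flagged for out-of-band verification. The names, addresses, the example.com domain and the confusable table are all constructed for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory of protected identities (a real deployment would pull
# this from the HR system or identity provider). Names, addresses and the
# example.com domain are made up for this example.
CORPORATE_DOMAIN = "example.com"
PROTECTED = {
    "Ryan Fraser": "ryan.fraser@example.com",
    "Mary Jane Watson": "mj.watson@example.com",
}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Glyph pairs that survive a quick glance, e.g. "rn" read as "m" (constructed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]
# Titles an attacker may append to a name; they carry no identity information.
TITLE_WORDS = {"chief", "technology", "financial", "executive", "officer",
               "ceo", "cto", "cfo", "vp", "president", "director"}


def normalize(text):
    """Lowercase, strip accents, collapse confusable glyphs, drop titles and
    punctuation; return the remaining name tokens."""
    s = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()
    for glyphs, canon in CONFUSABLES:
        s = s.replace(glyphs, canon)
    return [t for t in re.split(r"[^a-z]+", s) if t and t not in TITLE_WORDS]


def canonical_forms(name):
    """Spellings a name may legitimately take: full (maryjanewatson),
    initials + surname (mjwatson) and first + surname (marywatson)."""
    tokens = normalize(name)
    if not tokens:
        return set()
    forms = {"".join(tokens)}
    if len(tokens) > 1:
        forms.add("".join(t[0] for t in tokens[:-1]) + tokens[-1])
        forms.add(tokens[0] + tokens[-1])
    return forms


def name_similarity(candidate, protected):
    """Best similarity (0..1) between any canonical form of the two names."""
    return max((SequenceMatcher(None, a, b).ratio()
                for a in canonical_forms(candidate)
                for b in canonical_forms(protected)), default=0.0)


def check_sender(from_header, threshold=0.85):
    """Return (code, detail) findings for a From: header; an empty list means
    no deviation from the protected directory was detected."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    findings = []

    for name, legit_addr in PROTECTED.items():
        if addr == legit_addr:
            continue  # exact address match: nothing to flag for this identity
        sim = name_similarity(display, name)
        if sim >= threshold:
            findings.append(("NAME_MATCH_ADDR_MISMATCH",
                             f"display name resembles '{name}' ({sim:.2f}) but address is {addr}"))
        legit_local = "".join(normalize(legit_addr.split("@")[0]))
        if SequenceMatcher(None, "".join(normalize(local)), legit_local).ratio() >= threshold:
            findings.append(("ADDR_NEAR_MISS", f"{addr} is a near-miss for {legit_addr}"))

    if domain != CORPORATE_DOMAIN:
        if "".join(normalize(domain)) == "".join(normalize(CORPORATE_DOMAIN)):
            findings.append(("LOOKALIKE_DOMAIN", f"{domain} resembles {CORPORATE_DOMAIN}"))
        elif domain in PERSONAL_DOMAINS:
            findings.append(("PERSONAL_DOMAIN", f"{domain} is webmail; verify via a second channel"))
    return findings


if __name__ == "__main__":
    # Constructed From: headers, one per deviation type in the list above.
    for hdr in ['"Ryan Fraser, Chief Technology Officer" <ryan.fraser@gmail.com>',
                "Ryan Fraser <ryan.fraser@exarnple.com>",
                "Ryan Fraser <ryan.frasar@example.com>",
                "MJ Watson <mj.watson@example.com>"]:
        print(hdr, "->", [code for code, _ in check_sender(hdr)] or "clean")
```

Note that the legitimate "MJ Watson" header produces no findings even though its display name differs from the directory entry: normalization is applied to both sides, so abbreviations the directory owner would accept do not generate noise, while the same machinery still catches a single swapped letter in the local part.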
Tip #4 – Learn the “greatest hits” of impersonation phrases
Email impersonation has been around for long enough that there are well-known phrases and tactics we need to be aware of. The emails don’t always have to be directly related to money or data – the first email is sometimes a simple request, just to see who bites and buys into the email’s faux legitimacy. Be aware of the following phrases/context:
- “Are you free now?”, “Are you at your desk?” and related questions are frequent opening lines in impersonation emails. Because they seem like harmless emails with simple requests, they get past email security controls and lay the bait.
- “I need an urgent favor”, “Can you do something for me within the next 15 minutes?”, and other phrases implying the email is of a time-sensitive nature. If you get this email from your “CEO”, your instinct might be to respond quickly and be duped by the impersonation in the process.
- “Can you share your personal cell phone number?”, “I need your personal email”, and other out-of-context requests for personal information. The objective of these requests is to harvest information and build out a profile of the victim; once adversaries have enough information, they have another entity to impersonate.
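The social engineering cues from Tip #1 and the “greatest hits” phrases from Tip #4 lend themselves to the same treatment: a small, weighted lexicon run over subject and body, with a bonus when several cue categories co-occur, since an availability probe on its own is noise but an availability probe followed by an urgent gift card request is the classic two-step opener. The Python below is an added example for this page, not the article’s or any vendor’s code. The cue patterns, weights, thresholds and the sample messages (including the invoice number) are all constructed for illustration and would need tuning against an organization’s own mail before use.

```python
import re

# Constructed cue lexicon built from the phrases listed in Tips #1 and #4.
# Each category has a weight and the regexes that trigger it (text is lowercased first).
CUES = {
    "availability_probe": (1, [r"\bare you (free|available|at your desk)\b",
                               r"\bare you in the office\b"]),
    "urgency": (2, [r"\burgent\b", r"\bright away\b", r"\basap\b", r"\bimmediately\b",
                    r"\bwithin the next \d+ minutes\b",
                    r"\b(by|before) (the )?end of (the )?day\b"]),
    "favor": (1, [r"\bneed (a|an) (quick |urgent )?favou?r\b",
                  r"\bcan you do something for me\b"]),
    "gift_cards": (3, [r"\b(itunes|amazon|google play) gift cards?\b", r"\bgift cards?\b"]),
    "payment_change": (3, [r"\b(new|updated|changed?) (bank|account|direct deposit|wire|remittance)\b",
                           r"\b(bank|account|deposit|wire)[a-z ]{0,25}\b(changed|updated)\b"]),
    "personal_info": (2, [r"\bpersonal (cell|mobile|phone)( number)?\b", r"\bpersonal email\b",
                          r"\b(ssn|social security number)\b", r"\bpassword\b"]),
}

# Constructed sample messages as (subject, body); none are real mail.
SAMPLE_MESSAGES = [
    ("Quick request",
     "Are you at your desk? I need an urgent favor. Can you purchase 5 iTunes gift "
     "cards within the next 15 minutes and send me the codes?"),
    ("Q3 roadmap slides",
     "Hi, attaching the Q3 roadmap slides for review before Thursday's meeting. "
     "Let me know if you have comments."),
    ("Invoice 4471 - updated remittance details",
     "Please note our bank account has changed. Remit the outstanding invoice to the "
     "new account below by end of day."),
    ("Hi", "Are you free now? Let me know when you're at your desk."),
    ("Urgent",
     "I need your personal cell phone number for an urgent matter. Also send your personal email."),
]


def score_email(subject, body):
    """Return {'score', 'verdict', 'cues'} for one message. 'cues' maps each
    triggered category to the phrases that triggered it."""
    text = f"{subject}\n{body}".lower()
    hits = {}
    for category, (weight, patterns) in CUES.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, text)]
        if matched:
            hits[category] = matched
    score = sum(CUES[c][0] for c in hits)
    # Cues compound: each additional distinct category adds one point, so a lone
    # "are you free?" stays low while probe + urgency + gift cards climbs fast.
    if len(hits) >= 2:
        score += len(hits) - 1
    verdict = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "cues": hits}


if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        result = score_email(subject, body)
        print(f"{result['verdict']:6} {result['score']:2}  {subject!r}  cues={sorted(result['cues'])}")
```

The lone availability probe deliberately scores low: flagging every “are you free?” would bury analysts in false positives. The practical use of that category is as state carried forward, so that the follow-up request from the same external sender is judged with the probe already on record.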
Tip #5 – Use secondary channels of authentication
Enterprise adoption of two-factor authentication (2FA) has grown considerably over the years, helping safeguard employee accounts and reduce the impact of account compromise.
Individuals should try to replicate this best practice for any email that makes unusual requests related to money or data. For example:
- Has a vendor emailed you with a sudden change in their bank account details, right when an invoice is due? Call or text the vendor and confirm that they sent the email.
- Did your manager email you asking for gift card purchases? Send them a Slack message (or whatever productivity app you use) to confirm the request.
- Did your HR representative email you a COVID resource document that needs email account credentials to be viewed? Check the veracity of the email with the HR rep.
Even if you’re reaching out to very busy people for this additional authentication, they will understand and appreciate your caution.
These tips are meant as starting points for individuals and organizations to better understand email impersonation and start addressing its risk factors. But effective protection against email impersonation can’t be down to eye tests alone. Enterprise security teams should conduct a thorough audit of their email security stack and explore solutions that augment native email security with specific protection against impersonation.
With email more important to our digital lives than ever, it’s vital that we are able to believe people are who their email says they are. Email impersonation attacks exploit this sometimes-misplaced belief. Stopping email impersonation attacks will require a combination of security hygiene, email security solutions that provide specific impersonation protection, and some healthy paranoia while reading emails – even if they seem to be from people you trust.
Armorblox, a cloud office security platform that protects inbound and outbound enterprise communications, announced the availability of integrations with Box and Slack to stop socially engineered attacks and data loss across email, messaging, and file-sharing services.
In addition to API-based integrations with Office 365, G Suite, and Exchange, these new integrations extend Armorblox capabilities beyond email to prevent targeted attacks and sensitive data disclosures across cloud office applications.
Cloud office adoption is becoming nearly universal, accelerated even further by the rush to support remote workforces. This distributed nature of both people and applications has led to gaps in data visibility and security, with employees collaborating across email, Slack, Box, and other applications.
Whether inadvertently or maliciously, employees share PII, PCI, passwords, and confidential data – either with outside parties or laterally across email, messaging, and file-sharing services. The expanded threat surface has also heralded a rise in socially engineered attacks that host credential phishing sites on reputed cloud applications.
Armorblox, which was recently named a Gartner Cool Vendor, is a cloud office security platform that connects with email, Box, and Slack over APIs. By leveraging natural language understanding, deep learning, and other techniques, Armorblox analyzes thousands of signals including the language within enterprise communications.
Under its email protection capabilities, Armorblox stops socially engineered attacks such as payroll fraud, vendor fraud, account takeovers, and advanced VIP/employee impersonation.
For enterprises using Box or Slack, Armorblox will detect malicious URLs and sensitive information such as PII/PCI data, whether at rest or in transit. Security teams can leverage preconfigured policies to automatically assign remediation actions to offending emails, Box files, or Slack messages.
With these new integrations, Armorblox can also protect organizations against lateral data loss across channels (e.g. someone downloading sensitive information from Box and sharing it over email).
Analyzing signals across cloud office applications lends Armorblox universal context over sensitive/confidential data, user behavior including login and access patterns, and the nature of external/internal interactions.
“Humans don’t communicate in silos, especially in a world dominated by remote work and digital workflows,” said DJ Sampath, Co-founder and CEO of Armorblox.
“The rapid-fire and heterogeneous nature of communication across email, messaging, and file-sharing services has made it easy for adversaries to launch attacks across channels after compromising someone’s credentials. It’s also regrettably easy for employees to accidentally share sensitive information with the wrong people.”
“We believe that the combination of identity, behavior, and – most importantly – language signals provides the most effective detection framework for protecting the human layer against targeted attacks and data loss. Integrating with Box and Slack is a critical step in our journey to secure all enterprise communications.
“We’re excited to build on these integrations and extend support for Microsoft Teams, OneDrive, GDrive, and other cloud office applications in the months to come.”
Box and Slack integrations are immediately available for the Armorblox cloud office security platform.
In order to help global organizations of all sizes address cybersecurity during the COVID-19 pandemic, a number of vendors provide free (time-limited) access to their solutions.
All of the offers below are available immediately, and they cover a number of areas. Vendors are listed alphabetically, and all require registration.
Armorblox – Free email protection
Armorblox made its fully-featured email security platform free for businesses that have between 100 and 2,000 employees until April 30th and will reassess the situation for potential extensions beyond that.
Awake Security – Free platform access
Bugcrowd – Free access to Vulnerability Disclosure Program and Attack Surface Analysis
If you represent an emergency service, healthcare, or other care provider helping to manage the unprecedented COVID-19 situation, Bugcrowd is offering you free access to its Vulnerability Disclosure Program and Attack Surface Analysis for the next 90 days.
BullGuard – Free Small Office Security license
Dynatrace – Free access to Software Intelligence Platform
Dynatrace is providing new users with extended, free trial access to the Dynatrace Software Intelligence Platform, through May 19, 2020. In addition, new users will receive free access to the Dynatrace Real User Monitoring (RUM) for SaaS vendor experience, through September 19, 2020.
ERMProtect – Free security awareness training
ERMProtect is providing free access to its Security Awareness Training for 3 months. Organizations can access two animated training modules that teach employees to spot phishing attacks and work safely online from home – a particularly relevant module as employees shift to working remotely.
Foresite – Free emergency cybersecurity services
Foresite, a managed security and cyber-consulting services provider, is offering free cybersecurity services for small to medium enterprises: a free external vulnerability scan, a free phishing awareness campaign for up to 250 users, free firewall monitoring and management for 30 days, and more.
GreatHorn – Free email protection
GreatHorn will provide 60 days of free, unrestricted access to the GreatHorn Email Security platform to give business leaders and employees peace of mind as they navigate changes to work and business operations during the pandemic.
Qualys – Free remote endpoint protection
Qualys is offering instant security assessments, visibility and remote computer patching for corporate and personal computers – free for 60 days. The solution allows security teams to gain continuous visibility of remote computers, see missing patches for critical vulnerabilities and deploy them from the cloud.
SentinelOne – Free platform access
SentinelOne Core is available free of charge through Friday, May 16, 2020, enabling enterprises to secure remote work. SentinelOne’s cloud-based platform scales, making it well suited to protect both businesses and employees transitioning to a work-from-home environment, whether they are using corporate or personal devices.
Signavio – Trial for collaborative crisis resilience and people management
StorONE – Free enterprise storage platform
StorONE is providing its S1 Enterprise Storage Platform at no cost to any organization impacted by COVID-19 until June 30, with healthcare and scientific research facilities at the center of the pandemic response granted free use through October.
Sucuri – Medical service providers can get a year of Sucuri WAF for free
Sucuri is offering a year of their Web Application Firewall (WAF) service to medical service providers. Sucuri’s WAF is frequently updated with the latest and emerging threat definitions to block DDoS and other attacks by bad actors.
SyncDog – Free trial of Secure.Systems
SyncDog announced free access to their Trusted Mobile Workspace application. Secure.Systems delivers a suite of mobile productivity applications that encrypt corporate data and can be integrated into any existing mobile device on any carrier.
Votiro – Free Disarmer for Email
Votiro’s advanced email attachment sanitization solution – Disarmer for Email – is free through the end of the year to help reduce organizations’ security risk. Rest assured knowing your workforce’s email attachments are safe from any known and unknown threats.
The RSA Conference Early Stage Expo is an innovation space dedicated to promoting emerging talent in the industry. Here are some of the most exciting companies exhibiting innovative products and solutions, which you can see in person in the San Francisco Ballroom, Moscone South, Level 2.
Abnormal Security stops targeted email attacks. Abnormal Behavior Technology models the identity of both employees and external senders, profiles relationships and analyzes email content to stop attacks that lead to account takeover, financial damage and organizational mistrust. Abnormal sets up in minutes with Office 365 and G Suite, has no end-user friction, and does not disrupt email flow.
We talked with Evan Reiser, CEO of Abnormal Security, about how layering diverse defenses is crucial for stopping email attacks.
The Armorblox platform uses natural language understanding and deep learning to analyze content, context, and metadata on all business communications. Armorblox protects against targeted email attacks, prevents accidental or malicious data disclosure, and stops insider threats.
We interviewed Armorblox CEO Dhananjay Sampath about thwarting email-based social engineering attacks.
BluBracket is the first comprehensive security solution for code in the enterprise—so developers can innovate and collaborate, and security teams can sleep at night. Using BluBracket, companies can view, monitor and secure their code, without altering developer workflow.
Fuzzbuzz is a fuzzing platform and set of tools that enables dev & sec teams to effortlessly find severe bugs and vulnerabilities by integrating fuzzing into the SDLC. Fuzzbuzz saves developer time by eliminating false positives, ensuring bugs are never reintroduced, and automatically generating fuzz harnesses.
K2 Cyber Security
K2’s Next Generation Application Workload Protection Platform protects web and binary applications from attacks. K2’s deterministic approach eliminates false positives and provides runtime protection against OWASP top 10 attacks.
Using proprietary OCFI technology to create a DNA map of each application, K2 provides the exact location of a vulnerability, saving significant time and effort.
Kindite assembled a unique set of confidential computing technologies into a single data-protection platform, which ensures data is encrypted end-to-end, even while being processed. Kindite’s platform keeps the encryption keys within the organization’s trusted environment, creating a true zero-trust relationship with any infrastructure while maintaining full business continuity.
For more depth, read the following articles Kindite contributed to Help Net Security:
LevelOps is an application security platform that helps security teams manage the security lifecycle, across multiple products and from requirements to operations. LevelOps integrates with existing tools in your SDLC and provides a way for security teams to scale, without compromising engineering velocity.
Shujinko brings cloud compliance know-how together with automation to make compliance and audits fast and easy. Shujinko helps confidently prepare for an audit by automating most of the technical controls that are error-prone to set up in a compliant way, as well as the evidence collection and documentation that takes thousands of hours to complete.
The vFeed correlation algorithm analyzes a large number of scattered vendor advisories and third-party sources, then standardizes the content with respect to industry security open standards.
Vulcan Cyber is a vulnerability remediation and orchestration platform that is modernizing the way enterprises reduce cyber risk. With its remediation-driven approach, Vulcan automates and orchestrates the vulnerability remediation lifecycle, enabling security, operational and business teams to effectively remediate cyber risks at scale.