Real-World Examples of Employees Engaging with Email Attacks
Many professionals still assume that today’s email attacks are as poorly worded and obviously malicious as those from ten years ago. But modern threat actors have refined their tradecraft and are launching attacks that not only bypass legacy security tools but also trigger no alarm bells for the average employee.
Any time an employee has to assess whether an email is malicious is an opportunity for them to make a mistake—and for an attacker to capitalize. And the data shows that employees are notoriously bad at making that distinction.
Our latest threat report found that the median open rate for text-based business email compromise (BEC) attacks was nearly 28%. Further, of the malicious emails that were read, an average of 15% were replied to.
To help illustrate just how believable these attacks can be, we’re breaking down two examples of real email attacks in which cybercriminals successfully engaged with employees.
Note: The following attacks were observed during risk assessments in which the companies had deployed Abnormal Inbound Email Security in passive, read-only mode. In that mode the platform is integrated with the organization’s mail environment and can observe and flag messages, but it is not actively blocking or remediating them.
Threat Actor Impersonates Office Manager to Execute Invoice Fraud
In the first example, the attacker posed as the office manager of a small safety management business and emailed the facilities manager of a food distribution company. The threat actor first requested the status of payments for outstanding invoices and then informed the recipient that the company’s remittance information had recently changed.
To give the appearance of legitimacy, the attacker created a lookalike email address on a domain with a tiny misspelling that could easily be overlooked. For privacy purposes, all identifying information has been censored, but a comparable example would be if the real domain was initialus.com and the threat actor’s email address was hosted on intialus.com.
The messages contain no misspellings, no malicious links or attachments, and only minor grammar and punctuation issues. The attacker also reused the office manager’s real email signature, complete with the company’s contact information and logo. Simply put, to most employees the email would raise zero red flags, which is likely why the target provided the requested information shortly after receiving the message.
The threat actor then quickly replied with the “new” bank information, asked that all future payments be sent to that account, and requested that the target confirm receipt of the email.
The technique was successful, and the facilities manager confirmed the new account and routing information would be forwarded to the company’s accounts payable department.
At this point Abnormal intervened to prevent the attack from moving forward, even though the platform was in read-only mode and had not blocked any of the messages.
Attacker Compromises Vendor Email Account to Divert Funds
In the next attack, the threat actor impersonated an accounting assistant. As in the example above, the attacker created a lookalike email address using a domain with a nearly unnoticeable misspelling. Again, all identifying information has been redacted, but to illustrate how imperceptible the difference is, imagine that the real company domain is odilla.com and the domain in the threat actor’s email address is odilila.com.
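Both lookalike domains described above (intialus.com for initialus.com, and odilila.com for odilla.com) sit one edit away from the real vendor domain, which is exactly what an automated check can catch even when a human reader cannot. The following is an added example, not Abnormal’s code: it extracts the sender domains from the headers a mobile client typically hides, compares them against a constructed allowlist of known vendor domains using optimal-string-alignment (Damerau-Levenshtein) distance, and also flags a Reply-To that diverges from the From address. The allowlist, the sample message and the distance threshold are assumptions for illustration; real deployments would also need homoglyph and punycode handling, which this example does not cover.

```python
"""Added example (not Abnormal's code): flag lookalike sender domains.

The allowlist and the sample message below are constructed for illustration;
they mirror the redacted domain pairs from the two attacks described above.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist (assumption): vendor domains this organization pays.
KNOWN_DOMAINS = {"initialus.com", "odilla.com", "example-partner.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or transpose two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain that `domain` imitates, or None if `domain`
    is itself a known domain or is not within `max_distance` edits of one.
    A distance of 2 is a pragmatic threshold (assumption); short domains
    will produce more false positives at that setting."""
    domain = domain.lower().rstrip(".")
    if domain in known:
        return None
    best = None
    for candidate in known:
        dist = damerau_levenshtein(domain, candidate)
        if dist <= max_distance and (best is None or dist < best[1]):
            best = (candidate, dist)
    return best[0] if best else None


def sender_domains(raw: str) -> dict:
    """Pull the domain out of From, Reply-To and Return-Path, the headers a
    phone client usually collapses into just a display name."""
    msg = message_from_string(raw)
    out = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            _, addr = parseaddr(value)
            if "@" in addr:
                out[header] = addr.rsplit("@", 1)[1].lower()
    return out


def assess(raw: str) -> list:
    """Return human-readable findings for a raw RFC 5322 message."""
    findings = []
    domains = sender_domains(raw)
    for header, domain in domains.items():
        target = lookalike_of(domain)
        if target:
            findings.append(f"{header} domain {domain} looks like known vendor {target}")
    if "Reply-To" in domains and "From" in domains and domains["Reply-To"] != domains["From"]:
        findings.append(f"Reply-To domain {domains['Reply-To']} differs from From domain {domains['From']}")
    return findings


# Constructed message modelled on the first attack; no real addresses.
SAMPLE = """From: "Office Manager" <office.manager@intialus.com>
To: facilities@example-food.com
Subject: RE: Outstanding invoices
Content-Type: text/plain

Hi, could you confirm the status of the outstanding invoices?
Our remittance details changed recently.
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

Running the block prints a single finding for the constructed message: the From domain intialus.com is flagged as a lookalike of initialus.com. The same check returns nothing for an exact allowlist match, which is the point: a lookalike domain is only detectable relative to a list of domains the organization actually does business with, so the allowlist has to be maintained from AP or vendor-management data rather than guessed.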
However, in this attack, the threat actor didn’t initiate first contact with the target. Instead, the attacker replied to a message sent by the target to the accounting assistant’s actual email account.
Based on this, it would appear that the threat actor had compromised the account and had been waiting for an opportunity to hijack the conversation.
When the target emailed the accounting assistant to let her know he was having phone trouble but was working on transferring the funds his business owed, the attacker saw their chance. They replied to the email using the lookalike email address and informed the target that the company’s bank account was scheduled to be audited and all payments needed to be directed to a new account.
Just like the threat actor in the first example, this attacker reused the impersonated party’s actual email signature with the company’s contact information and logo. They also avoided phishing links and malicious attachments, since those are precisely the artifacts that legacy email security tools scan for and flag.
But rather than simply pasting the “new” bank information into the email, this threat actor added further credibility by delivering the banking details in a modified document on the company’s actual letterhead. This further supports the assumption that the attacker had compromised the accounting assistant’s account and had browsed previous correspondence to locate an official document they could repurpose for the attack.
None of the emails from the threat actor contain any misspellings or obvious grammar errors. The attacker is persistent but never rude and includes relevant pleasantries, including wishing the target a happy new year and telling him they’re happy he’s received a new phone.
Further, email clients on mobile devices typically show only the sender’s display name rather than the full address, and rarely expose the underlying headers, so the misspelled domain is even easier to miss.
In other words, just as with the first example, almost any employee at any level of an organization would believe the messages were legitimate—as the target in this attack did.
Once more, despite the platform being in read-only mode, Abnormal intervened at this point to prevent the attack from progressing.
Keep Your Workforce Safe by Proactively Blocking Threats
As long as companies use email, cybercriminals will launch email attacks. The above examples demonstrate just how convincing modern email attacks can be and how threat actors can expertly leverage social engineering to trick employees.
As attackers continue to upgrade and enhance their strategies, it will become increasingly difficult for your employees to differentiate these threats from legitimate emails. This means it’s crucial to minimize opportunities for your workforce to engage with malicious emails. Indeed, the most effective way to prevent your workforce from falling victim to an attack is to invest in an email security solution that ensures attacks are never delivered in the first place.
For even more insight into the risk that employees pose to cybersecurity, download our latest email threat report today.