Two Decades of Email Attacks: A Look Back at How Threats Have Evolved
Can you believe Cybersecurity Awareness Month was started 20 years ago? For two decades, businesses of all sizes, across every industry, have used October as an opportunity to evaluate and enhance their security practices while providing their employees with tips and tricks for staying safe online.
To say that the attacks launched in 2003 look different than those we contend with now is, of course, quite an understatement. But while threat actors have continually found ways to make their malicious emails more sophisticated and more difficult to detect over the past 20 years, their preferred attack vector has remained the same.
Email is still one of the most commonly used business communication channels, which means it’s a prime target for cybercriminals—a fact that is unlikely to change anytime soon. To protect financial, personal, and sensitive information, organizations need to educate employees and implement proactive cybersecurity solutions that stop attackers before they reach inboxes.
But to know where the threat landscape is going, we need to understand where it's been. Let's take a journey down memory lane and explore the evolution of email attacks.
Email Wasn’t Designed as a Secure Channel
While many technologies have fallen in and out of vogue in the past two decades, email has largely stayed the same. It’s a primary communication channel for businesses and consumers alike.
Over four billion people use email and an astonishing 99% of email users check their inboxes daily, with 58% checking their email first thing in the morning. Even as business collaboration tools, instant messaging, and social media channels have emerged, email addresses are still the most common way for users to communicate.
Unfortunately, email was never designed to be a secure channel. It was just an electronic mailbox. Email protocols like Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3) were developed in the early days of the internet without encryption, spam filters, or proof of sender. Email was never intended to be the center of digital communications and virtual sign-ins, or a storehouse for sensitive information. And yet that’s what it’s become.
Because of this, email became a valuable target for cyberattacks.
Threat actors could easily spoof a sender’s identity, send harmful attachments or malware, or steal sign-in credentials through phishing attacks. Infiltrating a user’s account gave the attacker access to past emails, the ability to sign into other accounts, and the capacity to send malicious emails from a legitimate account.
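Because SMTP carries no proof of sender, the From header a recipient sees is just text the sender chose. The following is an added example, not part of the original article: a Python check a mail-triage script could run to flag messages whose sender fields disagree with each other. The function names, finding labels, and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_findings(raw):
    """Return triage signals for sender fields that disagree with each other."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain(from_addr)
    findings = []
    # Envelope sender (recorded at delivery) vs. the From header the reader
    # sees. Bulk mailers also differ here, so treat it as a signal only.
    if return_path and domain(return_path) != from_dom:
        findings.append("envelope-domain-mismatch")
    # Replies would go to a different domain than the apparent sender.
    if reply_to and domain(reply_to) != from_dom:
        findings.append("reply-to-redirect")
    # The display name shows an address at a domain other than the real From.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")
    return findings

# Constructed sample messages; the example.* domains are placeholders.
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    'From: "pat.lee@example.com" <pat.lee@example.org>',
    "Reply-To: accounts@example.net",
    "Subject: Updated bank details",
    "",
    "Please use the new account for this month's invoice.",
])
CLEAN = "\n".join([
    "Return-Path: <pat.lee@example.com>",
    "From: Pat Lee <pat.lee@example.com>",
    "Subject: Lunch on Thursday?",
    "",
    "Are you free at noon?",
])

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, sender_findings(raw))
```

None of these findings is a verdict on its own; they are inputs for scoring or analyst review alongside whatever sender authentication results the receiving server records.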
The Evolution of Email Attacks
Twenty years ago, these threats were still pretty rudimentary. Attacks got through, but a good portion of them could be stopped by a secure email gateway (SEG) and employee training. Sadly, this is no longer enough. Even today, 74% of all breaches involve the human element.
Individual users have always been a target for bad actors, but businesses hold even more value. Compromised email addresses provide increased credibility to attackers sending malicious emails. Plus, the ability to access a trove of financial, personal, and sensitive information is just too appealing to threat actors.
Worse still, hackers can often access applications integrated with compromised email accounts. Organizations with more than 30,000 employees have an average of almost 4,000 third-party applications.
Phishing attacks, malware, and social engineering scams are a mainstay for threat actors. But in recent years, hackers have launched more sophisticated business email compromise (BEC) and vendor email compromise (VEC) attacks.
For organizations with more than 5,000 mailboxes, there’s a 90% chance of receiving at least one BEC attack each week. These attacks are purpose-built to exploit the trust shared between coworkers, bosses, and vendors to trick targets into transferring funds or sharing sensitive information with the threat actors.
Couple this with the widespread availability of generative AI to create more convincing email copy, and it’s easy to see the evolution of email-based attacks in the here and now.
For example, an attacker can use a tool like Google Bard to pull up-to-date information on their target. This includes members of the executive team and their personal or professional histories. This information is then fed into ChatGPT—or its more nefarious cousin FraudGPT—to instantly craft an error-free email requesting sensitive or financial information. Attackers can even mimic the tone of real people to make their attempts more persuasive.
The malicious use of generative AI means attacks are more sophisticated, more targeted, and harder to detect and stop based on traditional methods.
The Revolution of Email Security
Cybercriminals aren’t the only ones utilizing new technologies and techniques. Thankfully, cybersecurity is also evolving. If threat actors are using AI, it only makes sense that organizations use good AI in response.
Sophisticated email-based security solutions leverage AI and machine learning to create a baseline of good behavior to better detect potential bad behavior. This shifts the onus of spotting malicious emails away from employees who, despite their best efforts, aren’t a reliable way to stop cyberattacks. Advanced email security proactively identifies, flags, and blocks attacks from reaching inboxes, which means fewer employees have the chance to interact with bad actors.
Abnormal can also tell in post-detection when an email was most likely written by generative AI. So even if attackers produce higher-quality scams, phishing emails, BEC attacks, and the rest, Abnormal can stay a step ahead.
If the past 20 years have taught us anything, it’s that the bad guys never give up. Organizations can’t afford to give up either. Investing in sophisticated AI-native security is essential for defending businesses today, tomorrow, and beyond.