Rising volume of email fatigue opens doors for Cybercriminals

This blog was written by an independent guest blogger.

While remote work has many benefits, it can increase the risk of employees suffering from directed attention fatigue (DAF), where they find themselves unable to focus due to constant distractions. This is due primarily to isolation and the constant bombardment of emails and instant messages. In fact, one of the most worrying types of DAF for security professionals is email fatigue. 

Communicating through emails is often preferred over phone calls, but it may present a greater security risk – especially if we consider the amount of critical business data shared through email these days. When workers’ attention spans are stretched too thin, they are more likely to click on cleverly disguised malicious emails and put their data at risk. 

The best way to arm yourself against such attacks is by educating yourself. To that end, the following guide will explore how cybercriminals breach companies through employee inboxes and what you can do to prevent it.

What is email fatigue?

According to a recent study, the average American worker spends roughly five hours a day checking email. Email fatigue has long been a problem, but we can expect it to worsen because of the almost exponential growth of daily sent and received emails worldwide over the past few years. 

Similar to alert fatigue, this constant send-and-receive cycle keeps workers from concentrating on their core tasks. They often find that they need to ignore one for the other. Thus, they may start to ignore messages, delete them, and/or unsubscribe from email lists.

Unfortunately, this is when we are the most vulnerable to hackers.

How email-based cyber attacks work

Email-based attacks are not a new problem. For example, some of the most notorious email-related cyber attacks of the 1990s came through the propagation of the Melissa virus. During these attacks, the attacker would send the virus through a Microsoft Word document attached to an email. Once the victim opened the document, it would run a macro script that would infect the system and steal their mailing list.

Surprisingly, not much has changed, and email is still a popular way to send malware. According to a recent analysis conducted by Freshbooks on the rise of Covid scams, email remains one of the most vulnerable outlets for cybercriminals.

Even though many consider spam and phishing outdated techniques, they are still employed by cybercriminals today. A hacker will send an email from what seems to be a reputable social media site, but the email will have a malicious link or a fake button. As soon as you click on it, it confirms your email address and hackers will then target you with more malicious emails with more intricate exploits. 

Recent email-based attacks

In August 2021, a Revere Health employee was hacked through a phishing email attack which exposed approximately 12,000 patient medical records. The hackers may not have intended to release patient medical records; rather, this may have been a long-term phishing scheme designed to hack other Revere employees. Still, because of the overwhelming pressure the healthcare sector suffered due to the Covid-19 pandemic, they were left more vulnerable to cybercrime. 

The Revere Health data breach was small scale compared to the 2020 MEDNAX data breach. The data of over 1.2 million individuals was exposed after employees responded to a host of phishing emails. The breach was comprehensive, revealing the information of both patients and providers.

While there are different types of phishing, spear phishing is the most popular. Most phishing attacks are random or large-scale, while spear phishing is more targeted - that is, the cybercriminal will target a particular individual or organization with a custom attack. A fine example of this is the 2020 Magellan Health ransomware attack where the records of over 1 million individuals were revealed. 

In another case, Aetna Ace, a health insurance company, saw the records of over 480,000 patients exposed after an employee responded to a spear-phishing email. The company had to pay $1 million in fines after it was found that it violated HIPAA privacy rules due to the hacks. As a result of these attacks, healthcare service vendors and agents have had to change how they organize and store data in order to decrease the risks of a similar breach. 

Nevertheless, while healthcare accounted for 79% of all reported data breaches in 2020, it’s not the only sector that’s susceptible. Treasure Island, a non-profit company that aids the homeless, suffered losses of $625,000 after a sophisticated month-long business e-mail compromise (BEC) attack.   

The FBI’s 2020 Internet Crime Report found that businesses and consumers lost a combined $1.8 billion to BEC and email compromise attacks. To protect ourselves, we need to understand hackers’ motivations and strategies. Employing software-based security measures is important, but cautious employee behavior can render a large variety of attacks unsuccessful.      

Understanding email cyber attack strategies

Many businesses are taking steps to increase security protections for remote workers, but something like a phishing attack requires more than VPNs and encryption to prevent it. In some cases, you can immediately tell that phishing emails are inauthentic. A few grammatical and spelling mistakes may give it away, or the email address may be obviously fake.  

So how do so many employees fall victim to phishing scams? Over the years, cybercriminals have refined their skills. They carefully study their victims before launching their attacks. For example, in a BEC attack where the attacker poses as an executive or high-level employee, they study and mimic how the subject communicates through email. 

They achieve this by building a composite of email interactions. They may first pose as a lower-level employee and interact with the executive. Then they can use artificial intelligence (AI) to analyze how the victim communicates through email. It can look for subtle nuances such as diction, use of grammar and punctuation, typos, etc. 
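On the defensive side, the executive impersonation described above often leaves traces in the message headers that a mail filter or triage script can check. The following is an added example, not part of the original post; the domain, the executive name, the threshold and the sample messages are all constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: your real domain and executive display names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield"}

def domain_of(address):
    return address.rpartition("@")[2].lower()

def is_lookalike(domain, threshold=0.85):
    """True for a domain that nearly matches ORG_DOMAIN without being it."""
    if domain == ORG_DOMAIN:
        return False
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= threshold

def bec_flags(raw_message):
    """Return the impersonation indicators found in one message's headers."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    flags = []
    # An executive's name on an address outside the organisation.
    if name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        flags.append("exec-name-external-address")
    if is_lookalike(sender_domain):
        flags.append("lookalike-domain")
    # Replies routed to another domain; mailing lists also do this, so
    # treat it as a signal to combine with the others, not a verdict.
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Dana Whitfield <dana.whitfield@example.com>\n"
             "Subject: Q3 numbers\n\nSee attached.",
    "lookalike": "From: Dana Whitfield <dana.whitfield@examp1e.com>\n"
                 "Reply-To: dana.w@mail.test\n"
                 "Subject: Urgent wire transfer\n\nAre you at your desk?",
    "freemail": "From: Dana Whitfield <ceo.office@freemail.test>\n"
                "Subject: Quick favor\n\nReply when you see this.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, bec_flags(raw))
```

Header checks like these catch spoofed or lookalike senders only; a message sent from a genuinely compromised internal mailbox passes all three.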

Hackers can go a step further and use AI to automate their attacks. A recent study reported that OpenAI's GPT-3 could construct dangerously convincing spear phishing email messages. And this is just the tip of the iceberg. In 2019, hackers used AI and deepfake technology to defraud a UK-based company of $243,000 by mimicking the CEO's voice over the phone.

It’s not just a matter of infecting the network with malware or ransomware, though these are still popular techniques for siphoning information as part of a larger-scale attack. When we consider all these factors, falling prey to an email attack seems almost inevitable. But there are plenty of things companies can do to protect themselves.

Preventing email-based hacks 

Before we discuss which security tools we can implement to mitigate or prevent security breaches, we need to address the human element. It’s obvious that remote work has impacted the balance in our working lives, so we need to utilize new coping mechanisms. 

Employees should be encouraged to understand and treat directed attention and email fatigue.  Remote workers should be sure to work in a stimulating environment with good ventilation. Taking regular breaks and getting enough sleep are also important tips to avoid fatigue. 

Also, organizations can minimize the risk of falling prey to phishing emails through comprehensive cybersecurity training. Companies should make it a priority to verify that employees are indeed practicing good cyber hygiene and know what to look for in phishing schemes. 

Next, you’ll need to ensure that you’re using the correct email hosting services for your company. According to web developer and marketer Gary Stevens from Hosting Canada, it is vitally important to do your research and look for email hosting providers that make security a top priority. 

“Some of the cheap hosts out there will use outdated email delivery standards that open you and your internal correspondence up to a myriad of potential security risks,” says Stevens. “Do yourself a favor and make sure that whatever host you choose offers IMAP and POP3 email delivery. These security standards will ensure that your private emails stay, well… private, and it will prevent your information from falling into the wrong hands (i.e., competitors and hackers).”

In addition, you’ll need to implement a security protocol with:

  • Advanced persistent threat detection and response 
  • Unified security management from anywhere (USM)   
  • Vulnerability scanning for email
  • Secure web gateway protection

Conclusion

Email fatigue is a concern that companies should not take lightly. In times of crisis, cybercriminals take advantage of the chaos by targeting our stresses and anxieties. Addressing email fatigue, implementing incident response training, and deploying a multi-faceted anti-malware program can thwart cybercriminals and keep your company safe.  
