Phishing – it seems you can’t talk about anything IT-related without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks – and cyberattacks are still on the rise.
A criminal may want to steal employee login credentials, launch a ransomware attack for a payout, or plant spyware to use later once they have planned a larger attack (a technique known as establishing a persistent foothold). A successful phishing campaign gives an attacker an excellent starting point for all kinds of other attacks.
To make things worse, 80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.
Phishing not only continues to work, but it’s also increasing in volume due to the move to remote teams. Many employees are now working from home. Regardless of the benefits, many remote workers don’t have the same network protections they had when working at the office.
Why has phishing continued to work so well after all these years? Aren’t people finally learning what phishing looks like?
It’s true that people are generally more aware of phishing emails and how to spot them than a decade ago. But it’s also true that these emails are becoming harder to spot as scammers evolve their tactics.
One of the newest tactics is particularly hard to detect. It is the reply-chain phishing attack.
What is a Reply-Chain Phishing Attack?
Just about everyone is familiar with reply chains in email. An email gets sent to multiple recipients, someone replies, then another person chimes in on the conversation, creating a long reply chain.
Before long, you have a reply chain with an entire conversation that lists each reply one under the other so everyone can follow it.
You don’t expect a phishing email tucked inside that ongoing email conversation – you’ve been replying to it right along. Most people are expecting phishing to come in as a new message, not a message included in an ongoing conversation.
The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.
How Does an Attacker Gain Access to the Reply Chain?
By compromising the email account of one of the people copied on the chain. Once inside, the attacker can launch their phishing campaign from an address that the other recipients already recognize and trust.
The attacker can also read down through the chain of replies, mimicking the tone of the existing conversation and crafting a response that looks like it belongs there.
For example, they may see that everyone has been weighing in on a new product idea. So, they send a reply that says, “I’ve drafted up some thoughts on the new product, here’s a link to see them.”
The link leads to a malicious phishing site, and Bob’s your uncle. The site might infect the visitor’s system with malware or present a form that steals more login credentials.
The reply won’t seem like a phishing email at all. It will be convincing because:
- It comes directly inside an ongoing conversation.
- It comes from a participant who has already been engaging in the conversation.
- It may sound natural and reference items in the discussion.
- It may use personalization. The email can call others by the names the attacker has seen in the reply chain.
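Because the injected reply comes from a genuine participant’s account, sender checks alone will not catch it; the more useful triage signal is the link itself. The following is an added example, not code from the original post: a heuristic that flags any message in a thread whose links point to a registrable domain that neither appeared earlier in the thread nor belongs to any participant’s organization. The thread and all domains are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample thread (sender address, body). The last message is the
# injected reply-chain phish sent from Bob's compromised account.
THREAD = [
    ("alice@example.com", "Team, thoughts on the new product idea? Let's discuss."),
    ("bob@example.com", "I like it. Current spec: https://docs.example.com/product-spec"),
    ("carol@example.com", "Agreed, Bob. Can we review it on Thursday?"),
    ("bob@example.com", "I've drafted up some thoughts on the new product, here's a "
                        "link to see them: https://example-docs-share.invalid/login"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def org_domain(host):
    """Collapse a hostname to its registrable domain (naive: last two labels)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domains(body):
    """Return the set of hostnames referenced by http(s) links in a message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def flag_suspicious_replies(thread):
    """Return [(index, [new domains])] for messages whose links introduce a
    registrable domain not seen earlier in the thread and not owned by any
    participant. This is a triage signal, not a verdict: a legitimate first
    link to an outside vendor will also be flagged and should be reviewed."""
    seen_domains, participant_domains, flagged = set(), set(), []
    for i, (sender, body) in enumerate(thread):
        participant_domains.add(org_domain(sender.split("@")[-1]))
        domains = {org_domain(h) for h in link_domains(body)}
        new = domains - seen_domains - participant_domains
        if new:
            flagged.append((i, sorted(new)))
        seen_domains |= domains
    return flagged


if __name__ == "__main__":
    for idx, doms in flag_suspicious_replies(THREAD):
        print(f"message {idx} from {THREAD[idx][0]} links to unfamiliar domain(s): {doms}")
```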
Business Email Compromise is Increasing
Business email compromise is so common that it now has its own acronym (BEC). Weak and unsecured passwords lead to email breaches, and so do data breaches that expose databases full of user logins. Both contribute to how common compromise is becoming.
In 2021, 77% of organizations saw business email compromise attacks. This is up from 65% the year before.
Credential theft has become the main cause of data breaches globally. So, there is a pretty good chance of a compromise of one of your company’s email accounts at some point.
The reply-chain phishing attack is one of the ways attackers turn that compromise into money, either by planting ransomware or other malware or by stealing sensitive data to sell on the dark web.
Tips for Addressing Reply-Chain Phishing
Here are some ways that you can lessen the risk of reply-chain phishing in your organization:
- Use a Business Password Manager:
This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won’t need to remember them anymore.
- Put Multi-Factor Controls on Email Accounts:
Require a second factor at login (a challenge question or a one-time code). Enforcing this for email sign-ins from an unfamiliar IP address can stop an account compromise even when the password has already been stolen.
- Configure Risky Sign-In Alerts:
These provide near-instant alerting on accounts that Microsoft or Google believe are being targeted or are at risk of breach.
- Teach Employees to Be Aware:
Awareness is a big part of catching anything that seems slightly “off” in an email reply. Many attackers do make mistakes.
How Strong Are Your Email Account Protections?
Do you have enough protection in place on your business email accounts to prevent a breach? Let us know if you’d like some help! We design email security solutions that can keep you better protected and your staff trained.