6600 organisations scammed with 'official email services' so far in 2020

Cyber criminals are increasingly registering accounts with legitimate services, such as Gmail and AOL, to use them in impersonation and business email compromise attacks, says email security firm Barracuda Networks, the trusted partner and leading provider for cloud-enabled security solutions.

In their most recent threat spotlight report, Barracuda researchers observed that 6,170 malicious accounts using Gmail, AOL and other email services have been responsible for over 100,000 BEC attacks, which have impacted nearly 6,600 organisations.

What’s more, since April 1, these ‘malicious accounts’ have been behind 45 per cent of all BEC attacks detected.

Essentially, cyber criminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalised messages for the purpose of tricking other employees into leaking sensitive information or sending over money. Cyber criminals' preferred choice of email service for malicious accounts is Gmail, which accounts for 59 per cent of all email domains used by cyber criminals.

Yahoo is the second most popular, accounting for just 6 per cent of all observed malicious account attacks. Researchers at Barracuda also observed that most malicious accounts (29 per cent) are used for less than 24 hours, most likely to avoid detection and suspension by email providers. However, it is not unusual for cyber criminals to return and re-use an email address for an attack after a long break.

Having analysed attacks on 6,600 organisations, Barracuda researchers found that in many cases cyber criminals used the same email addresses to attack different organisations. The number of organisations attacked by each malicious account ranged from one up to 256, the latter in a single mass-scale attack that impacted 4 per cent of all the organisations included in the research. Similarly, the number of email attacks sent by a malicious account ranged from one to over 600 emails, with the average being only 19.
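The pattern the report describes, a trusted employee's name in the display name with a free webmail address behind it, is one a mail gateway or SIEM rule can flag on its own. The following is an added example, not code from Barracuda or from the report; it assumes a placeholder internal domain (`example-corp.com`), a constructed list of protected employee names, and constructed `From:` header values. It parses each header, checks whether the display name contains a protected name, and raises a verdict when that name arrives from a consumer webmail domain such as Gmail, AOL or Yahoo.

```python
"""Flag inbound mail whose display name matches a protected employee but whose
sender address belongs to a consumer webmail provider (added example)."""
import re
from email.utils import parseaddr

# Assumption: the defending organisation's own mail domain (placeholder value).
INTERNAL_DOMAIN = "example-corp.com"

# Consumer webmail providers named in the report plus two other common ones.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Constructed directory of identities worth protecting (executives, finance staff).
PROTECTED_NAMES = ["jane doe", "ravi patel"]


def name_tokens(display_name):
    """Lower-case alphabetic tokens, so 'Doe, Jane (CEO)' -> {'doe', 'jane', 'ceo'}."""
    return set(re.findall(r"[a-z]+", display_name.lower()))


def matched_protected_name(display_name):
    """Return the protected name whose tokens all appear in the display name, else None."""
    tokens = name_tokens(display_name)
    for name in PROTECTED_NAMES:
        if set(name.split()) <= tokens:
            return name
    return None


def classify_sender(from_header):
    """Classify one From: header value.

    Returns (verdict, impersonated_name, address). Verdicts:
      internal              - sender address is on our own domain
      suspect-impersonation - protected name shown, but address is free webmail
      name-match-external   - protected name shown from some other external domain
      free-webmail          - free webmail sender, no protected name involved
      external              - anything else
    """
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    who = matched_protected_name(display)
    if domain == INTERNAL_DOMAIN:
        return ("internal", None, addr)
    if who and domain in FREE_WEBMAIL_DOMAINS:
        return ("suspect-impersonation", who, addr)
    if who:
        return ("name-match-external", who, addr)
    if domain in FREE_WEBMAIL_DOMAINS:
        return ("free-webmail", None, addr)
    return ("external", None, addr)


def scan_messages(from_headers):
    """Return only the results that warrant analyst attention."""
    return [r for r in map(classify_sender, from_headers)
            if r[0] in ("suspect-impersonation", "name-match-external")]


# Constructed sample headers (not real traffic).
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe.ceo@gmail.com>",
    '"Doe, Jane" <jdoe1971@yahoo.com>',
    "Ravi Patel <ravi.patel@partner.example>",
    "Bob Smith <bob.smith@aol.com>",
    "Vendor Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for verdict, who, addr in map(classify_sender, SAMPLE_FROM_HEADERS):
        print(f"{verdict:22} {addr:35} {who or ''}")
```

The check matches on name tokens rather than the exact string so that reordered or annotated display names ("Doe, Jane", "Jane Doe CEO") still hit. It covers only the case the report describes, a legitimate webmail account wearing an employee's name; a forged sender on the organisation's own domain is a separate problem that SPF, DKIM and DMARC enforcement address, and the `internal` verdict here assumes those controls are already in place.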

Michael Flouton, VP Email Protection, Barracuda Networks told The Commentator, “The fact that email services such as Gmail are free to set up means just about anyone can create a potentially malicious account for the purpose of a BEC attack.

“Securing oneself against this threat requires organisations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests.

“However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”
