Office email services have been used to impersonate and scam nearly 6,600 organisations so far this year, according to a study by email security firm Barracuda Networks.
Barracuda found that 6,170 malicious accounts that have used Gmail, AOL and other services have been responsible for more than 100,000 business email compromise (BEC) attacks, which have impacted nearly 6,600 organisations. Since 1 April, these malicious accounts have been responsible for 45% of all BEC attacks detected.
“Essentially, cyber criminals are using malicious accounts to impersonate an employee or trusted partner, and send highly personalised messages for the purpose of tricking other employees into leaking sensitive information or sending over money,” Barracuda said.
Gmail is cyber criminals’ preferred service for malicious accounts. According to the Barracuda study, Gmail accounts for 59% of all email domains used by cyber criminals. Yahoo, the second most popular, accounts for just 6% of all observed malicious account attacks.
The study also found that 295 malicious accounts are used for less than 24 hours, likely to avoid detection and suspension by email providers. However, it is not unusual for cyber criminals to return to an old email address and re-use it after a long break. Barracuda also found that cyber criminals often use the same email addresses to attack different organisations. The number of organisations attacked by each malicious email address ranged from one to 256, the latter all hit in a single mass attack. The number of email attacks sent by a malicious account ranged from one to more than 600 emails, with the average being 19.
“[Because] email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purposes of a BEC attack,” said Michael Flouton, vice president of email protection at Barracuda Networks. “Securing oneself against this threat requires organisations to take protection matters into their own hands. This requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests. However, no security software will ever be 100% effective, particularly when the sender appears to have a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”
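The impersonation pattern the study describes, a trusted employee's or partner's name in the display field with a free webmail address behind it, can be checked mechanically at the mail gateway before any employee has to spot it by eye. The following Python is an added example, not Barracuda's product or code from the article; the directory, domain list and sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Free webmail providers named in the Barracuda study (extend as needed).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com"}

# Constructed directory of people and partners whose names are worth protecting,
# mapped to the only domain they should legitimately send from (hypothetical values).
DIRECTORY = {
    "jane doe": "example-corp.com",            # hypothetical finance director
    "acme supplies": "acme-supplies.example",  # hypothetical trusted vendor
}

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _name_key(display_name: str) -> str:
    # Collapse case and whitespace so "JANE  DOE" still matches "jane doe".
    return re.sub(r"\s+", " ", display_name).strip().lower()

def flag_impersonation(headers: dict) -> list:
    """Return reasons the message looks like free-webmail impersonation (empty = no finding)."""
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = _domain(addr)
    expected_domain = DIRECTORY.get(_name_key(name))
    reasons = []
    if expected_domain and sender_domain != expected_domain:
        reasons.append(f"display name {name!r} belongs to {expected_domain}, sent from {sender_domain}")
        if sender_domain in FREEMAIL_DOMAINS:
            reasons.append(f"sender domain {sender_domain} is a free webmail provider")
    # A Reply-To pointing elsewhere is how replies get diverted to the attacker's mailbox.
    reply_domain = _domain(parseaddr(headers.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")
    return reasons

# Constructed sample headers, not real traffic.
SAMPLES = {
    "impersonation": {"From": "Jane Doe <jane.doe.exec@gmail.com>",
                      "Reply-To": "jane.doe.exec@gmail.com",
                      "Subject": "Urgent wire transfer"},
    "legitimate": {"From": "Jane Doe <jane.doe@example-corp.com>"},
    "ordinary_freemail": {"From": "Bob Customer <bob@gmail.com>"},
    "vendor_reply_to": {"From": "Acme Supplies <billing@acme-supplies.example>",
                        "Reply-To": "acme.billing@aol.com"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", flag_impersonation(hdrs) or ["no finding"])
```

Note that an unknown sender on Gmail is deliberately not flagged: the signal is a protected name paired with the wrong domain, not free webmail on its own.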