Why Does Email Continue to Be a Major Source of Cyber Threats?
For many attackers, email is low-hanging fruit: one of the easiest ways through an organization's defenses. To illustrate, Christie Business Holdings Company, which does business as Christie Clinic, was recently hit with an email attack designed to steal information about its dealings with a third-party vendor. Getting in did not require breaking through the network perimeter; the attacker only needed to gain access to a single email account.
Whether the attacker managed to intercept transactions between Christie Clinic and one of its providers is unclear, but that is the least important detail of the story. With access to Christie Clinic's email system, and to the details of as many as 500,000 people, the attacker could have launched any number of follow-on attacks, including ransomware, other malware-based attacks, and elaborate social-engineering schemes.
Mailchimp Phishing Attack Targets Cryptocurrency Wallets
A recent attack on Mailchimp took aim at users of Trezor, a maker of cryptocurrency hardware wallets. According to reports, the attackers social-engineered Mailchimp employees, used the resulting access to Mailchimp's internal tools to export Trezor's customer mailing list, and then emailed those customers a convincing notice urging them to download a supposedly updated version of Trezor Suite. The link led to a trojanized build of the application that prompted victims for their wallet recovery seed, which is all the attackers needed to empty the wallets.
Ironically, but not surprisingly, the attacker used the specter of a fake breach to execute a real one: the message claimed Trezor had been attacked on April 2, 2022, and that users "must assume that [their] cryptocurrency assets are at risk of being stolen." Unfortunately, it worked: it appears that more than 100 Trezor users fell for the scam.
As the Mailchimp/Trezor and Christie Clinic examples show, many attackers are forgoing technically demanding assaults on firewalls and other security technology in favor of email-based attacks. Defeating a well-maintained security stack and the threat intelligence behind it is expensive and slow, so attackers fall back on the oldest tricks in the book, human manipulation and mind games, to slip into an email system.
Email Clients and Servers: An Overview
The email attack surface can be divided into mail clients and mail servers. An email client (a mail user agent) is what users interact with when they write, read, and send messages. A desktop application such as Outlook is one kind of client; a webmail page open in a browser is another. Either way, the client is the bridge between the user and the mail servers.
An email server (a mail transfer agent) is what actually sends and receives messages. The client hands a new message to the sender's server over SMTP; that server relays it, again over SMTP, to the recipient's server, where it sits until the recipient's client fetches it (typically over IMAP or POP3) or displays it through webmail.
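The hand-off from client to server described above, as an added example that is not code from the original article: a minimal in-process SMTP server state machine and a client that drives it through one submission. It also shows a detail with direct security consequences, namely that the envelope sender given in MAIL FROM and the From header the recipient sees are set independently, so nothing in the protocol itself stops a sender from putting someone else's address in the header. Hostnames and addresses are invented for the demo.

```python
"""Simulated SMTP submission: a mail client (MUA) handing one message to a mail server (MTA).

Added example, not code from the original article. The server is a tiny in-process
state machine that speaks just enough of the SMTP command/reply grammar (RFC 5321)
to accept one message; nothing touches the network. Hostnames and addresses are
invented for the demo.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


class MiniSmtpServer:
    """Accepts SMTP commands one line at a time; keeps the envelope separate from the message data."""

    def __init__(self, hostname="mx.example.test"):
        self.hostname = hostname
        self.envelope_from = None
        self.envelope_rcpts = []
        self.data_lines = None   # None outside DATA, a list while the client sends the message
        self.messages = []       # (envelope_from, envelope_rcpts, raw_bytes) per accepted message

    def handle(self, line: str) -> str:
        """Return the server's reply for one client line ('' while receiving message data)."""
        if self.data_lines is not None:
            if line == ".":      # a lone dot terminates the message
                raw = "\r\n".join(self.data_lines).encode() + b"\r\n"
                self.messages.append((self.envelope_from, list(self.envelope_rcpts), raw))
                self.data_lines, self.envelope_from, self.envelope_rcpts = None, None, []
                return "250 OK: queued"
            self.data_lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            self.envelope_from = arg[5:].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT" and arg.upper().startswith("TO:"):
            if self.envelope_from is None:
                return "503 Bad sequence of commands: MAIL first"
            self.envelope_rcpts.append(arg[3:].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            if not self.envelope_rcpts:
                return "554 No valid recipients"
            self.data_lines = []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command unrecognized"


def submit(server: MiniSmtpServer, envelope_from: str, rcpts: list, msg: EmailMessage) -> list:
    """Client side of the session; returns the transcript as 'C: ...' / 'S: ...' lines."""
    transcript = []

    def send(line):
        transcript.append("C: " + line)
        reply = server.handle(line)
        if reply:
            transcript.append("S: " + reply)
        return reply

    send("EHLO client.example.test")
    send(f"MAIL FROM:<{envelope_from}>")
    for rcpt in rcpts:
        send(f"RCPT TO:<{rcpt}>")
    send("DATA")
    for line in msg.as_string().splitlines():
        send("." + line if line.startswith(".") else line)  # dot-stuff lines that begin with '.'
    send(".")
    send("QUIT")
    return transcript


def demo():
    """Show that the header From (what the recipient sees) and the envelope sender are unrelated."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@victim.example>"   # displayed by the recipient's client
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please process the attached invoice today.")

    server = MiniSmtpServer()
    transcript = submit(server, "bulk@attacker.example", ["finance@victim.example"], msg)
    envelope_from, rcpts, raw = server.messages[0]
    stored = BytesParser(policy=policy.default).parsebytes(raw)
    return envelope_from, str(stored["From"]), transcript


if __name__ == "__main__":
    env_from, header_from, transcript = demo()
    print("\n".join(transcript))
    print(f"\nenvelope MAIL FROM: {env_from}\nheader From:        {header_from}")
```

Running the script prints the full command/reply exchange followed by the two sender values, which differ. Real receiving servers close this gap with SPF, DKIM and DMARC checks rather than with anything in SMTP itself, and a client that displays only the header From is showing the recipient the attacker-controlled value.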
Why Hackers Attack Email Clients
When an attacker targets an email client, they’re either trying to:
- Obtain passwords or other information stored on the client
- Take advantage of unauthorized access to a user’s client
Using a compromised account to send and receive emails, they can pose as someone inside the organization. They can also reuse the account's credentials to reach other sensitive information, particularly if the organization uses email addresses as usernames for other sites, and the mailbox itself receives the password-reset links for those sites. This appears to be what happened in the Christie Clinic attack, where a single business email account was compromised and then used in an attempt to steal information.
Why Hackers Attack Email Servers
An attack on an email server is a different kind of assault because it involves getting inside the computer that relays messages between people and organizations. When you use an email service such as Gmail or Outlook, your messages do not travel straight from your PC to the recipient, even if you keep local copies; they pass through the service's servers on the way.
As a result, servers hold mountains of sensitive mail. If an attacker compromises a server, the attack can unfold as follows:
- Once inside, they locate the messages the server has received and stores
- They open and read those messages
- They look for threads that are waiting on a response to a specific issue, particularly one that could plausibly be resolved with a downloadable document, application, or other file
- They abuse their access to send a reply that appears to come from the legitimate correspondent. The reply includes a download that supposedly resolves the issue or provides critical information. In reality it carries malware, which is then used to take over or corrupt the original sender's computer or network
This merely scratches the surface of what a hacker could do if they gain access to an email server, especially because people often exchange sensitive data over email.
Why Email Is Still Target No. 1 for Cybercriminals
Email has kept its position as the most attractive low-hanging fruit because it offers direct access to the weakest link in most companies' security chain: people. It is relatively easy to make a fake email look authentic, especially when the recipient does not know how to spot email fraud or is simply too busy to take one or two extra verification steps.
An email attack also gives a hacker access to a deep pool of potential victims. Using spam, for example, they can target many people at the same time, and all a criminal needs are their email addresses.
Additionally, if an attack succeeds in getting sensitive user credentials, the hacker can flip a quick profit by selling the info on the dark web. For attackers who are more focused on making a quick buck than orchestrating complicated, devastating attacks, email is an ideal vector to exploit.
Major Security Threats to Expect in an Email
Some of the most prominent threats to watch out for include malware, spam and phishing, social engineering, entities with malicious intent, and unintentional acts by authorized users.
1. Malware
In a malware attack, the hacker’s objective is to infect either a mail server or a user’s computer with malware. Once the malware has been planted, it can execute a ransomware attack, exfiltrate data, set up a backdoor for a future attack, and much more.
2. Spam and Phishing
Spam is more than an irritation. Within the haystack of seemingly harmless ads and "warnings" are sinister needles, such as malware and malicious links, waiting for someone to click.
Also, with a well-crafted spam email, a hacker can successfully phish for sensitive information. The target may visit a website, for instance, that appears legitimate but is actually designed to steal sensitive data, as was the case in the Mailchimp/Trezor attack.
3. Social Engineering
Because social engineering involves manipulating people into compromising information or systems, email is an ideal attack vehicle. A lot of folks still trust the emails they receive, especially if they appear to come from a trusted person or entity. They may not notice they’re being manipulated until it’s too late.
4. Entities with Malicious Intent
For anyone with malicious intent, an email server is like a playground. They can use it to:
- Steal usernames and passwords
- Send malware and malicious links
- Steal sensitive company information
- Sabotage an individual or organization by sending fake emails from real addresses
5. Unintentional Acts by Authorized Users
Sometimes, a well-meaning user can email sensitive data or proprietary information to the wrong person or entity. This can have both legal and reputational repercussions.
DOJ Action vs. Email Threats and How Security Companies Are Helping
The Department of Justice (DOJ) has been hot on the trail of cybercriminals who launch attacks via email. For example, the DOJ has charged members of a group that ran a phishing campaign against some 300 universities in 21 countries. The defendants are alleged to have acted on behalf of Iran's Islamic Revolutionary Guard Corps (IRGC), which plays an important role in Iran's intelligence gathering.
Cybersecurity companies have also been stepping up to support these government efforts. For instance:
- Cisco has outlined several tools organizations can use to meet the DOJ’s cybersecurity objectives
- Kaspersky has designed products that meet the needs of national cybersecurity teams
- Fortinet has developed Fortinet Federal, which is designed to meet the demands of strict government cybersecurity standards
How to Protect Sensitive Information Sent via Email
To safeguard sensitive information when using email:
- Keep private information private. Never provide private information over email to anyone you don't know unless you can verify, through a channel other than the email itself, that they have a legitimate reason for asking
- Think before you click. Before visiting any page linked from an email, check where the link really goes by hovering your cursor over it (or long-pressing it on a mobile device) and comparing the actual destination with the text displayed; the two do not have to match, and a mismatch is a classic phishing sign
- Verify email addresses before sending sensitive information. Avoid sending bank details or proprietary information to anyone whose email address you can't confirm, and be especially wary when a reply in an existing thread suddenly asks for new payment details
- Delete emails with sensitive information. If someone sends you a message containing sensitive information, delete it permanently rather than leaving it in the trash folder. Bear in mind that this removes only your copy; the mail server, its backups, and the sender's Sent folder usually still hold the message, so deletion limits the exposure rather than eliminating it
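The checks above, together with the hijacked-reply scenario from the server section and the spoofed-sender and look-alike-site threats described earlier, can be turned into a simple triage script. The following is an added example, not code from the original article: it parses a message and flags a Reply-To that diverges from the From domain, links whose visible text names one host while the href points elsewhere (what hovering over the link would reveal), executable attachments, and authentication failures recorded in an Authentication-Results header. The two sample messages, and every address and host in them, are constructed for the demo; the `registrable()` helper is a deliberate simplification and real code should consult the Public Suffix List.

```python
"""Triage an inbound message for the red flags the article describes.

Added example, not code from the original article. All messages, addresses and
hosts below are constructed for the demo.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk", ".iso", ".msi")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain, lowercased ('' if the text is not URL-like)."""
    try:
        return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    except ValueError:
        return ""


def registrable(host: str) -> str:
    # Crude last-two-labels approximation; real code should use the Public Suffix List.
    return ".".join(host.split(".")[-2:]) if host else ""


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyze(raw: bytes) -> list:
    """Return human-readable findings for one RFC 5322 message (empty list if nothing is flagged)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    auth = str(msg.get("Authentication-Results", ""))   # added by the receiving server, if any
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed according to Authentication-Results")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if "." in shown and registrable(shown) != registrable(actual):
                findings.append(f"link text shows {shown} but points to {actual}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"executable attachment {name}")
    return findings


def sample_phish() -> bytes:
    """Constructed phishing-style reply in a vendor thread; every address and host is invented."""
    m = EmailMessage()
    m["From"] = "Vendor Billing <billing@vendor.example>"
    m["To"] = "ap@clinic.example"
    m["Reply-To"] = "billing@vendor-billing-support.example"
    m["Subject"] = "RE: Updated remittance details"
    m["Authentication-Results"] = ("mx.clinic.example; spf=fail smtp.mailfrom=vendor.example; "
                                   "dkim=none; dmarc=fail header.from=vendor.example")
    m.set_content("Please confirm the new account via the portal and review the attached statement.")
    m.add_alternative('<p>Please confirm via <a href="http://vendor.example.login-check.example/">'
                      'https://portal.vendor.example/</a> and open the attached '
                      '<a href="https://portal.vendor.example/docs">statement</a>.</p>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Statement_Q2.pdf.exe")
    return m.as_bytes()


def sample_clean() -> bytes:
    """Constructed benign internal message with none of the indicators."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@clinic.example", "bob@clinic.example", "Lunch?"
    m.set_content("Noon works for me.")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyze(sample_phish()):
        print("FLAG:", finding)
```

Each finding is a hint, not a verdict: a legitimate newsletter may use a different Reply-To domain, and a missing Authentication-Results header simply means the receiving server did not record its checks. The value of the script is that it makes the hover-over-the-link comparison and the sender checks mechanical, so a busy reader does not have to remember to do them by hand.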
Stay One Step Ahead of Attackers
Your organization doesn't have to be the next headline. Email remains a primary attack vector, but once employees and executives know what to look for, they can avoid handing attackers access to sensitive material. In this way, you can anticipate and blunt the most common attacks (malware, spam, phishing, and social engineering) before they affect your organization.