Everybody’s Darling – Why Users and Hackers Love Email

Email is one of the most important channels of communication in everyday office life. No other medium makes it so easy to exchange messages at any time and place, or to address large groups of users. However, cybercriminals are also taking advantage of these features.

German employees love to send emails. According to the Digital Office Index 2018 by Germany’s digital association Bitkom, 90% of people send and receive electronic messages ‘very often’. The Adobe survey ‘Email Use 2017 in Germany’ confirms the importance of email to German companies. According to the survey, 77% of those asked said they regularly use this channel of communication with colleagues.

The are good reasons why email is so popular in business communication. After all, email offers many advantages:

Freedom from time and place restrictions.
To talk to someone face to face or over the telephone, your conversation partner has to be there in person or available to take the call. Emails, in contrast, can be answered later and from anywhere with an internet connection.

When sending an email, it is largely irrelevant whether the message is to be sent to one person or to tens of thousands of addressees. This means the medium is not only suited to the direct personal exchange of information, but also to addressing large groups of people, for example through customer newsletters and other communications.

Ability to document and archive
In contrast to a conversation in person or over the telephone, the progression of an email communication can be traced and archived directly and seamlessly. These documents can be referred to in the event of misunderstandings or legal disputes.

The dark side of email communication
Despite, or rather because of, their popularity, emails are not without their problems as a form of communication. The medium also has its disadvantages:

Reduction in productivity
For many, the answering and managing of emails has become their main task. According to a survey by the work management specialists Workfront, 55% of those asked in the USA feel they are prevented from doing their actual work by the constant flow of electronic messages. According to the study, US workers spend around 16% of their work time on writing and reading electronic messages.

Loss and theft of data
Sensitive information can be forwarded on to addressees for whom it is not intended both easily and without being noticed. This is not necessarily done with malicious intent. The auto-complete function of the email programme is often all it takes for this happen, by entering the wrong recipient when an email address is typed in. In many cases, however, sensitive information is presented to the outside world wholly on purpose, in order to deliberately harm the employer or to gain financial advantages. But even if an email with secret data reaches the correct recipient, the medium is actually not suited to such uses. Experts compare the confidentiality level of email with that of a postcard. Although systems like PGP (Pretty Good Privacy) and S/MIME (Secure/Multipurpose Internet Mail Extensions), which can be used to encrypt messages and exchange them securely, have existed for several years, they do not yet enjoy widespread use in companies.

Why cybercriminals love emails
The low costs of email communication and the potential to reach a large of number of recipients with minimum effort soon led to its misuse. The first unsolicited electronic message was sent as early as 1978.

However, the term ‘spam’, which is commonly used for this form of harassment today, was only established in the 1990s. According to the calculations of the security specialists Trustwave, 39% of emails received by companies in 2017 were spam – a real improvement considering the fact that the spam rate ten years earlier was as high as 85%. The economic damages caused remain enormous nonetheless. According to the IT provider Oracle, losses in terms of productivity downturn, energy costs and the wear and tear of computers alone amount to 130 billion US dollars each year. According to the SANS Institute’s calculations, 74% of all cybercrime attacks begin with an email. The following principle methods and techniques of attack can be distinguished:

The mass sending of unsolicited advertising messages is also known as UBE (unsolicited bulk email). Senders usually promote extremely low-priced medications and anti-impotence drugs, counterfeit goods or dodgy financial services.

Advance payments:
These spam messages offer the recipient the prospect of large sums of money. It is often claimed that an unknown, distant relative has died and left a fortune. Another scheme offers the message recipient a substantial commission if they help a politician or business man to transfer large amounts of money via their bank account abroad. To receive the promised sum, however, the recipient must first transfer small sums of money themselves, for example to pay lawyers or notaries or to acquire the required export documents. The ‘advance payments’ are, of course, lost, and the large amounts of money are never paid out.

In this fraud scheme, criminals try to induce the addressee to click on links in an email, or to open attachments. The messages are usually masquerading as official communications from banks, authorities or online shops. To put the recipient under pressure and tempt them to click on links, the hackers threaten them with account suspensions, high fees, financial penalties or collection procedures.

The links lead to prepared websites on which the user is meant to hand over sensitive data such as the login details for their online bank, or their credit card number. Malware such as a blackmail trojan or spyware is hidden in the files. In the fourth quarter of 2018 alone, the Anti-Phishing Working Group (APWG) counted almost 240,000 phishing campaigns and around 138,000 phishing websites. According to research by the market research firm Osterman Research, 34% of security incidents in companies trace back to successful phishing attacks.

Spear phishing:
In this instance, criminals do not send out vast quantities of impersonal spam messages, but address their victims personally. They acquire their information from one of the numerous data thefts and via publicly available information on company websites and social networks.

CEO fraud:
In this scam, also know as ‘whaling’, criminals send deceptively genuine-looking emails that seem to come from a member of the management team. In these emails they instruct the employee to transfer large sums of money abroad in order to conclude a deal. The target is put under intense time pressure and sworn to secrecy. One typical threat is that the future of the company is in jeopardy and the employee will be responsible for the consequences if the deal falls through.

The FBI estimates the worldwide loss caused by CEO fraud to be more than three billion US dollars. The German Federal Criminal Police Office put the number of cases in Germany in 2017 alone at more than 250 cases. Among this crime’s most high-profile victims is the Bavarian automotive supplier Leoni AG, from whom fraudsters were able to scam 40 billion euros, according to company accounts. The chat platform Snapchat was also duped by an email purporting to come from the boss. A member of the payroll department fell for the trick and transferred payroll details and other personal information of current and former employees to the criminals.

Email remains an indispensable form of business communication. No other channel makes it possible to communicate with such ease, regardless of place or time. A large number of customers or business partners can be reached for a negligible cost. To send a message, all that is required is the email address of the potential recipient. However, this simplicity also soon caught the attention of criminals, who flood the inboxes of email users with mass mailings of spam messages. At the same time, the ways in which hackers use email as a tool have become increasingly sophisticated. They reach their climax in targeted attacks on individual people, as seen in spear phishing or CEO fraud.

The role employees play in this and how the security of email communication can be improved will be explored in the next article of this special feature.