Phishing, i.e. attempts to access and retrieve personal or business information through fraudulent activities, is still regarded as the number one online cybersecurity crime. Cybercriminals are interested in stealing individuals' bank details and companies' system login credentials, launching ransomware attacks, or undertaking industrial espionage, and phishing is a method that allows them to do that.
Highlighting the ongoing seriousness of this type of online attack, a recent survey of cybersecurity professionals states that online phishing campaigns and attacks have significantly increased in recent years. Not only have phishing attacks proven to be effective, but they are also increasing due to the recent trend of employees working from home. When an employee works away from the company office, their reliance on the safety and security of the organisation's network protections and systems is decreased.
While the public have become more aware of phishing attempts through email and other delivery methods, the techniques of the perpetrators of these attacks have evolved to become more sophisticated and harder to identify and detect.
One of the newest techniques of phishing that we are witnessing, which is particularly difficult to detect, is the reply chain attack.
Reply Chain Phishing – What is it?
A reply chain can be found in answered emails and messages, and it is a common occurrence in online correspondence. When a person replies to an email, the original email that they are replying to is copied underneath their own reply, and if the conversation continues between two people or a group, each new reply is also copied underneath the latest response, thus creating a chain of historical replies. Users find this a useful feature, as they can view the historical conversation on a subject between two or more people and gain further information and context from it.
A reply chain phishing attack can occur when an entity inserts a malicious message into the email reply chain. As most users expect phishing attempts to arrive via a new message, they may not be as vigilant in their own security when perusing and actioning an ongoing conversation that they or others might already be taking part in, and it is this reduction in vigilance by users that cybercriminals are able to exploit for their own advantage.
How Can a Cybercriminal Gain Access to a Reply Chain?
To place a phishing message in an email reply chain the cybercriminal first needs to gain access to the conversation. The easiest way for them to do this is by hacking one of the participating user’s email accounts.
If a cybercriminal gains access to a user’s email account, they can begin sending messages from it. Other users will trust this hacked account and its sender since they will recognise it as a source of information. The infiltrator can also read earlier responses in the reply chain, which will aid them in their deception.
For example, the offender may glean information from a conversation about a new product being developed, which for this purpose will be called "Stop Spam". As this is a vital part of the conversation, they can make sure that their phishing email mentions the Stop Spam product, to add a form of authenticity to their content. A phishing email could be worded as "I have some new ideas regarding the Stop Spam product. Here is a link to them". The link contained in the email will in fact be malicious in intent, and it will redirect the users in the reply chain conversation to a phishing attempt, such as a fake form that steals login credentials or a page that downloads malware or spyware.
Here are some of the reasons why staff may not be able to detect a phishing email and its ill intent:
- The message will originate from the email address of a colleague or a friend, which is already known and trusted by the receiver.
- The message may sound naturally spoken and reference items and words of importance that have been mentioned previously.
- The message may use personalisation, such as a first name, which can be learned from the previous reply chain messaging.
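Because the sender address, tone and personalisation all look legitimate in this attack, one defensive signal that survives is the link itself: a genuine follow-up in a long thread rarely introduces a link to a domain that has never appeared anywhere in the quoted history. The following Python triage heuristic is an added example written for this page, not code from the original article. It splits a plain-text reply into the new text and the quoted history, collects the link hostnames on each side, and flags hosts in the new text that neither the earlier messages nor the organisation's own domains vouch for. The sample messages, names and `example.com` / `example.net` domains are constructed placeholders, and the quote-marker patterns are assumptions about common mail-client formats.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Lines that, in common mail clients, mark where the quoted history begins
# (assumed formats: ">" prefixes, "On ... wrote:", "Original Message", "From:").
QUOTE_START_RE = re.compile(
    r"^(>|On .+ wrote:|-{2,} ?Original Message ?-{2,}|From: )", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def split_reply_chain(body: str) -> tuple[str, str]:
    """Split a plain-text body into (new_text, quoted_history)."""
    lines = body.splitlines()
    for i, line in enumerate(lines):
        if QUOTE_START_RE.match(line.strip()):
            return "\n".join(lines[:i]), "\n".join(lines[i:])
    return body, ""


def link_hosts(text: str) -> set[str]:
    """Hostnames of every http(s) link in the text, lower-cased."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;:!?")).hostname  # drop trailing punctuation
        if host:
            hosts.add(host.lower())
    return hosts


def is_known(host: str, known: set[str]) -> bool:
    """True if host equals a known domain or is a subdomain of one."""
    return any(host == k or host.endswith("." + k) for k in known)


def flag_new_link_hosts(raw_message: str, org_domains: set[str]) -> list[str]:
    """Link hosts in the new reply that neither the quoted history nor the
    organisation's own domains vouch for; an empty list means nothing to flag."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # the constructed samples are single-part text
    new_text, history = split_reply_chain(body)
    known = link_hosts(history) | {d.lower() for d in org_domains}
    return sorted(h for h in link_hosts(new_text) if not is_known(h, known))


# Constructed sample: a reply inserted into an existing thread about the
# "Stop Spam" product. Names and domains are placeholders, not real systems.
SUSPICIOUS_REPLY = """\
From: alice@example.com
To: bob@example.com
Subject: Re: Stop Spam product spec

I have some new ideas regarding the Stop Spam product. Here is a link to them:
https://stop-spam-ideas.example.net/review

On Mon, 3 Jun 2024 09:12, Bob <bob@example.com> wrote:
> Latest spec is at https://docs.example.com/stop-spam/v2
> Thanks, Bob
"""

BENIGN_REPLY = """\
From: alice@example.com
To: bob@example.com
Subject: Re: Stop Spam product spec

Thanks Bob, comments added at https://docs.example.com/stop-spam/v2#comments.

On Mon, 3 Jun 2024 09:12, Bob <bob@example.com> wrote:
> Latest spec is at https://docs.example.com/stop-spam/v2
> Thanks, Bob
"""

ORG_DOMAINS = {"example.com"}  # assumed: the organisation's own domain(s)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_REPLY), ("benign", BENIGN_REPLY)):
        flagged = flag_new_link_hosts(raw, ORG_DOMAINS)
        print(f"{label}: {flagged or 'no new link hosts'}")
```

This is a triage signal, not a verdict: a colleague can legitimately share a brand-new domain, so a flagged host is a reason to route the message for review or to show the recipient a warning banner, not to block it outright. Running the block prints `suspicious: ['stop-spam-ideas.example.net']` and `benign: no new link hosts`.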
The Compromising of Business Email Messaging is Increasing
The compromising of business email is increasing, with one report showing that in 2021 77% of businesses were subjected to email compromise attacks, up from the 65% reported for 2020.
Reply chain phishing is unfortunately proving to be a valuable opportunity for cybercriminals, and they will continue to employ this method for as long as it is profitable.
As credential theft is the number one cause of security breaches globally, it is very likely that your organisation's email accounts will be subjected to malicious attempts at some point in the future.
Ways That You Can Reduce the Risk of Reply Chain Phishing
There are some simple and practical ways that you can reduce the risk of reply chain phishing to your organisation:
- Use A Password Manager
By employing a password manager across your organisation, staff no longer need to rely on easy-to-remember passwords for the many applications and logins that they access. They can use more complicated and varied passwords throughout their activities without the burden of needing to remember them.
- Enable A User Challenge on Email Accounts
By enabling a user challenge, i.e. a question or login code, on email accounts, you add a simple layer of security that may be sufficient to deter and stop any attempt to illegally compromise your organisation's messaging.
- Increase Staff Knowledge and Awareness
Staff knowledge and awareness of security matters is a vital component of any overall online security strategy. As staff are often the first point of contact for malicious attempts, their awareness of them can provide important assistance in preventing them.
Is Your Email Security Strong Enough?
Email security is an ongoing and evolving issue, and it is important that you and your organisation are up to date and using the latest methods and systems to ensure that the protection of your business is as good as it can be.
We can help you to achieve that. Just let us know what your needs are or if you would like us to examine your existing online security practices, and we will suggest what, if any, improvements need to be made.