Cybercriminals use a variety of methods to gain access to business networks to install malware, although by far the most common method of spreading malware is spam email. According to a recent study by F-Secure, in 2018, 90% of malware was delivered through spam email.
The most common types of malware delivered via spam email are downloaders, bots, and backdoors, which collectively account for 52% of all infections. Banking Trojans account for 42% and Emotet, Trickbot, and Panda banking Trojans are most common. While 2018 has seen many ransomware attacks on businesses, ransomware account for only 6% of spam-delivered malware. F-Secure notes that throughout 2018, email-based ransomware attacks have declined.
An analysis of spam emails has shown that one of the most effective and most used lures is a failed delivery notification, especially during holiday season. At this time of the year, consumers are likely to be expecting package deliveries.
During holiday season, many consumers let their guard down and respond to messages that they would identify as suspicious at other times of the year. This was demonstrated by F-Secure through simulated Black Friday and Cyber Monday themed phishing attacks. The campaign saw a 39% increase in people responding to the phishing messages than at other times of the year.
F-Secure’s analysis revealed 69% of spam emails attempt to get users to visit a malicious URL. The hyperlinks in the messages direct users to phishing websites where they are asked to enter sensitive information such as credit card numbers, Office 365 logins, or other credentials. Hyperlinks also direct users to sites hosting exploit kits that probe computers for vulnerabilities and silently download malware or trick users into downloading seemingly benign files that contain malicious scripts. 31% of spam messages contain malicious attachments – often macros and other scripts that download malicious software.
In years past, spam emails were relatively easy to identify; however, many of the spam and phishing emails now being sent are much more sophisticated. Cybercriminals are using tried and tested social engineering methods to recipients to disclose sensitive information or install malware. Many spam emails are almost identical to those sent by real businesses, complete with appropriate branding and logos.
With more consumers opening malicious email attachments and clicking hyperlinks in emails at this time of year, businesses face a higher risk of malware infections, email account breaches, and theft of sensitive information.
Naturally, an advanced spam filtering solution should be implemented to prevent malicious messages from being delivered to inboxes. Web filtering technology can be implemented to prevent employees from visiting malicious websites. However, as good as technological solutions are at blocking spam, phishing, and malware downloads, it’s important not to neglect the last line of defense: Employees.
Security awareness training should be provided to all employees to teach them cybersecurity best practices and how to identify malicious emails. Through continuous training, the susceptibility of employees to phishing attacks can be significantly reduced. According to Cofense, training and phishing simulation exercises can reduce employee susceptibility to phishing attacks by more than 90%.