In 2018, a group of nine Iranian cyberterrorists stole more than $3 billion in intellectual property from hundreds of targets, including universities, private companies, the US government, and even the United Nations. They didn’t use an advanced computer virus or elite hacking skills. They did all of this using simple email deception.
We’ve come a long way in protecting our computers from malware and viruses in the past couple of decades. Better antivirus software and greater awareness of common scams make it easy to be lulled into a false sense of security. But in reality, cyberattacks are still a huge problem across nearly every industry. In fact, this year’s World Economic Forum Report lists cyber threats as the fourth greatest risk to world economies, after extreme weather, climate change, and natural disasters.
Part of the problem is that, like the Iranian hackers, attackers are relying less on high-level technology, and more on impersonation and psychological tricks to work their way into your network. Verizon’s 2019 Data Breach Investigations Report found that phishing—impersonating a reputable business or individual to trick your victim—is the number one cause of data breaches.
Email attachments are an important part of a phisher’s tool kit. In fact, several studies found that anywhere from 50% – 90% of malware is delivered by email.
Nobody likes to think they could fall victim to a phishing attack, but cyberattackers are becoming more and more skilled at fooling even tech-savvy business professionals into accidentally downloading malware. Once they’ve wormed their way into your computer, they can exploit these vulnerabilities to steal data, transmit viruses, or install ransomware. This is a threat not only to your company’s bottom line but also to your intellectual property and reputation.
Let’s take a closer look at how these attackers work, what tools they use, and how we can all work together to eliminate the threat of email-attachment malware.
Cyberattackers target executives
Everyone is familiar with the Nigerian prince email scam, a ubiquitous attempt at phishing that seems more comical than serious. It’s hard to believe that anyone would fall for such an obvious gambit (but thousands still do, every year).
What you may not realize is that there are much more convincing scammers out there, with an arsenal of tools and tricks designed to gain your confidence. These high-level attackers are increasingly targeting CEOs, CFOs, and others in leadership positions.
The Verizon report found that C-suite employees are statistically much more likely to be targeted in phishing attacks than other employees. This form of phishing is whimsically dubbed “whaling,” because of the value and prestige of the targets. Bigger fish are harder to take down, and these whaling attacks a more difficult to spot because they so specifically targeted.
Cyberattackers have become increasingly sophisticated in their approach to high-level targets. Here are a few of the common tactics they employ:
- Spoofing email addresses: Attackers hide their real email address and disguise their email so that they appear to come from someone you know and trust.
- Personalization: Most whaling emails are carefully crafted to deceive the recipient. They may mention or impersonate colleagues or even family members. In extreme cases, there may be a telephone-communication component to support the veracity of the email.
- Spoofed links: Attackers may embed misleading links that obscure their actual destination. They sometimes create entire fake banking, social media, or other secure login sites in order to trick victims into entering their passwords or other personal information.
- Embedded attachments: Emails may include seemingly innocuous attachments (often PDFs) that contain malicious programs designed to undermine your security and steal your information.
All of these tricks make it very difficult to know exactly who is behind the emails in your inbox, which means caution is needed at all times. Always verify the identity of the sender before clicking any links or downloading any attachments.
The insidious danger of PDF malware
It’s that last bullet point, embedded attachments, that is quickly becoming a major security issue for organizations of all sizes.
While most people know not to download suspicious-looking attachments, PDFs are usually seen as innocuous. They are a part of everyday office life, with documents, contracts, presentations, and other official business frequently shared as email attachments both internally and externally. That makes PDFs the perfect vehicle for sneaking malware onto your computer.
Even scarier: PDF files themselves can contain other embedded or encrypted files. This means that an attacker can conceal a malware file inside an innocent PDF, thereby fooling antivirus scanners and other security controls.
A report by SonicWall Capture Labs threat researchers says that there’s been a substantial increase in PDF malware attacks in 2019. According to SonicWall president and CEO Bill Conner, “Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape.” SonicWall is identifying tens of thousands of attack variants each month, meaning that attackers are evolving faster than security companies working to keep up.
These stats are pretty scary. Malicious email attachments wreak havoc on unsuspecting users and erode everyone’s trust. Luckily, the solution is quite simple.
The solution: Stop sending email attachments.
Stop sending email attachments.
The next time you need to send an important PDF securely, share your documents using a service like DocSend. It allows you to bypass the email attachment step entirely.
It can be dangerous to share important information via attachment. Once you send someone an email attachment, it’s no longer under your control. There’s no telling who it could be shared with. If your recipient’s inbox or email server is hacked, your personal information is at the mercy of those attackers.
Sending email attachments is a clunky process. They take up a lot of space, can become corrupted, erroneously caught in a spam filter, or (ironically) mistaken for malware. It’s easy to lose track of PDFs in a cavernous inbox, which can mean having to resend the same document multiple times.
Instead, upload your documents to DocSend and then send them to your contacts via a secure link. There are almost no extra steps to sending files in this manner, versus as an attachment. You can use our Outlook plugin or Gmail plugin and Chrome extension to easily upload documents and add the links to your emails. You can share a whole library of documents with a single link using Spaces.
The process is safer for both parties: You keep control of your sensitive materials, and the recipient can feel secure in the knowledge that they aren’t accidentally downloading malicious materials to their computer. Most importantly, you will be doing your part in making email inboxes a safer place by reducing the threat of email malware.
The end of email malware attacks
It’s important to remain vigilant against phishing attacks, but attackers rely on the fact that it takes only a single mistake for them to slip into your computer or your business; the higher your position in an organization, the greater your risk of being targeted. As malware and high-profile phishing attacks become more and more sophisticated, it will become increasingly important to critically examine all emails and be cautious about links and downloads.
We can all do our part to make these attackers’ jobs a little bit harder, not just by keeping our wits about us but also by sending documents securely.
A shift away from email attachments and toward secure file-sharing via links can help ensure that your attachments get opened as intended. Sending your documents as links, not attachments, can help establish your credibility and ensure that your contacts trust the material you are sending them.