In 2018, a group of nine Iranian cyberterrorists stole more than $3 billion in intellectual property from hundreds of targets. This included universities, private companies, the US government, and even the United Nations. They didn’t use advanced malware or elite hacking skills. They did all of this using email attachments and simple deception.
We’ve come a long way in protecting our computers from malware and viruses in the past couple of decades. Better antivirus software and greater awareness of common scams can lull us into a false sense of security. But in reality, cyberattacks are still a huge problem across nearly every industry. In fact, this year’s World Economic Forum Report lists cyber threats as the fourth greatest risk to world economies, after extreme weather, climate change, and natural disasters.
Part of the problem is that attackers are relying less on high-level technology and more on impersonation and psychological tricks to work their way into your network. Verizon’s 2019 Data Breach Investigations Report found that phishing—impersonating a reputable business or individual to trick a victim—is the number one cause of data breaches.
Nobody likes to think they could fall victim to a phishing attack. But cyberattackers are becoming increasingly skilled at fooling even tech-savvy professionals into downloading malware. Once they’ve wormed their way into your computer, they can exploit vulnerabilities to steal data, transmit viruses, or install ransomware. This is a threat not only to your company’s bottom line, but also to your intellectual property and reputation. A single corporate malware attack costs $2.4 million on average, according to Accenture’s 2017 Cost of Cyber Crime study.
Let’s take a closer look at how you can work to eliminate the threat of email-attachment malware.
Cyberattackers target executives
Everyone is familiar with the Nigerian prince email scam, a ubiquitous attempt at phishing that seems more comical than serious. It’s hard to believe that anyone would fall for such an obvious gambit (but thousands still do every year).
There are many more convincing scammers out there with an arsenal of tools and tricks designed to gain your confidence. These high-level attackers are increasingly targeting CEOs, CFOs, and others in leadership positions.
Verizon’s report found that C-suite employees are statistically much more likely to be targeted in phishing attacks than other employees. This form of phishing is often called “whaling” because of the value and prestige of the targets. Bigger fish are harder to take down, and whaling attacks are more difficult to spot because they are so specifically targeted.
Cyberattackers have become increasingly sophisticated in their approach to high-level targets. Here are a few of the common tactics they employ:
- Spoofing email addresses: Attackers hide their email addresses and disguise their emails so they appear to come from someone you know and trust.
- Personalization: Most whaling emails are carefully crafted to deceive the recipient. They may mention or impersonate colleagues or even family members. In extreme cases, there may even be a telephone communication component to attempt to legitimize the email.
- Spoofed links: Attackers may embed misleading links that obscure their actual destination. They sometimes create fake banking, social media, or other sites to trick victims into entering passwords or other personal information.
- Embedded attachments: Emails may include seemingly harmless attachments (often PDFs) that contain malicious programs that compromise security and steal your information.
All of these tricks make it very difficult to know exactly who is behind the emails in your inbox. Because of this, caution is needed at all times. Always verify the identity of the sender before clicking any links or downloading any attachments.
The insidious danger of PDF malware
It’s that last bullet point, embedded attachments, that is quickly becoming a major security issue for organizations of all sizes.
Email attachments are an important part of a phisher’s tool kit. In fact, several studies found that anywhere from 50% to 90% of malware is delivered by email.
While most people know not to download suspicious-looking attachments, PDFs are often overlooked. They are part of everyday office life, with documents, contracts, and other official business frequently shared as email attachments. That makes PDFs the perfect vehicle for sneaking malware onto your computer.
Even scarier: PDF files themselves can contain other embedded or encrypted files. This means that an attacker can conceal malware files inside an innocent PDF, thereby fooling antivirus scanners and other security controls.
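To show what "embedded or encrypted" looks like to a mail filter, here is an added triage example (not from the original article) that counts the PDF name objects marking embedded files, scripts, automatic actions and encryption, including names disguised with `#xx` hex escapes. The sample bytes are constructed, and `MARKERS`, `decode_name` and `triage` are names chosen for this illustration.

```python
import re

# PDF name objects that mark embedded files, scripts, auto-run actions or encryption.
MARKERS = ["/EmbeddedFile", "/JavaScript", "/JS", "/OpenAction",
           "/AA", "/Launch", "/Encrypt"]

# Constructed sample: a PDF-like byte string, not a complete valid document.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (constructed-placeholder) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)

def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes in a PDF name, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def triage(pdf: bytes) -> dict:
    """Return {marker: count} for every marker name present in the raw bytes."""
    counts = {m: 0 for m in MARKERS}
    # A name is '/' followed by characters up to whitespace or a PDF delimiter.
    for name in re.findall(rb"/[^\s\x00/<>\[\]()%{}]+", pdf):
        key = decode_name(name).decode("latin-1")
        if key in counts:
            counts[key] += 1
    return {k: v for k, v in counts.items() if v}
```

A hit is a reason to quarantine or sandbox the file, not proof of malice, and names inside compressed object streams are invisible to a raw-byte scan like this one.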
A report by SonicWall Capture Labs threat researchers says there’s been a substantial increase in PDF malware attacks in 2019. SonicWall president and CEO Bill Conner says, “Increasingly, email, Office documents and now PDFs are the vehicle of choice for malware and fraud in the cyber landscape.” SonicWall identifies tens of thousands of attack variants each month, and attackers are evolving faster than security companies can keep up.
These stats are pretty scary. Malicious email attachments wreak havoc on unsuspecting users and erode everyone’s trust. Luckily, the solution is quite simple.
The solution: Stop sending email attachments.
Stop sending email attachments.
The next time you need to send an important PDF securely, share your documents using a service like DocSend. It allows you to bypass the email attachment step entirely.
It can be dangerous to share important information via attachment. Once you send someone an email attachment, it’s no longer under your control. There’s no telling who it could be shared with. If your recipient’s inbox or email server is hacked, your personal information is at the mercy of those attackers.
Sending email attachments is a clunky process. They take up a lot of space, and they can become corrupted, caught in a spam filter, or (ironically) mistaken for malware. It’s easy to lose track of PDFs in a cavernous inbox, which makes it hard to stay organized.
Instead, upload your documents to DocSend and send them to your contacts via secure link. There are almost no extra steps to sending files this way versus as an attachment. Use our Outlook plugin or Gmail plugin and Chrome extension to easily upload documents and add the links to your emails. You can share a whole library of documents with a single link using Spaces.
The process is safer for both parties. You keep control of your sensitive materials, and the recipient is secure in the knowledge that they aren’t unwittingly downloading malicious materials. Most importantly, you will be doing your part in making email inboxes safer by reducing the threat of email malware.
The end of email malware attacks
It’s still important to remain vigilant against phishing attacks. Attackers rely on the fact that it takes only a single mistake for them to slip into your computer. And the higher your position in an organization, the greater your risk of being targeted. As malware and high-profile phishing attacks become more sophisticated, it will become increasingly important to critically examine all emails. We can all do our part to make attackers’ jobs a little bit harder by sending documents securely.
Shifting away from email attachments and toward secure file-sharing via links ensures that your attachments get opened as intended. Sending documents as links, not attachments, helps establish credibility so that your contacts trust the material you are sending them.