CSI My Email
To really understand how to protect yourself from cyber crime, it helps to understand who’s doing it and, more importantly, why.
Call it “email forensics”, if you like.
The motivations of a cyber criminal generally fall into 4 major buckets, but the vast majority of attacks, more than 90%, are motivated by financial gain and by espionage for both political gain and competitive advantage. The remainder fall under FIGs (Fun, Ideology and Grudges) and other assorted criminal activity.
Financial Gain
Cyber crime is a massive industry.
One estimate places the global cost of cyber crime at $600 billion. This is on the lower end of estimates – as you might imagine, it is a very hard ecosystem to measure. For many cyber criminals, the extremely low cost of entry, low prosecution rates and high potential payouts create a strong incentive to pursue a life of cyber crime. If you factor in poor employment prospects, the incentive for some becomes even clearer. Compared to organized crime, it is cheaper and less dangerous to operate as a cyber criminal – less violent, with a lower risk of being prosecuted, and easy to remain invisible. Cyber crime is growing to be more lucrative than older (dare I say traditional) crime categories, with some estimates saying it will be larger than all illegal drug trade combined by 2021.
The financial gains can come in several forms. There is credit card fraud and impersonation, allowing criminals to use stolen data to make purchases. There is cyber-assisted fraud, which results in victims sending money to the criminals. Ransomware can hold a business or computer hostage until demands are met. Reselling data is another significant means by which cyber criminals generate profit, with the black market (aka the Dark Web) providing high demand for quality data (and even for low-quality data as well).
Political Espionage
Cyberwarfare is the new preferred weapon for many countries looking to settle scores or gain intel.
There’s a wide range of activity here, everything from lone wolf actors to well-established state-sponsored groups. These actions serve a variety of ends. There’s political sabotage, such as the Russian hack of the DNC emails. There’s political revenge, such as the rumored hacking of Sony by the North Koreans in response to “The Interview”, which ridiculed Kim Jong Un. There’s the gathering of intel, such as the data breach of the Office of Personnel Management, which is suspected to have been carried out by Chinese operatives and resulted in the breach of 22 million records. There’s even use as a weapon, such as Stuxnet, believed to be an Israeli and US intelligence-designed tool to destroy Iranian nuclear reactors. The average person doesn’t need to worry about being directly targeted for this reason, unless you believe you have something of significant value to a hostile foreign entity, in which case you may have a lot more to worry about than email security!
Corporate Espionage
Corporate espionage is becoming an increasingly important part of the cyber crime landscape.
The reasons include the theft of intellectual property, blackmail, gaining a competitive advantage through stolen intel, and creating a PR nightmare or sabotage. These are especially relevant given the lack of technological savviness (and email security awareness) found across many industries, which compounds the threat. Thyssen Krupp is one example, having fallen victim to a major theft of intelligence in 2016. The great majority of espionage attacks on corporations, estimated at 90%, come from state-sponsored groups. If you have any information of value to a cut-throat competitor who is particularly brazen in their tactics, this is a case where you’re more likely to encounter an email threat.
The FIGs
The FIGs, or Fun, Ideology, Grudges and the odd mistake, are the motivations behind this last group of attacks.
This group makes up roughly 7% of attacks and is decreasing in frequency. These attacks are often perpetrated by individual actors or relatively isolated groups, who are often pranksters or activists. Think of a celebrity stalker, a disgruntled ex-partner, a fired employee (who still has passwords to critical data), or a WikiLeaks-type politically motivated organization.
Attacks can come from anywhere, from Pyongyang to Florida, Tehran to Bangkok, Moscow to Shanghai, Tel Aviv to, yes, Lagos. Significant attacks have been launched from all these places. All an attacker really needs to launch an attack is a laptop and a cafe, and even an iPhone will do. While cyberwarfare-based attacks tend to lead back to some of the nations mentioned above, attacks that are more focused on financial gain tend to come from individual actors or small groups from a wide array of backgrounds.
So, Why You?
Aside from the motivations listed above, being the victim of an attack is most often the result of bad luck, especially with financially focused, non-targeted attacks – maybe your friend was a victim of a breach, you filled out a form you shouldn’t have, or you trusted a company with your data and couldn’t have known they’d be irresponsible with it.
You are also targeted because you are vulnerable. Criminals and hackers are often engineers and learn to exploit vulnerabilities.
It Starts With An Email
Through all these attacks, one thing remains pretty consistent. A huge majority of these attacks will start with an email.
The email might contain a request to reset a password, a malicious file, or another tool. The victim takes the action the criminal intended and then, often without the victim knowing, a virus or other form of malware is installed. This can run in the background for days, months and even years before being discovered. In the meantime, the hacker is downloading data without anyone knowing it. Or it could immediately lock you out of your computer and demand a ransom.
It’s important to recognize these motivations, as they will help you understand suspicious emails when you encounter them. The best defence against fraud and deception is always a critical eye. When you receive an email that seems out of the ordinary, your first thought should be to try to verify its authenticity, always considering who may benefit from what is being asked for, whether it’s dollars, data or something else.
It’s key to understand what particular risks your organization will face. Individual industries will face very specific threats and vulnerabilities, with each needing tailored email security strategies. Think about the difference in security needs between a nuclear plant, a retail e-commerce company and a lawyer.
Email Security is Everyone’s Responsibility
The FBI and other global law enforcement agencies continue to target cyber criminals, but it is a difficult task. With many of the attacks coming from within rogue states, places with weak law enforcement, or even being launched by states themselves, enforcement presents a monumental challenge. Unlike some other crime vectors, it is not sufficient to rely on law enforcement doing their job. You need to ensure your defenses are up to par. And the first line of defense? We will get into that in the next module.