Marketers and PR people send a LOT of emails. While there may be some nuance depending on the industry you work in, it’s likely an enterprise-level company’s marketing team is sending emails to thousands of recipients every week. And lately, marketers have been attempting to ride the wave of a surge in email marketing engagement during our new work-from-home normal.
Like a Georgia mosquito to blood, the cybercriminals swoop in.
As a marketer, you may not realize that the vast majority (67%) of data breaches are caused by email phishing attacks, according to the most recent Verizon Data Breach and Incident Response report. Many such attacks spoof popular brands that you and I are most accustomed to receiving emails from, like Amazon, Google and Walmart.
Unfortunately, COVID-19 has made the phishing epidemic worse. With remote work exacerbating security gaps, attackers have upped the frequency of their phishing to exploit distracted parents and weaker security controls commonly found outside of the office.
In fact, Google’s Threat Analysis Group reported in mid-April that they blocked 18 million COVID-19 themed malware and phishing emails per day. With marketers eager to enjoy the benefits of a rise in digital shoppers and email open rates, it’s possible that a future email campaign could become the target of the next great email phishing event.
Beware of Phishing Attacks Targeting Marketers
Because of the large volume of emails sent and received, marketers and PR pros are especially vulnerable to phishing attacks impersonating brands and people.
Below, we consider three examples shining a light on why the phishing threat is so great for marketers.
In one recent attack uncovered by global email security (and Alloy client) IRONSCALES, attackers targeted email delivery service providers, Mailgun and SendGrid. The attacks attempt to trick recipients into believing that “the following services failed to auto-renew and are about to expire.” Such spoofing messages, which appear to come from “renewal teams,” provide a link to a fake phishing website where recipients are prompted to “update” their credit card on file so as to avoid any disruption in service.
As ZDNet points out, Microsoft Office 365 is core to many businesses from Exchange to Teams to SharePoint, and attackers have taken notice. As one of the most widely used email platforms for agencies, Microsoft is a common target for email phishing scams, sending users to fake login pages that then lead to credential theft (username and password). Marketers should be wary of any suspicious link they receive and either send it to their IT team or try using a free URL scanner to verify its legitimacy. Again, it’s unlikely that marketers are the end-goal for these attackers, but rather an entry point to harvest information that could be exploited for financial gain.
You’ve probably seen this one before - you get an email that looks to be from your manager or boss asking to pick up a gift card or another similar task. These are called business email compromise (BEC) attacks that rely on social engineering to get the recipient to fall for a tactic. Rather than include a malicious payload (link, attachment), these attacks prey on tricking an individual into replying to an email and providing the attacker with compromising information. These attacks are effective and alarming, which is why IT Pro Portal calls humans the “most dangerous component” of cyberattacks.
Marketing leaders must be aware of these common phishing schemes and report suspicious activity to IT or security personnel without hesitation.
At Alloy, we invest more time, money and resources in cybersecurity than most agencies. From password managers and email security to cloud app security and phishing awareness training, we want our clients to have complete trust in our ability to keep their data safe and secure.
As we all navigate COVID-19 together, Alloy surveyed 100 tech companies in a new data report. Click here to learn more about marketing in a post-COVID world.