It seems you can’t read an article on cybersecurity without the work “phishing” being mentioned. Thats due to phishing being the number one delivery vehicle for cyberattacks.

Cybercriminal may want to steal an employees email password, encrpt your files for a ransom or plant key loggers to steal sensitive info. Sending a phishing email is usually the first step most hackers make to start their dirty deeds.

Phishing is also increasing in volume due to the move to a hybrid workforce. As many employees are now working from home they usually don’t have the same network protections they have when working at the office.

But haven’t people learnt by know about what phishing is and do their best to not fall for these schemes?  Yes, people are generally more aware of what phishing emails are and how to avoid them but these emails are becoming harder to spot as scammers evolve their tactics.

One of the their newest tactics is particularly hard to detect and is called reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is copied to one or more people, one replies, and then another. Soon, you have a chain of email replies on a particular topic which list each reply one under the other so everyone can follow the conversation.

Most people don’t expect a phishing email contained inside that ongoing email conversation as people expect phishing to come in as a new message and not a message included in an ongoing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.

But How Does A Third Party Obtain Access to the Reply Chain Email?

The simple way is by hacking the email account of one of those people copied in on the email chain.By emailing from a known and trusted user, the hacker can email a compromised link or attachment from an email address that the other recipients may then click on or open.

Having full access ot the compromised email account allows the hacker to also gain the benefit of reading through the chain of replies, enabling them to craft a response that looks like it fits.

For example, they may see that the email thread is talking about a new poduct or service. The hacker can then send a reply that says something along the lines of, “I have written up some some thoughts on the new product / service, here’s a link to see them”. The link then goes to a malicious site that infects any visiting comptuers.

The reply looks convincing and doesn’t look like a phishing email at all because:

• It comes from a known and trusted email address that has already been participating in the email thread.
• The email can be crafted to fit into the conversation and reference previous itmes mentioned in the discussion.
• The reply can be personalised and use the actual names of people in the thread.

Business Email Compromise is Increasing

Weak and unsecured passwords lead to email account breaches, AKA business email compromise (BEC).

The reply-chain phishing attack is one way that hackers turn that BEC into real money by planting ransomware or selling personal or business sensitive data on the Dark Web.

Tips for Addressing Reply-Chain Phishing

Some ways to lessen the risk of reply-chain phishing in your business are:

• Use Multi-Factor Authentication (MFA) On All Email Accounts.
• Use a Password Manager.
• Educate Employees on Best Security Practices.

How Strong Are Your Email Account Protections?

Do you have enough protection in place on your business email accounts to prevent a Reply-Chain Phishing Attack? Contact us if you would like some help implementing better security practices for your business,