What Are Cyberthieves After & How Do They Leverage Email to Obtain It?

Cybercriminals are readily taking advantage of organizations’ increased reliance on email as a preferred channel for confidential business communications, along with common weaknesses in traditional methods of securing business email, to cripple corporate networks and systems with ransomware and gain access to sensitive information that can be monetized for personal gain.

Over 90% of modern cyberattacks begin with a phishing email, and Guardian Digital researchers have identified a 600% increase in phishing attacks since the start of the pandemic. Ransomware and phishing attacks dominate security news headlines daily and have become so commonplace that they often fail to turn heads as they did in the past, but the harsh reality is that these threats are becoming increasingly dangerous, disruptive, and costly for all businesses. This article will provide a glimpse into cyberthieves’ motives for launching email-borne attacks, the mechanisms that make these attacks so successful, and what businesses have to lose in a cyberattack or a breach due to inadequate email security defenses.

Examining Cybercriminals’ Motives & Methods for Success

Cyberthieves use email attacks like phishing and business email compromise (BEC) because they’re a successful way for them to gain access to valuable corporate assets - account numbers, PINs, SSNs, medical info, credit cards, bank accounts, or other personally identifiable information (PII). - that can be used to make fraudulent transactions, initiate fraudulent wire transfers, and ultimately be monetized for financial gain. Account takeover (ATO) is another popular and dangerous tactic that gives cybercriminals a valuable foothold into an organization and can cause unprecedented damage by compromising further accounts, initiating fraudulent wire transfers or transactions, or infecting corporate systems with dangerous malware. 

Social engineering, a method of deception that is used in 98% of all cyberattacks, leverages personal and business context to establish trust between the victim and the attacker, with the goal of obtaining sensitive information. Social engineering techniques have been used for centuries by cybercriminals, though the immensity of this threat has increased drastically. Attackers are now developing methods of compromising sensitive information by searching through the internet and social media accounts. These campaigns are successful due to the fact that relationships have already been built between the target and superior, colleague, or company the attacker is posing as.

Cybercriminals are also now using the pandemic and the remote or hybrid work environment to their advantage, and new attacks are emerging. These attacks are used to target cloud email users, such as sophisticated spear-phishing, malware, and BEC campaigns that prey on human error. The majority of these scams employ malicious URLs leading to fake login pages of fraudulent websites. Opening a malicious URL or attachment can lead to stolen credentials or install malware onto your device.

The above image depicts a phishing email containing a malicious URL that was detected and quarantined by Guardian Digital EnGarde Cloud Email Security. See more examples of malicious emails and get tips on how to identify and protect against them in a recent blog post: Think Like A Criminal: How To Identify Malicious Emails.

Mechanisms Used in Popular Email Attacks


There are several variants of phishing attacks, ranging from standard en masse campaigns to highly targeted spear-phishing attacks. Phishing attacks work to convince someone to click on a malicious link, login to a fake website, or run an executable by using social engineering tactics to steal a users’ data or to reveal financial information. Cybercriminals have a series of techniques at their disposal to build lists of targets, such as email addresses stolen in a data breach. Attackers will then impersonate known contacts and manipulate the target using identity deception techniques like domain spoofing and lookalike domains. Once users take the bait by opening phishing site links and entering their credentials, the phisher will be able to compromise the account and steal money by making a fraudulent wire transfer.


Spear-phishing is a more targeted form of a phishing attack, with the intention of reaching a specific individual and compromising their system or account or installing malware on their computer to be used in other attacks. The process begins with the attackers researching and collecting data accessible on the internet to build their target list. Attackers will then develop fake websites designed to impersonate legitimate companies or brands to manipulate victims. Once the campaign is launched, attackers use tactics such as spoofing, look-alike domains, or display name deception as opposed to malicious links or attachments to convince the email recipients. If the victim opens a malicious attachment or clicks a phishing link, the attackers can then login to the victim’s account or access their system to steal sensitive information to be monetized.


Ransomware is a variant of malware that works by blocking access to a victim’s computer system, encrypting critical files, and demanding a sum of money to be paid. A majority of ransomware is delivered via email. Ransomware is either purchased on the Dark Web or quickly launched using hosted services. Much like phishing attacks, threat actors will manipulate their targets by using social engineering tactics, such as posing as trusted individuals or organizations. Once the victim is tricked into believing the sender is legitimate and opening a malicious attachment, the ransomware is activated and the payment is demanded. The system is encrypted until a form of payment is made, typically in the form of untraceable bitcoin, though many victims never recover their systems even after making the payment.


Malware attacks also use spoofing tactics as well as urgency and social engineering to trick a victim into opening a malicious link or attachment. The hackers gain access to the internal network after compromising a system or an email account. Once the hacker has gotten into the organization, they will then typically install a remote-access Trojan that allows them remote access that may go undetected for long periods of time. Developing a connection to the internal network, these cybercriminals will attempt to compromise additional systems and accounts. The last step in a malware attack is the theft of sensitive data and disruption of business operations after corrupting critical systems.

Fileless malware is a payload-less email attack that runs in a computer’s random access memory (RAM) and is typically delivered via phishing emails. When the victim opens a fraudulent website created by the attacker, the site will look for known vulnerabilities in applications, like Flash or Java. These vulnerabilities will most likely be exploited into running a malicious code in the memory of the browser memory. Unlike traditional malware, fileless malware doesn’t leave a signature as it doesn’t leverage executable files.

Macros in Word documents could also result in malware being installed on your computer and network, which can then build a long-lasting tunnel between your network and the threat actor, potentially siphoning off your data without you ever even knowing it. 

Business Email Compromise (BEC)

Like spear-phishing scams, business email compromise (BEC) attacks begin with threat actors building a list of targets by scouring business contact databases, social media profiles, and corporate websites to identify employees and their relationships within the company, as well as using the same spoofing methods to impersonate the individual, such as an executive, CEO or CFO. Expressing urgency and preexisting trust are used to convince the victim to proceed with the request in the malicious email, often resulting in a data breach with a hefty financial loss. 

The image to the right depicts a BEC email that was detected and quarantined by Guardian Digital EnGarde Cloud Email Security. See more examples of malicious emails and get tips on how to identify and protect against them in a recent blog post: Think Like A Criminal: How To Identify Malicious Emails.

Understanding the Risks & Repercussions of a Successful Cyberattack

The impact of a data breach can have critical consequences on a business ranging from data theft, account compromise, lateral phishing, recovery costs, financial loss, downtime, reputation damage, lost client trust, legal repercussions, compliance issues, and permanent closure as the worst-case scenario. The Ponemon Institute reports that 74% of organizations that experienced a data breach lost customers, 59% faced potential litigation, 33% faced potential fines, 32% experienced a decline in share value. 60% of organizations that experience a ransomware attack are forced out of business within six months.

Real-world Examples of Attacks

  • On April 29th of last year, hackers accessed a virtual private network account that provided employees remote access to the Colonial Pipeline’s computer network. At the time of the attack, the account was no longer in use but was still able to access the network. The breach resulted in nearly 75 Bitcoins (5 million) for the decryption tool after 100GB of corporate data had been stolen within two hours. The vector that was attacked is unknown, however, experts report the attack may have been the result of a successful phishing email, an unpatched vulnerability that was exploited, or compromised credentials.
  • In July of 2021, an IT solutions developer for MSPs and enterprise clients named Kaseya announced that it had become the victim of a cyberattack. 800 - 1,500 downstream businesses were impacted after zero-day exploits had been used to gain access to their customers and their systems and distribute malicious software. The ransomware gang responsible, REvil, was then able to exploit vulnerabilities within the compromised systems to encrypt files.
  • Marriott International fell victim to a phishing scam in September of 2018 where 500 million customers were affected after discovering that an unauthorized party had copied and encrypted information. The attack was reported to be part of a state-sponsored intelligence-gathering effort by the Chinese government as the hack wasn’t for profit. The compromised information included guests’ names and their payment information as well as other PPI. 

Key Takeaways 

Email is cyberthieves’ preferred attack vector because it provides an easy, efficient, and effective way to gain access to valuable sensitive data and infect systems with dangerous malware. Cybercriminals recognize common weaknesses in traditional methods of securing email like relying on native Microsoft 365 email protection or endpoint security alone and are readily exploiting these shortcomings. No business can afford the aftermath of an email cyberattack or data breach, making implementing a proactive, multi-layered email security solution critical in safeguarding your users, your data, and your hard-earned reputation and keeping your business secure and successful in 2022 and beyond.

Must Read Blog Posts

Latest Blog Articles

Recommended Reading