Magnifying glass showing a spam folder.
Magnifying glass showing a spam folder.

Read this before your emails today

Monday mornings already get a pretty bad rap, but now we have another reason to hate them.

A new report from cybersecurity research firm Proofpoint has revealed more malicious emails are delivered on Monday mornings than any other day.

More than 30 per cent of all cyber-attack emails sent by opportunistic hackers and scammers go out on the first day of the week, declining steadily with each passing weekday.

Proofpoint said the reason for the Monday morning spam surge was because scammers track the success of their attacks and had found that the inbox-clearing Monday ritual and a concept called "social jet lag" (caused by changing your sleeping patterns over the weekend - yes, sorry to tell you, the Sunday morning sleep-in might actually be doing you damage) are why they have more success.

But while many people have antivirus or email filters to avoid getting caught out by scam emails, the scammers are changing their approaches to get around them by using surprisingly easy methods that have been around since the early internet to impersonate legit senders.

"It's called email spoofing, it's been around since the '90s and of course it's incredibly convincing," Proofpoint head of cybersecurity strategy Ryan Kalember told news.com.au.

"Email spoofing" is when scammers send emails using forged email addresses to make them appear legitimate.

While email spoofing had legitimate uses at first, many of these have fallen out of favour after years of malicious users exploiting the ability to make an email look like it came from someone else.

Proofpoint head of cybersecurity strategy Ryan Kalember.
Proofpoint head of cybersecurity strategy Ryan Kalember.

Many think of hackers as Matrix-esque operatives doing technical wizardry while green text is projected around them, but hackers are more likely to use something far more dangerous: charm.

Rather than use technical vulnerabilities to break their way into systems, hackers instead use social engineering to get let in the front door.

"We're at the point where we can safely say that human vulnerability is more easily monetised than technical vulnerability," Mr Kalember said.

"What attackers are looking for is the maximum point of vulnerability, and if you think about when we are most vulnerable, it's when we're occasionally overwhelmed - emotion always contributes to this - and when we're being asked to do something.

"If you agree to do something for someone, the next request is likely to be accepted, even if that request is a whole lot bigger and a whole lot more unusual."

Social engineering emails also avoid filters by not having links, attachments or other warning signs than can trigger anti-malware software.

Scarily, it only takes one person letting a hacker get their foot in the door for them to get access to an entire organisation.

ANU was targeted by hackers late last year.
ANU was targeted by hackers late last year.

Earlier this month, the Australian National University revealed that a massive data breach that led to a trove of its data going back up to 19 years being stolen by a team of hackers began with just one email sent to a senior staff member.

Mr Kalember said universities were particularly susceptible because students didn't have as much experience using email and weren't familiar with phishing emails and other scams.

As well as this, only one of Australia's top 10 universities (Melbourne's Monash University) uses the correct email authentication protocol, domain-based message authentication, reporting and conformance (DMARC), which prevents unauthorised email spoofing.

Victorian hospitals part of the Gippsland Health Alliance and South West Alliance of Rural Health were also victims of ransomware attacks in the past month that are believed to have been delivered over email.

Hackers typically target big institutions and businesses, but not necessarily the people you'd expect.

"Executives are not usually the most interesting target for the cybercriminals, their executive assistant is statistically more likely to be a target than they are themselves," Mr Kalember said.

"They might actually have a better understanding of how a lot of the processes work than the CEO, and they have access to the CEO's mail, calendar, everything."

Mr Kalember detailed how one Australian organisation (though not by name, unfortunately) that frequently moved large sums of money around the world for construction and engineering projects fell victim to scammers.

"The CEO's assistant was compromised, so (the scammers) had access to their calendar and their emails. The EA can send on behalf of the CEO, so they waited until the CEO was in a meeting with a third party, sent an email based on an email in the sent items - so exactly in the CEO's voice: 'I'm stuck in this meeting, but we got the deal done, here's the final number, I need the wires sent'. And he actually was in that meeting!"

The company ended up losing around $14 million.

"After that they redesigned the business process so it became impossible, even if it was the CEO requesting it, for something to be approved solely based on email," Mr Kalember said.

Scammers are also known to do things like email HR departments about fake tax returns in order to request data and information they could monetise.

Even the big tech companies aren't immune.

RELATED: Tech firms fall for massive scam

"Facebook and Google sent $US100 million to a Lithuanian guy before they realised what was going on," Mr Kalember said, referring to the case of Evaldas Rimasauskas, a since-jailed scammer who targeted employees at the two companies with phishing emails designed to look like invoices from major Asian hardware manufacturer Quanta Computer Inc., a company they regularly sent large amounts of money.

"He was impersonating a supplier that makes pieces of kit that go into data centres. He just registered a version of Quanta in the Baltics, like it was a tax dodge," Mr Kalember said.

Facebook and Google obviously thought nothing was fishy about this, since they do the very same thing in tax havens around the world.

"So he got $US100 million, briefly, before they figured out what he had done. He's actually in prison at the moment, but it really was a great couple of days I'm sure," Mr Kalember said.

HOW TO AVOID FALLING VICTIM TO EMAIL SCAMS

Mr Kalember said there were a couple of straightforward ways to avoid falling for an email scam.

TAKE NOTICE OF WHAT YOU'RE LOOKING AT

"The likeliest way you're going to fall for something is via email, but much more is spent investing in firewalls and antivirus rather than defending email," Mr Kalember said.

It pays to actually pay attention to your emails, especially on a Monday morning when "social jet lag" and an abundance of emails can make you lose focus.

USE MULTI-FACTOR AUTHENTICATION

Scammers "constantly take over cloud accounts, things like Office 365, GSuite. They read the email, look at the calendar, pull down the global address list, map out the organisational chart. All of that is available and can get phished easily," according to Mr Kalember.

Using multi-factor authentication adds another step that stops bad actors accessing accounts.

TRAIN YOUR PEOPLE - AND THE RIGHT ONES

Some people within an organisation are better targets than others, which means they require more training.

The upside is, according to Mr Kalember, telling these employees that out of all the people in the company they're the most targeted actually makes them feel special, and so they take the training more seriously.


OP results 2019: Schools celebrate record year

premium_icon OP results 2019: Schools celebrate record year

Queensland students achieve record-breaking OP results

Massive three-day drugs, weapons bust bags 309 charges

premium_icon Massive three-day drugs, weapons bust bags 309 charges

Police have charged 45 people on 309 drug, property, and weapon offences.

‘My dog saved my life’: Amazing house fire rescue

premium_icon ‘My dog saved my life’: Amazing house fire rescue

'My dog was nosing under my arm and lifting my arm up.'