Reply-Chain Phishing Attacks

Einat Aronberg

In today’s digital age, email remains a crucial communication tool for businesses. However, this widespread reliance makes it a prime target for cybercriminals.

Among the various phishing tactics, reply-chain phishing attacks have emerged as particularly deceptive. Understanding and mitigating these attacks is crucial to safeguarding personal and organisational data.

A reply-chain phishing attack, also known as conversation hijacking, occurs when a cybercriminal infiltrates an email thread and sends malicious emails from within that conversation.

By inserting themselves into an ongoing, legitimate email chain, the attacker leverages the trust between the participants, increasing the likelihood that the malicious email will be opened and acted upon.

In the UK, the threat of phishing attacks has been growing. According to the Cyber security breaches survey 2024, it is by far the most common type of breach or attack (84% of businesses and 83% of charities). The sophistication of these attacks poses significant risks to businesses and individuals alike.

  1. Compromise an Email Account: The attacker first gains access to an email account, often through phishing or other means.
  2. Monitor Conversations: Once inside, they monitor ongoing email conversations to identify potential targets.
  3. Insert Malicious Content: The attacker replies to an existing email thread with a message that appears legitimate but contains a malicious link or attachment.
  4. Harvest Data or Spread Malware: If the recipient falls for the trap, they may provide sensitive information or inadvertently download malware, further compromising their system or network.

A recent attack occurred to a client of ours regarding an email conversation that took place with them and a vendor about making payments.

The hacker infiltrated this group and sent an email, seemingly as a colleague. The email address was identical to the employee’s save for one extra letter that had been added. The change was barely visible, and those in the email chain failed to notice it. The hacker asked the vendor to make the payment to a new account and sent new bank details.

This phishing attempt almost succeeded. Had the bank not flagged it as a possible scam, the vendor would have lost around £50K.

When the client approached NPIT, we immediately used SpamTitan to enable a setting that flags any message in which a participant’s email address changes part-way through a thread, so the same trick would be caught going forward. In addition, we initiated user education training to prevent this happening again.

  1. Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security, making it more difficult for attackers to compromise email accounts. Ensure that all email accounts, especially those with access to sensitive information, use MFA.
  2. Use Email Security Solutions: Advanced email security solutions can detect and block phishing emails before they reach the inbox. Look for solutions that offer real-time scanning and threat intelligence. For example, PhishTitan by Titan HQ employs cutting-edge AI technology to offer unmatched protection against malicious emails.
  3. Regularly Update Software: Ensure that all email clients and related software are regularly updated to protect against known vulnerabilities. Cybercriminals often exploit outdated software to gain access to systems.
  4. Monitor Email Accounts for Suspicious Activity: Regularly monitor email accounts for signs of unauthorised access, such as unusual login times or locations. Immediate action can be taken if suspicious activity is detected.
  5. Secure Email Servers: Ensure that email servers are properly configured and secured. Use encryption to protect email content in transit and at rest.
  6. Educate and Train Staff, Promote a Culture of Security Awareness:
    • Encourage employees to verify unexpected or unusual requests through a separate communication channel, such as a phone call.
    • Provide regular training sessions on cybersecurity best practices to help employees recognise phishing attempts. The change in email addresses can be as subtle as using a ‘0’ instead of an ‘o’ when creating an “identical” address.
    • Utilise services such as Trend Micro Phish Insight to test how likely your employees are to detect fraudulent emails seemingly from a colleague or manager.
    • Foster a culture where employees feel comfortable reporting suspicious emails or activities. Prompt reporting can help mitigate potential threats before they escalate.
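As an added example (not the post's own code, nor SpamTitan's), the mid-thread address check described in the case study above, combined with the '0'-for-'o' substitution mentioned in the training bullet, can be approximated in Python: each reply's sender is compared with the addresses already seen in the thread and flagged when it is within one edit of a known participant but not identical to it. The thread, names and domains below are constructed for illustration.

```python
"""Flag a reply whose sender is a near-match of an address already in the
thread but not identical to it (one extra letter, a '0' for an 'o', ...)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Digits commonly swapped in for look-alike letters are folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(addr, known):
    """Return the known address that addr is within one edit of, else None."""
    if addr in known:
        return None
    folded = addr.translate(HOMOGLYPHS)
    for k in sorted(known):  # sorted so results are deterministic
        if edit_distance(folded, k.translate(HOMOGLYPHS)) <= 1:
            return k
    return None

def scan_thread(raw_messages):
    """Walk a thread oldest-first; return (index, sender, impersonated) tuples."""
    known, findings = set(), []
    for i, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        sender = parseaddr(msg.get("From", ""))[1].lower()
        target = lookalike_of(sender, known)
        if target:
            findings.append((i, sender, target))
            continue  # a flagged sender never becomes a trusted participant
        known.add(sender)
        for _, rcpt in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            known.add(rcpt.lower())
    return findings

# Constructed sample thread (not from the original post): the third message
# comes from a lookalike of the employee's address with one extra letter.
SAMPLE_THREAD = [
    "From: Jo Bloggs <jo.bloggs@example-client.co.uk>\nTo: accounts@example-vendor.co.uk\n\nInvoice attached.\n",
    "From: accounts@example-vendor.co.uk\nTo: jo.bloggs@example-client.co.uk\n\nThanks, will process.\n",
    "From: Jo Bloggs <jo.blogggs@example-client.co.uk>\nTo: accounts@example-vendor.co.uk\n\nNew bank details below.\n",
]
```

Running `scan_thread(SAMPLE_THREAD)` reports the third message as a lookalike of the employee's real address; a production filter would quarantine or tag such a reply rather than deliver it silently.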

Reply-chain phishing attacks exploit the trust inherent in email conversations, making them particularly dangerous.

In the UK, where phishing remains a predominant cyber threat, awareness and proactive measures are essential to protect against these attacks. By educating employees, implementing robust security practices, and fostering a culture of vigilance, awareness and caution, organisations can significantly reduce the risk of falling victim to reply-chain phishing.

NPIT are an ISO 27001 certified MSP; we follow international best practice for information security management. If you have any concerns about protecting your email, contact us to resolve an issue, get advice, check the status of your software and install any necessary updates.