How to Defend Against Reply-Chain Phishing When It’s Hard to Spot

Just about everyone is now familiar with the term “phishing.” These are messages that employ social engineering tactics to trick people into doing things, such as clicking on malicious links, downloading dangerous attachments, or sending passwords or other personal details.

Phishing is unfortunately very common. Last year, 83% of organizations experienced phishing attacks coming through their networks. Approximately 30% of all phishing emails are opened, which is why phishing remains so prevalent: simply put, it works.

Companies have taken steps to ward off phishing attacks, such as putting in firewalls, installing email filtering, and training employees in security awareness. But this type of attack is challenging to overcome because attackers keep upping their game and evolving their tactics.

The latest tactic is to slide a dangerous phishing message inside an ongoing email conversation, meaning a thread in which two or more people are copied and continue replying to add their thoughts.

Now, you wouldn’t expect to get a phishing email in this way, which is what makes reply-chain phishing so dangerous.

How Does Reply-Chain Phishing Work?

The first thought when you hear about reply-chain phishing is, “How can a scammer insert their email into an email thread?” This attack is done in conjunction with business email compromise (BEC). 

Business email compromise rose 80% in certain sectors in 2020 and was experienced by 65% of organizations.

Simply put, BEC is when an employee’s email address is breached. The hacker somehow gains access to the password and is able to send and receive emails as that person.

When this happens, the person whose account has been breached often doesn’t even know about it. Smart attackers will stay quiet. They’ll gather emails of value and look for email conversations into which they can insert a convincing phishing message.

The attacker then replies to the ongoing email chain as if they were one of the legitimate participants. The others in the chain don’t typically suspect phishing for a few reasons:

  • The email comes from someone they know, and from that person’s email address
  • The hacker can often craft a convincing reply because they’ve been able to read the ongoing thread
  • Most people don’t realize that phishing can be sent in this way

The scammer will add an attachment or link and ask the recipients to open it. They may even ask for personal information if they happened to breach the account of a supervisor or person with an authoritative position.

What Can You Do to Avoid Falling for Reply Phishing?

Reply-chain phishing is harder to spot than one-off phishing messages because it is inserted into an ongoing conversation. However, there are some things you can do to prevent this type of attack from causing a breach in your organization.

Make Employees Aware of the Possibility

First, you want to make your employees aware that phishing can be inserted into legitimate email conversations and sent from familiar email accounts. Train them to use the SLAM phishing detection method on all emails, not just those from unknown addresses. 

Being aware can help them catch something that might sound slightly “off” in a colleague’s reply and prompt them to double-check authenticity with the sender by phone or in person.

Increase Business Email Compromise Defenses

If email accounts can’t be compromised, then it’s nearly impossible for an attacker to conduct a reply-chain phishing attack. Make email account security a high priority. 

Here are some ways to reduce the risk of your email account being breached:

  • Add multi-factor authentication to email accounts
  • Require the use of strong passwords
  • Use a business password manager, so employees won’t feel the need to use easy passwords and reuse passwords
  • Audit email accounts regularly for suspicious activity 
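One way to carry out the audit step in the list above, shown as an added example that is not part of the original article: compare each mailbox sign-in against that account's own history, since the account owner often does not know about the breach. The record layout, the sample data, the four-hour window and the baseline date are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (user, UTC time, country, client). The field layout is an
# assumption; map it from whatever your mail provider's sign-in log exports.
SIGNINS = [
    ("dana@example.com", "2024-03-04T08:01:00", "US", "Outlook"),
    ("dana@example.com", "2024-03-05T08:03:00", "US", "Outlook"),
    ("dana@example.com", "2024-03-06T08:02:00", "US", "Outlook"),
    ("dana@example.com", "2024-03-06T09:10:00", "RO", "IMAP"),
    ("lee@example.com", "2024-03-04T09:00:00", "US", "Outlook"),
    ("lee@example.com", "2024-03-06T09:30:00", "US", "Mobile"),
]
BASELINE_END = datetime(2024, 3, 5, 23, 59, 59)  # earlier sign-ins only build history

def audit_signins(records, baseline_end, travel_window=timedelta(hours=4)):
    """Flag sign-ins after baseline_end that break the account's own history."""
    seen_country, seen_client = defaultdict(set), defaultdict(set)
    last = {}  # user -> (time, country) of that user's previous sign-in
    findings = []
    for user, ts, country, client in sorted(records, key=lambda r: r[1]):
        when = datetime.fromisoformat(ts)
        if when > baseline_end:
            if country not in seen_country[user]:
                findings.append((user, ts, "new country " + country))
            if client not in seen_client[user]:
                findings.append((user, ts, "new client " + client))
            prev = last.get(user)
            if prev and prev[1] != country and when - prev[0] <= travel_window:
                findings.append((user, ts, "country change within " + str(travel_window)))
        seen_country[user].add(country)
        seen_client[user].add(client)
        last[user] = (when, country)
    return findings

if __name__ == "__main__":
    for finding in audit_signins(SIGNINS, BASELINE_END):
        print(*finding, sep="  ")
```

A finding is a prompt to check with the account owner, not proof of compromise: the `lee@example.com` record is flagged only because a new mail client appeared.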

Use Advanced Security, such as “Safe Links” and “Safe Attachments”

Inquire with your email service provider or IT provider about advanced features you can use to better secure email and fight phishing. For example, Microsoft 365 has two options in certain business plans called “safe links” and “safe attachments.”

These security features use AI and machine learning to look for and block any suspicious links or attachments, even those being sent internally. This protection also extends to messages in Microsoft Teams.

Many platforms like M365 are now using these advanced AI features to improve email and data security, but you often need to enable the feature to benefit.

Watch Out for Urgency Triggers

One thing that often gives a phishing scammer away is that they always want you to act in a hurry. They know that if you have time to think about an email request or double-check the message, you might realize it’s a fake. Thus, they’ll often use terms like “this needs to be done now!” or “I need you to review this immediately.”

Any urgency triggers like this should increase your skepticism, and you should actually take a step back and thoroughly review the message and, if needed, verify it in another way with the purported sender.
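The signals described in this article (a reply inside an existing thread that adds an attachment or link and presses for urgency) can also be checked mechanically. The following is an added example, not part of the original article and not how any vendor's filter works; the phrase list beyond the two quoted above, the sample message and all hostnames are constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Illustrative phrase list; the first two are the ones quoted in the article.
URGENCY = ("this needs to be done now", "review this immediately", "right away", "asap")
URL_RE = re.compile(r"https?://[^\s<>]+", re.I)

def link_hosts(text):
    """Hostnames of every http(s) URL found in text."""
    return {urlparse(u).hostname for u in URL_RE.findall(text)} - {None}

def triage_reply(raw):
    """Reasons a reply inside an existing thread deserves out-of-band verification."""
    msg = message_from_string(raw, policy=policy.default)
    if not (msg["In-Reply-To"] or msg["References"]):
        return []  # not part of a thread; ordinary inbound filtering applies
    reasons, body = [], ""
    for part in msg.walk():
        if part.get_filename():
            reasons.append("attachment: " + part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_content() + "\n"
    # Separate what the sender typed now from '>'-quoted earlier messages in the chain.
    lines = body.splitlines()
    new = "\n".join(l for l in lines if not l.lstrip().startswith(">"))
    quoted = "\n".join(l for l in lines if l.lstrip().startswith(">"))
    for host in sorted(link_hosts(new) - link_hosts(quoted)):
        reasons.append("new link host: " + host)
    reasons += ["urgency: " + p for p in URGENCY if p in new.lower()]
    return reasons

# Constructed sample: a reply in an existing thread (names and hosts are made up).
SAMPLE = """\
From: Dana <dana@example.com>
To: team@example.com
Subject: Re: Q3 vendor invoice
Message-ID: <3@example.com>
In-Reply-To: <2@example.com>
References: <1@example.com> <2@example.com>
Content-Type: text/plain; charset=utf-8

I need you to review this immediately: https://files.example.net/invoice
> Figures are in the tracker: https://tracker.example.com/q3
"""

if __name__ == "__main__":
    print(triage_reply(SAMPLE))
```

Because the sender address is genuine in this attack, the check deliberately ignores who sent the message and looks only at what the reply adds to the thread.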

Improve Email Security & Reduce Risk with GEEK911

Phishing may be getting sneakier, but defense solutions are also getting more sophisticated. GEEK911 can help your Silicon Valley area business put advanced anti-phishing techniques in place to reduce your risk.
Schedule a consultation by calling 1-866-433-5411 or reach us online.
