Email Cyber Security 101: Understanding Phishing, Malware, and Data Theft Risks


As businesses adopt more digital tools and capabilities, the ways cyber criminals can get in, and the defences against them, keep evolving. Email is still the preferred method of communication for the majority of businesses and business professionals, so the threat from email phishing attacks remains a critical concern.

In this month’s blog we will look at the current state of email phishing attacks, the risks they pose to you and your business, and the part people play in preventing them.


More Email, More Spam, More Risk!

  • 46.8%: share of all email traffic that is spam.

  • 28%: share of the working week the average professional spends reading and answering email.²

  • £1bn: cost to UK businesses compromised by phishing attacks in 2023.³

Setting up email accounts and sending email en masse is cheap and easy, so a phishing campaign only needs a tiny fraction of its messages to succeed to be worthwhile. Many people still picture phishing as a plea from a Nigerian prince riddled with spelling mistakes and poor grammar, but this form of deception is growing in sophistication and frequency, making it harder for both people and software to detect.

Email remains a necessary, if often tiresome, part of the working day, and the continued shift toward online and remote working means more emails than ever are being sent and received. Workers trying to clear their inboxes quickly have to weed out spam while making sure legitimate messages are actioned, and it is exactly this hurry that cyber criminals exploit: attackers mimic legitimate emails and scenarios in the hope that recipients take them at face value.


What is Email Phishing?

“Phishing, the use of deceptive emails, messages, or links to websites designed to trick people into performing actions that would expose a business to a breach, was the most common way businesses fell prey to cyber criminals in 2023.”

- Report: ‘The Cost of Business Cybercrime in 2023’, Beaming, Jan 2024

General email phishing attacks exploit human nature: fear of or deference to authority, a sense of urgency, or the promise of financial gain. Combined with messages styled on those of large companies and organisations that most people would not be surprised to hear from, this pushes recipients into acting on impulse rather than thinking it through.

The global brands most often impersonated in these attacks are Microsoft, Adobe, DHL, Google, AOL, DocuSign and Amazon⁴. In the UK, the most spoofed government organisations are the National Health Service (NHS), TV Licensing, HM Revenue & Customs, Gov.uk, the DVLA and Ofgem⁵.

These campaigns usually take the form of an email carrying either a link to a bogus or compromised website or a malicious attachment. The fake site, set up to mimic a familiar organisation or brand, will either present a form to harvest the victim's personal data, login credentials or card details, or serve malicious software that gives the attacker access to the data on the device. Likewise, opening a malicious attachment can install malware, spyware or ransomware, letting attackers extract sensitive information or extort the victim. More on the threats to email security can be found in our blog 9 threats to email security that you need to know.

Once criminals have gathered data they can use it to steal money, for identity theft, or to sell on to other hackers on the dark web. Data gathering may also be used towards further phishing scams or for targeted spear-phishing campaigns.

 

What is Spear-Phishing?

  • 50%: proportion of organisations that were victims of spear-phishing in the last 12 months.⁶

  • 5: average number of spear-phishing emails a typical organisation receives each day.

  • 22%: proportion of organisations that had at least one email account compromised in 2022.

  • 370: average number of malicious emails sent from a compromised account.

Unlike general phishing campaigns that rely on being vague enough for mass recipients, spear-phishing attacks target particular individuals or organisations directly and are designed to appear as if from a known or trusted sender.

These more sophisticated attacks run in phases: first gathering information and credentials to gain access to a business’s email systems, then learning how the company operates, where its weaknesses lie and how best to exploit them. Attacks that compromise or impersonate business email accounts in this way are known as Business Email Compromise (BEC), and a single compromised mailbox can expose the business to further attacks.


Data Theft

As with general phishing attacks, the theft and sale of sensitive data can be lucrative for criminals. Businesses, however, hold large amounts of data in one place, which gives attackers a greater incentive to target them. As well as reputational damage and the cost of rectifying the breach, businesses may also face heavy fines from regulators for the loss of customer data.


Extortion

Once they have access to sensitive data, criminals may try to extort money from an employee, by threatening to expose them for their part in the breach, or from the company, using ransomware or the threat of publishing trade secrets if the demands are not paid.


Invoice Fraud

Attackers can replicate a legitimate email containing an invoice, changing only the bank account details to an account they control; this is known as clone phishing. The email may be sent to the company, appearing to come from a genuine supplier, or to the company’s own customers.

Whaling

Fraudsters may focus on CEOs and other senior individuals, whose authority means their requests are less likely to be questioned. Attacks aimed at, or impersonating, such ‘big fish’ are known as whaling. By inserting themselves into existing email conversations (thread hijacking), attackers can trade on the seniority of the person they are impersonating to request large transfers of funds or sensitive data.


Humans: The Weak Link or the Last Line of Defence

“Just over one in four employees (26%) said they had fallen for a phishing scam at work in the last 12 months.”

- Psychology of Human Error 2022, Tessian Research, Jan 2022

Modern technology such as spam filters and malware analysis catches the majority of email attacks, but some will always slip through, so in the end it takes a person to stop a phishing email turning into a successful breach of your business systems. In a recent blog article, Why Your Staff Needs to Know About Cyber Security, we outlined the damage hackers can do with just an email.

The reason phishing attacks are so successful is that attackers use social engineering techniques to exploit basic human nature. Whether it be fear, greed, curiosity, familiarity, inexperience or respect for authority, all can be targeted in different ways such that identifying those who may be susceptible to certain attacks is extremely difficult. Furthermore, it has been shown that stress, such as that experienced in the work environment, can cloud a person’s judgement and lead to impulsive actions⁷.

Constant vigilance is key. Educate yourself and your team about new phishing techniques, as well as how to deal with them, and keep your security knowledge up-to-date.


The Complete Email Security Survival Guide.

Discover how to protect against all 13 email threat types with Barracuda’s AI-powered defence that blocks 47% more attacks than Microsoft alone.


 

Practical Tips for Identifying Phishing Emails

Email phishing is ever-increasing and cyber criminals change their tactics regularly, so there are no hard-and-fast rules for identifying scams. There are, however, indicators that help you spot a potentially malicious email. Stay sceptical of unsolicited emails, messages or calls, no matter how legitimate they appear, and if in doubt verify the request through a known URL, login page or contact that you did not take from the email itself.

  1. Common Characteristics

    Typically, phishing emails contain mismatched URLs (link text that shows one address while the link points somewhere else), poor grammar, or requests for personal information that seem out of context.

  2. Alarming Subject Line

    Be wary of subject lines that pressure you to act immediately, offer unsolicited help, or announce unexpected prizes. These are designed to create a sense of urgency and cloud your judgement.

  3. Click with Caution

    Exercise caution with email links and attachments, as these are common conduits for malware. Hover over links to preview URLs and scan attachments with security software before opening.

  4. Verify Sender Authenticity

    Check the sender’s email address. Genuine businesses use their own domain, not a general webmail address such as Gmail or Yahoo. Also be cautious of addresses containing random strings of letters or numbers, which can be a sign of automatically generated accounts.

  5. Consider the Tone

    Look for anomalies in the language used. Phishing attempts often rely on generic language, veiled threats and overly formal or informal tones to provoke a response.

  6. Dodgy Design

    Fraudsters try to mimic legitimate emails by including logos or graphics. Genuine emails are generally tested to make sure they look professional, so look out for poor quality or low resolution assets and clumsy layouts.
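The six indicators above can be checked mechanically, and doing so shows why the sender and link checks carry more weight than spelling. The block below is an added example, not code from Pinnaca or Barracuda: it parses a raw email with Python’s standard library and flags a freemail sender posing as a brand, a Reply-To on a different domain, a look-alike brand domain (covering the brand and government impersonation described under What is Email Phishing?), link text that disagrees with the link target, and urgent wording. The brand list, the freemail list, the crude eTLD+1 rule and the sample message are assumptions constructed for the demonstration; the checks are heuristics that a real gateway would combine with reputation and authentication data.

```python
"""Heuristic checks for the phishing indicators listed above. Added example, not
Pinnaca's or Barracuda's code; brand list, freemail list and sample message are assumptions."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = {"microsoft": "microsoft.com", "dhl": "dhl.com", "hmrc": "hmrc.gov.uk"}  # assumed
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|final notice)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

def registered_domain(host):
    """Crude eTLD+1: last two labels, or three for two-part suffixes such as co.uk, gov.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "gov", "ac", "org"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, brand_domain):
    """Typosquat one edit away (micros0ft.com) or the brand name buried in another domain
    (microsoft.com.login-secure.net); the genuine domain and its subdomains are not flagged."""
    reg = registered_domain(host)
    return reg != brand_domain and (
        brand_domain.split(".")[0] in host.lower() or levenshtein(reg, brand_domain) == 1)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    from_domain = registered_domain(sender.domain)
    # Tip 4: a brand in the display name, but a freemail address behind it.
    if from_domain in FREEMAIL and any(b in sender.display_name.lower() for b in BRANDS):
        findings.append(("freemail-brand", sender.addr_spec))
    # Replies routed to a domain other than the apparent sender's is a common BEC tell.
    if msg["Reply-To"]:
        reply_domain = registered_domain(msg["Reply-To"].addresses[0].domain)
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", reply_domain))
        if any(is_lookalike(reply_domain, d) for d in BRANDS.values()):
            findings.append(("lookalike-reply-to", reply_domain))
    # Tips 1 and 3: link text shows one site while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if LOOKS_LIKE_URL.match(text):
                text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
                if registered_domain(text_host) != registered_domain(href_host):
                    findings.append(("link-mismatch", f"{text} -> {href}"))
            if any(is_lookalike(href_host, d) for d in BRANDS.values()):
                findings.append(("lookalike-link", href_host))
    # Tip 2: pressure to act immediately, in the subject or the body.
    if URGENCY.search(msg["Subject"] or "") or URGENCY.search(content):
        findings.append(("urgency", "presses for immediate action"))
    return findings

# Constructed sample: freemail sender posing as Microsoft, typosquatted Reply-To,
# link text and target that disagree, and an alarming subject line.
SAMPLE = """From: "Microsoft Account Team" <account.security.8831@gmail.com>
Reply-To: verify@micros0ft.com
Subject: Action required: your account will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Unusual sign-in activity was detected. Verify now to keep access.</p>
<p><a href="http://microsoft.com.login-secure.net/verify">https://account.microsoft.com/security</a></p>
</body></html>
"""
if __name__ == "__main__":
    print(*analyse(SAMPLE), sep="\n")
```

Run as a script it prints the six findings for the constructed sample; each finding is a (code, detail) pair so it can feed a scoring or quarantine rule rather than a yes/no verdict. The eTLD+1 helper is deliberately crude; a production check would use the public suffix list, and the brand-in-host rule will match innocent domains that happen to contain a short brand name, so treat it as one signal among several.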


Technology: The First Line of Defence

Although a human error is usually the final step in a successful phishing attack, it is ultimately the business’s responsibility to reduce the chance of its employees ever seeing these threats. The overwhelming majority of malicious emails can be stopped before they reach an inbox with business systems protection and email defence technology.

“Since Pinnaca set us up with Barracuda Total Email Protection, our enhanced email security saved us nearly 50% on our Cyber Security Insurance.”

- Pinnaca Client Testimonial, High Street Fashion Retailer.

Pinnaca can help you set up a secure business email infrastructure, as well as other robust cybersecurity defences. We can be on hand to act quickly when security breaches occur, minimising the impact on your business and, if necessary, recovering your business systems.

We partner with Barracuda to offer top-notch spam and malware protection techniques, including virus scanning, spam scoring, real-time intent analysis, URL link protection and reputation checks. Barracuda uses AI to learn communication patterns within your organisation to detect anomalies that may indicate spear-phishing attacks. Other solutions include Domain Fraud Protection, Account Takeover Protection and High Risk Employee Analysis.

We can offer Security Awareness Training to boost threat awareness for you and your staff, while Phishing Attack Simulations help assess your company’s resilience to suspicious emails.

Discover how our partnership with Barracuda can help protect your company's email and data!

Download The Complete Email Security Survival Guide to learn how Barracuda Email Protection keeps you safe from new email threats. Explore how Barracuda's AI-powered defence blocks 47% more attacks than Microsoft, covering all 13 types of email threats.

LIMITED TIME OFFER: Sign up for Barracuda Email Protection now* and pay nothing until Jan 2026, plus free setup of Barracuda Email Protection when you subscribe to a Pinnaca support package.

Get in touch now to find out how you can protect your inbox with Pinnaca!


*Terms and conditions apply. Orders must be confirmed by 31st December 2025.


Frequently Asked Questions

  • An organised and unauthorised use of an app to send thousands of messages to its users is defined as a spam attack. These messages, which often contain false advertisements and links encouraging users to click, are sent by fake or hacked profiles.

  • Malware, short for "malicious software," is a file or code that is typically transmitted over a network to infect, exploit, steal, or perform any action desired by an attacker. Due to its numerous variants, there are various methods used to infect computer systems.

  • Data exfiltration involves the unauthorised theft or movement of data from a device, often carried out by cybercriminals through various attack methods, targeting personal or corporate devices such as computers and mobile phones.

  • URL phishing involves embedding a link to a malicious site within a phishing email, with the aim of tricking the recipient into clicking on it. Common examples of phishing emails include fake invoice scams, email account upgrade scams, and others.

  • Scamming occurs when an attacker pretends to be a trusted entity to deceive a victim into opening an email, instant message, or text message in order to obtain confidential information. This information is then used for financial gain or to launch further attacks.

  • Spear phishing is a targeted form of phishing that focuses on specific individuals or groups within an organisation. It involves personalised emails that directly address the target by name, often using tactics to elicit urgency and trust.

  • Domain impersonation, a type of phishing attack, occurs when an attacker uses a company's domain name to impersonate the company or one of its employees, often through fake websites or fraudulent email addresses.

  • Brand impersonation involves impersonating a trusted company or brand to deceive individuals into sharing personal or sensitive information.

  • Blackmail involves criminals using extortion emails to threaten to disclose sensitive information to friends and family unless a payment is made.

  • Business email compromise (BEC) is a specific type of phishing attack that aims to trick employees into taking harmful actions, such as sending money, by impersonating known sources and making seemingly legitimate requests.

  • Conversation hijacking is a newer type of phishing attack where threat actors insert themselves into business email conversations to obtain sensitive information or perpetrate fraudulent activities.

  • Lateral phishing involves attackers using compromised accounts to send phishing emails to unsuspecting recipients, such as close contacts within a company or external partners.

  • Account Takeover (ATO) is an attack in which cybercriminals gain control of online accounts using stolen usernames and passwords, often acquired through data breaches, social engineering, or phishing attacks.
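The lateral-phishing and account-takeover entries above describe something a mail administrator can measure directly: a legitimate mailbox that suddenly sends far more mail, to far more distinct recipients, than it ever has (the figure quoted earlier of around 370 malicious emails per compromised account is exactly this pattern). The following is an added example, not Pinnaca’s or Barracuda’s detection logic: it reads outbound-mail log lines in an assumed key=value format, buckets them by sender and UTC hour, and raises an alert when an hour’s volume is well above the account’s baseline or one subject goes to many distinct recipients. The log lines, the per-account baselines and the thresholds are constructed for the example.

```python
"""Outbound-mail burst detection for lateral phishing / account takeover.
Added example, not Pinnaca's or Barracuda's code. The log format, the per-account
baselines and the thresholds are assumptions; the log lines are constructed."""
import re
from collections import defaultdict

LINE = re.compile(r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$')

# Assumed history: the most messages each account normally sends in any one hour.
BASELINE = {"alice@example.co.uk": 4, "bob@example.co.uk": 6}
BURST_FACTOR = 3   # an hour at 3x the account's baseline...
MIN_BURST = 10     # ...and at least this many messages is a volume alert
FANOUT = 8         # one subject to this many distinct recipients in an hour is a fan-out alert


def parse(lines):
    """Yield event dicts for lines in the assumed format; anything else is ignored."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            event = m.groupdict()
            event["hour"] = event["ts"][:13]  # "2024-03-11T14": bucket by UTC hour
            yield event


def detect(lines):
    """Return sorted (sender, hour, reason) alerts for the given log lines."""
    per_hour = defaultdict(list)
    for event in parse(lines):
        per_hour[(event["sender"], event["hour"])].append(event)
    alerts = []
    for (sender, hour), events in per_hour.items():
        count = len(events)
        base = BASELINE.get(sender, 1)  # no history: treat as a normally quiet account
        if count >= MIN_BURST and count >= BURST_FACTOR * base:
            alerts.append((sender, hour, f"{count} messages vs baseline {base}/hour"))
        by_subject = defaultdict(set)
        for event in events:
            by_subject[event["subject"]].add(event["rcpt"])
        for subject, rcpts in by_subject.items():
            if len(rcpts) >= FANOUT:
                alerts.append((sender, hour, f"'{subject}' to {len(rcpts)} distinct recipients"))
    return sorted(alerts)


# Constructed traffic: a normal morning, then alice's account sends the same
# "shared document" lure to a dozen contacts in one hour after being compromised.
NORMAL = [
    '2024-03-11T09:14:02Z from=alice@example.co.uk to=bob@example.co.uk subject="Re: March order"',
    '2024-03-11T09:40:55Z from=alice@example.co.uk to=sam@partner.example subject="Invoice 4471"',
    '2024-03-11T10:05:13Z from=bob@example.co.uk to=alice@example.co.uk subject="Re: March order"',
    '2024-03-11T10:21:47Z from=bob@example.co.uk to=ops@partner.example subject="Delivery slot"',
    "garbage line the parser should skip",
]
BURST = [
    f'2024-03-11T14:{2 * i:02d}:11Z from=alice@example.co.uk to=contact{i}@partner{i}.example '
    'subject="Alice shared a document with you"'
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect(NORMAL + BURST):
        print(alert)
```

Both rules fire for alice’s 14:00 hour and nothing fires for the normal traffic. Bucketing by fixed hour is simple but lets a burst straddling two hours slip under the threshold; a sliding window over the last 60 minutes closes that gap at the cost of a little more bookkeeping. The fan-out rule is the one that catches a slow, patient sender, since a lure sent to eight contacts at a normal pace never trips the volume rule.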

