Cyber crimes reached new heights and drew more attention than ever in 2021. 

Many big-name companies, including Acer, Colonial Pipeline, JBS Foods, CNA Financial, and social media giants like Facebook and LinkedIn, fell victim to cyberattacks. It's estimated that cybercriminals stole a staggering $6.9 billion in 2021.

And this trend seems to have rolled over into 2022. If you're thinking, "Those are all big-name companies… my small business doesn't have to worry about it," think again.

Unfortunately, the latest report from Barracuda found that small businesses are now more frequent targets for cyberattacks than larger companies. The report concluded that, on average, an employee of a small business with fewer than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.

Cybercriminals have stunned again with an "upgraded" version of the old phishing techniques.

We're talking about reply chain phishing attacks!

In case you missed it, this phishing attack took IKEA, the Sweden-based furniture giant, by storm on Black Friday, and its execution technique was nothing short of jaw-dropping. This phishing technique could be a shocker to many in 2022, so we'll explain everything you need to know about it in the next sections.

What Is a Reply Chain Phishing Attack?

Reply chain phishing occurs when hackers sneak themselves into legitimate email conversations through compromised accounts.

We've all been in those email threads where everyone on the chain participates in the discussion. These email chains are common in most organizations.

The thing with email chains is that every response gets cataloged within the conversation by the email program. Reply chain phishing occurs when a hacker hijacks a legitimate email account and "joins" the discussion using the compromised account. 

Once the hacker has gained access to a legitimate user's account, they examine the email threads to identify those with the highest financial potential. The hacker then joins the discussion in one of those threads with a reply that looks legitimate but carries a malicious link.

Inadvertently, the participants may click on the link and download or install malware, which can then propagate over the host network. 

Here's a typical example of how reply-chain phishing occurs. 

A hacker will go through the chain of replies to understand the discussion, then craft their own reply that fits what the participants are looking for. Let's say the participants are weighing in on the design of the proposed office building.

A hacker may send a reply that says, "I've drafted a detailed floor plan that illustrates the location of the walls, doors, windows, elevators, as well as the kitchen. Here's a link to see it." Since the email comes from a legitimate user in the email thread, everyone can easily be fooled into clicking that link, not knowing they're opening themselves up to attack.

How Do Hackers Gain Access to the Reply Chain?

A hacker gains access to an email chain by hacking the email account of one of the recipients/participants in an email thread. 

How does this happen?

  • The hacker obtains one participant's email credentials through nefarious means. This could be through hacking, phishing, smishing, social engineering, keylogging, etc.
  • Once they have the login credentials, they sneak themselves into the conversation and can send replies posing as the legitimate account owner.
  • They then forward that email thread to their own address as a safeguard in case the account password changes.

The hacker can fool everyone in the email chain because they use an email address other recipients recognize and trust. They can use this access to steal money or deploy even more attacks. 


How Sneaky Is Email Reply Chain Phishing?

On a scale of 1 to 10, reply-chain phishing scores at the very top.

Yes! It's pretty sneaky. That's because it catches the participants off guard: they think they're conversing with the legitimate account user, which is not the case. The bad news is that hackers exploit the participants' trust to defraud the organization.


How to Spot Reply Chain Phishing

A reply-chain attack is not easy to spot. 

In the case of IKEA, the participants discovered that the email responses from the compromised account were full of grammatical errors, which the real account owner never made. Plus, all the email links had one thing in common: they all ended in 7-digit numbers.

That said, a strategically executed reply-chain phishing attack can be hard to spot. But if you look deeper into the conversation, you might observe a pattern common to all phishing attacks.
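The link indicator described above can be checked mechanically. This is an added example, not code from the original post or from IKEA's response: it scans a constructed reply for links whose path ends in exactly seven digits, the trait shared by the links in the IKEA campaign. The sample message and domains are made up for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample reply modelled on the office floor plan scenario above
# (not a real message from the IKEA incident).
SAMPLE_REPLY = """\
Hi all,
I've drafted a detailed floor plan that illustrates the location of the walls and doors.
Here's a link to see it: https://files.example-share.test/view/1234567
The older revision is still here: https://intranet.example.test/docs/floorplan-v2.pdf
Thanks"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Exactly seven digits at the end of the URL path, not part of a longer number.
SEVEN_DIGIT_SUFFIX = re.compile(r"(?<!\d)\d{7}$")


def extract_links(body: str) -> list[str]:
    """Return every http(s) URL in the message body, trailing punctuation removed."""
    return [url.rstrip(".,;:)") for url in URL_RE.findall(body)]


def flag_seven_digit_links(body: str) -> list[str]:
    """Return the links whose path ends in a 7-digit number, the IKEA indicator."""
    flagged = []
    for url in extract_links(body):
        path = urlparse(url).path.rstrip("/")
        if SEVEN_DIGIT_SUFFIX.search(path):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in flag_seven_digit_links(SAMPLE_REPLY):
        print("suspicious link:", url)
```

A hit is a prompt to verify the link with the sender out of band, not proof of compromise on its own.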

How to Protect Yourself Against It

Here are steps you can take to avoid falling prey to reply-chain phishing.

  1. Educate Your Employees on This Kind of Phishing Attack

The first step you can take is to educate your employees on reply-chain phishing and other types of cyberattacks. Every company, and especially every small business, needs to provide a cybersecurity awareness training program for its employees. After all, they are your last line of defense.

  2. Increase Business Email Compromise Defenses

The next thing you'll want to do is improve email security. It would be impossible for hackers to execute reply-chain attacks if email accounts couldn't be compromised in the first place. Here are some ways to improve email security in your organization.

  3. Encourage the Use of Internal Messaging Apps

Hackers won't be able to execute a reply-chain phishing attack on Teams, Slack, or Asana. 

While these apps aren't 100% secure, they're immune to many attacks that target email. Plus, these apps are faster, more convenient, and easier to track than email. 

Summing Up 

Reply chain phishing occurs when hackers sneak themselves into legitimate email conversations through compromised accounts. These attacks can be very dangerous because the responses come from trusted people in the email chain, catching participants off guard.

Organizations can mitigate these threats by educating their employees on reply-chain phishing, improving business email compromise defenses, and encouraging the use of messaging apps. Having robust cybersecurity in place for your small business doesn't hurt either.

If you need help with your email security or other IT needs, don't hesitate to reach out. We're here to help! We'll give you a free, no-pressure technology audit so you can find out how effective and secure your operating environment really is. 
