Types of email attacks—protection, detection, and prompt response

Get to know various types of email attacks and learn how to respond to them. We will present the latest security measures to keep your inbox safe and private.
According to recent statistics, cybercrime has increased by 600% since the pandemic, largely as a consequence of the increase in remote work and online correspondence. The types of email attacks have also diversified, with more and more users facing data breaches and intrusions of privacy.This guide will present common cyber threats and help you reevaluate your current email security standards. We will discuss:
Safeguard your communications with SkiffSkiff Email provides powerful end-to-end encryption and real-time threat detection
Sign up

Why are cyber attacks by email common?

Emails often contain a history of crucial personal or sensitive data you’ve shared. They’re not only a repository of your private conversations or document attachments, but your email account also holds info about the online services you use, your shopping habits, and your overall digital footprint.Getting attacked via email is common because the process is pretty easy. An average hacker can infiltrate your account using various entry points, such as the login window or the network server. Our list of email attack types covers all major threats across different access points.

Common email attack types every user should know

In most cases, cyber-attackers want sensitive data or access to your online accounts. They can steal your identity or sell your credentials to the highest bidder on the dark web. Some hackers also use emails to enter an organization’s servers, disrupt services, and cause reputational damage.On a macro level, email attacks typically fit one or more of these five types:
  1. Phishing
  2. Malware
  3. Man-in-the-middle attack
  4. Denial of service
  5. Account takeover

Phishing—an ever-expanding evil

Phishing is an umbrella term for any malicious activity involving social engineering and the abuse of predictable human behavior.The attackers use psychological manipulation to harvest data or defraud users.Most of us can see right through the notorious Nigerian prince or trust fund scams by now, but you still need to keep your guard up because phishing attacks are constantly evolving. The table below summarizes the most elaborate phishing tactics:
Phishing subtypeDetails
Clone phishingThe hacker intercepts an existing email and sends it to you again, often word for word, using a spoofed address. The new email contains infected attachments or unreasonable requests that can get the unsuspecting user in trouble
Spear phishingSpear phishing targets specific individuals within a company to orchestrate access to sensitive info. A spear-phishing email is created after thorough research of the intended victims, so they appear to originate from a trusted source
Whaling/CEO fraudWhaling involves tricking senior or influential employees, and even celebrities, into taking a desired action
Pharming and spoofingThe enablers of pharming and spoofing attacks bait users by creating fake websites that look like the original. These portals are often used to collect credit card info
HTTPS phishingHTTPS phishing is an extension of pharming. The attacker spikes emails with links to malicious websites that don’t follow hypertext transfer protocol secure (HTTPS) standards. Such URLs are usually shortened or unnatural
VishingVishing is a phishing attack that uses telephone calls instead of emails to harvest credit card and similar financial data from sensitive users under fake panic-inducing scenarios

Malware attacks

Malware attacks—including viruses, adware, scareware, and spyware—often accompany phishing schemes. You get an email asking you to download software or a document, but the attachment is infected with malware. Your inbox and device receive programs for activity tracking, keystroke collection, and data capture, compromising your privacy and security and putting your entire system at risk.

Man-in-the-middle (MITM) attacks

Emailing should be correspondence between two or more authorized parties, but there are more players facilitating the communication. A man-in-the-middle attack happens on the route used to send a message. The hacker bypasses network security protocols and intercepts emails traveling through servers and clouds.According to SecureOps Cybersecurity Statistics Report, 95% of HTTPS servers are vulnerable to MITM attacks, and in most cases, the users remain unaware of the breach. The only way to protect your inbox from these attacks is to use end-to-end encryption (E2EE). This security protocol converts a message into undecipherable signs before it starts moving through the network. Only the recipient has the key to decrypt the message, so the hacker cannot use it even if they manage to intercept the communication.Skiff is a highly reliable E2EE email service offering a privacy-first, user-friendly email environment with extra protection against phishing, MITM, and other attacks.

Denial of service (DoS) attacks

Denial of service (DoS) attacks plague businesses more than individuals. The hacker uses superfluous traffic to overwhelm and eventually cripple email servers, causing service disruption and significant financial and reputational loss. Signs of a DoS attack include:
  • The exponential rise in inbound emails from limited sources
  • Server slowdowns
  • Frequent network disconnection

Account takeover (ATO) attacks

In the case of an account takeover, someone gets hold of your login credentials and takes control of your email account. Your credentials are usually stolen via phishing, malware attack, or device theft. Other tactics can be:
  • Brute force attack—A brute force attack is implemented by well-configured bots that use trillions of password-username combos to access your email. Complex passwords can delay the process indefinitely
  • Dictionary attack—Dictionary attacks work like brute force attacks but target people who use weak passwords, including dictionary words like godfriendedme, password1, qwerty12345, ilovemydog, etc.
  • Credential stuffing—If you use similar passwords across platforms, credential stuffing can put you at risk. Hackers gain access to your leaked user data from other websites, using it to take over your email account
If you get hacked, your first response should be to regain control of your account and change your login credentials. In case you cannot do that, you must contact the email service provider and prove that you’re the original owner of the account. However, this may take hours or days, giving attackers time to execute an attack.

Email-based cyber attacks—defense strategy

Your email account is an easy gateway to your online presence, so keeping it secure is essential. Follow the basics of safety as a user—avoid engaging with emails or senders you don't know and never download or open attachments from unfamiliar sources. As for the technical aspects, here are some core security measures:
  • Improve your password and device security—Using strong passwords and device lock mechanisms can ward off account takeover attacks. A password manager can also help maintain password hygiene
  • Enable two-factor authentication (2FA)—2FA requires the user to verify their identity in two ways, which means knowing a password isn’t enough. You also have to do one of the following:
    • Enter an OTP sent to a phone
    • Provide biometrics validation
  • Use an end-to-end encrypted (E2EE) service—Unless you use providers with effective and transparent end-to-end encryption protocols in place, like Skiff Mail, you can never be sure who has access to your data behind the scenes

How E2EE defends you against email attacks

Your data is the most vulnerable on the network. According to the Breach Level Index (BLI) from 2017, more than 99% of 1.9 billion records breached during the first half of the year were unencrypted. E2EE services ensure your data is locked on the network and device levels because they make it unreadable to unauthorized parties.Keep in mind that services like Outlook and Gmail use encryption, but it is not end-to-end encryption. They follow Transport Layer Security (TLS) protocols that encrypt data only during transit, not while it rests on servers. The decryption key is also controlled by the provider, so your data can be hacked by anyone who infiltrates the servers or insiders with access to sensitive data.E2EE allows users to control the decryption keys, which turns the network into a safe passageway for your messages.
Opt for a fully secured email serviceSkiff's end-to-end encryption gives you the ultimate email protection
Sign up

Make E2EE email security the norm with Skiff Mail

End-to-end encryption requires complex algorithms, and providers didn’t have the resources to implement it on a large scale for years. The available E2EE services were expensive, complicated, and lacked features vital for effortless online communication.Skiff has revolutionized the landscape with a complete E2EE product suite, containing:
  1. Skiff Mail
  2. Skiff Pages
  3. Skiff Drive
  4. Skiff Calendar
Skiff follows a zero-trust policy, so not even Skiff can scan, read, or store your data. Sign up for a Skiff account to discover a secure, end-to-end-encrypted environment. The platform’s intuitive user interface helps you maintain a neat and organized inbox with free access to all essential features, including email search and cloud storage.

Skiff’s email attack resistance

Skiff is an open-source service, and the public can check how its security features are implemented. Besides the transparency, Skiff offers enhanced resistance against advanced attacks like:
  • Phishing and malware
  • Impersonation and identity theft
  • MITM attacks
  • Account takeover attacks
  • Username enumeration
  • De-anonymization
  • Brute force and dictionary attacks
Skiff implements advanced end-to-end encryption for a fast and efficient security setup. You can go through the public whitepaper to learn more about the platform’s security model and system design. Check out the following table to learn about other security features Skiff offers:
2FASkiff allows (and encourages) users to use 2FA for a completely secure login process
Zero-knowledge loginSkiff is all about anonymity. The platform doesn’t require your name, phone number, organization, and other personal info for login. Clients only provide their usernames and passwords upon sign-up, and user passwords are never sent via any network connection
Subject encryptionEven the priciest E2EE service may fail to encrypt your email subjects. Skiff keeps subjects private, as well as metadata for all Pages and Drive files
Secure crypto integrationCryptocurrency users are high-priority targets for cybercriminals. Skiff facilitates seamless crypto wallet integrations to help users enjoy E2EE based on an anonymous crypto identity
Distributed storageSkiff offers secure, centralized storage, but if you want greater data portability, Skiff integrates with IPFS (InterPlanetary File System) network providing peer-to-peer (p2p) storage
The best part about Skiff is that you get E2EE protection across the collaboration platform. Whether you’re creating wikis on Skiff Pages or adding event details on Skiff Calendar, your data is safe.You can access Skiff from any browser (on PC or smartphone) or install a compatible app (for iOS, Android, and macOS)—all you have to do is create an account. Here’s how:
  1. Go to the Skiff signup page
  2. Decide on a username
  3. Enter the desired password
  4. Set up an account recovery method (optional)
Once you’re in, navigate to the settings to activate 2FA and tweak other security measures.

Join the community

Become a part of our 1,000,000+ community and join the future of a private and decentralized internet.

Free plan • No card required