How to Avoid Reply-Chain Phishing Attacks

Kristin Sperring

It may seem that every article on cyber security mentions phishing.


That’s because phishing is still the number one delivery vehicle for cyberattacks.


Phishing continues to increase at an alarming rate, targeting businesses for employee login credentials, customer data and more, especially since the move to remote working as a result of the pandemic. With many employees now working from home, they don’t have the same network protections that the office does.


80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.


Whilst people are more aware of phishing emails these days, scam emails are also becoming harder to spot as attackers evolve more sophisticated strategies. One of the newest tactics is particularly hard to detect: the reply-chain phishing attack.



What is a Reply-Chain Phishing Attack?

An email reply chain will probably look familiar to you already. In Outlook, for example, an email is copied to one or more people, someone replies, and that message sits above the original email. Then another person adds a response, and you soon have a chain of replies listed in order so everyone can follow the conversation.


You don’t expect a phishing email tucked inside that ongoing email conversation. Most people expect phishing to arrive as a new message, not as a message included in an ongoing reply chain. But reply-chain phishing does exactly that, by inserting a convincing-looking email into the thread.



How Does a Hacker Gain Access to the Reply Chain?

By hacking the email account of one of those people copied on the email chain.


The hacker can send and reply to email conversations, with the added benefit of being able to read down the initial chain for better context. Then, they can form a response that fits.


For example, they may see that everyone has been discussing a new marketing campaign on LinkedIn. The hacker can send a reply that says, “I’ve drafted up some thoughts on using LinkedIn for marketing, here’s a link to see them.”


But instead of their thoughts on LinkedIn, the link goes to a malicious phishing site. The site might infect a visitor’s system with malware or present a form to steal more login credentials.



Reply-chain emails won’t look like phishing attacks because:

  • They come from an internal address in an existing conversation.
  • They are in keeping with the email discussion.
  • They use personal names pulled from elsewhere in the thread.
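As an added, defender-side example (not from the original article): a small Python heuristic that walks a constructed reply chain and flags any link in the newest reply whose domain never appeared earlier in the thread, since that is exactly what the inserted reply described above looks like. All addresses and URLs are made up.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reply chain, newest first (the order Outlook displays it).
# Each entry is (From header, body text). The top message is the kind of reply
# the article describes: internal sender, fits the topic, but the link goes
# to a domain the conversation never referenced before.
THREAD = [
    ("Dana <dana@example-corp.test>",
     "I've drafted up some thoughts on using LinkedIn for marketing, "
     "here's a link to see them: https://linkedin-marketing-notes.example.net/doc"),
    ("Sam <sam@example-corp.test>",
     "Agreed, let's plan it around the launch. Our page is "
     "https://www.linkedin.com/company/example-corp"),
    ("Dana <dana@example-corp.test>",
     "Shall we discuss the new LinkedIn campaign on Friday?"),
]

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")

def registered_domain(host):
    """Crude registrable domain: the last two labels of a hostname.
    Wrong for multi-label public suffixes such as co.uk; sufficient here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def sender_domain(from_header):
    return registered_domain(parseaddr(from_header)[1].rsplit("@", 1)[-1])

def link_domains(body):
    return {registered_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}

def new_link_domains_in_latest_reply(thread):
    """Return URLs in the newest message whose domain is neither the sender's
    own domain nor a domain seen anywhere earlier in the chain (in a link or
    a participant's address). Such links deserve a second look even when the
    sender is internal and the wording fits the conversation."""
    newest_from, newest_body = thread[0]
    known = {sender_domain(newest_from)}
    for sender, body in thread[1:]:
        known.add(sender_domain(sender))
        known |= link_domains(body)
    return [u for u in URL_RE.findall(newest_body)
            if registered_domain(urlparse(u).hostname or "") not in known]

if __name__ == "__main__":
    for url in new_link_domains_in_latest_reply(THREAD):
        print("Link to a domain new to this thread:", url)
```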



Business Email Compromise Is On The Rise

A new acronym has recently been coined for an increasingly common issue: business email compromise (BEC). This occurs when weak or unsecured passwords, or user login databases, are breached, allowing access to email accounts.

Over the last few years, BEC attacks have increased from 65% in 2020 to 77% in 2021. The most common method of BEC is using reply-chain phishing attacks to steal sensitive data, which is then sold on the Dark Web, or to plant ransomware or other malware to impede business operations.



Reduce the Risk of Reply-Chain Phishing

There are a few methods you can use to reduce the risk of reply-chain phishing:


  • Implement a business password manager to ensure staff use strong, unique passwords for different applications.
  • Educate your employees on what to look out for, and encourage them to flag anything that doesn’t look right.
  • Use two-factor or multi-factor authentication on email logins, and block access from unknown or unapproved IP addresses.


Check Your Email Account Protections

Make sure you check what email security protections you have in place for your email accounts. If you are unsure, get in touch with the team at Xiria, and we can help guide you on how to keep your business data protected.