How does a payloadless phishing email work?

by Egress
Published on 1st Nov 2022

With modern email security tools able to filter out many phishing emails with malicious attachments and links, attackers are looking for new ways to manipulate people. Payloadless phishing emails can bypass security that relies on detecting malicious payloads and trick victims into sharing information or making a payment.

How payloadless attacks work

Payloadless phishing emails are often used as a tactic in business email compromise (BEC) attacks. They use social engineering and simple messages to circumvent traditional security measures. Messages are designed to trick recipients into entering a conversation with the attacker without a malicious link or attachment. The attacker is likely spoofing the email address of a trusted contact or has managed to take over a legitimate account.

Because these messages appear to come from a trusted source (such as a vendor, colleague, or brand), the recipient is tricked into sharing information. The attacker will then manipulate the recipient into giving up valuable data, paying a Bitcoin extortion demand, or making a fraudulent payment.

The cost of a payloadless attack tends to be higher than many other types of phishing. The FBI reports that these attacks have cost businesses $26 billion over several years, even though they make up only five percent of all phishing emails.

Why these attacks succeed

A typical phishing email often contains a payload – a malicious link or attachment that gives the attacker access to the device or coerces the recipient into sharing sensitive information (such as login details). Secure email gateways (SEGs) that rely on signature-based detections can catch a good number of these emails, but they rely on the presence of a link or attachment to be able to identify the threat.

Payloadless emails don’t contain these elements and can slip through the security measures offered by a SEG. A payloadless email will often appear to come from a trusted source and won’t have a clearly malicious link or attachment. With many employees trained to look out for suspicious attachments and links, they might be lulled into a false sense of security with a payloadless BEC email.

When an attacker impersonates a boss, supplier, client, or other trusted source, the recipient often has a sense of urgency to hand over information or make a payment. Even if this seems out of the ordinary, an employee may feel pressured to act as instructed, which allows the attacker to get away with money or sensitive information.

Some types of payloadless emails won’t come from a trusted source but are designed to coerce the victim into handing over private information. One example of this is sextortion attacks, which rely on text-based threats alone to manipulate recipients into making a cryptocurrency payment.  

How to stop payloadless attacks

Because payloadless emails are so good at evading signature-based detection, more advanced anti-phishing technology is needed to catch these emails. On top of this, it’s vital to train employees to look out for more than just malicious attachments and links. Here are some ways you can catch payloadless email before it causes problems:

  • Use a zero-trust policy when it comes to emails – even from trusted sources
  • Educate employees about what to look for in a payloadless phishing email
  • Use technology that understands the context and content of an email to detect attacks early on
  • Implement additional security measures for payments to protect against phishing

The use of technology can empower employees to become your first line of defense against these payloadless attacks. Egress Defend uses natural language processing to understand the context of an email on top of social graphing to evaluate the relationship between sender and recipient. It can identify a suspicious message, even if it’s bypassed other email security measures.
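To make concrete why a link-and-attachment check passes a payloadless BEC email while context-based checks catch it, here is a small added example. It is not Egress code and does not represent how Defend works internally; the two sample messages, the address book and the sender-recipient history standing in for a social graph are all constructed for the example. It first applies the payload-only test described above, then runs context checks (display name of a known contact paired with a different address, a Reply-To pointing at a different domain, a sender-recipient pair never seen before, and urgency language combined with a payment request).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a payloadless BEC-style message (no link, no attachment).
SUSPICIOUS_RAW = """\
From: "Dana Whitfield" <dana.whitfield@examp1e-corp.test>
Reply-To: <dana.personal.office@mail-service.test>
To: accounts@example-corp.test
Subject: Quick favour - urgent wire before 5pm
Content-Type: text/plain; charset="utf-8"

Hi, I'm stuck in meetings and can't take calls. I need you to process an
urgent wire transfer to a new supplier before end of day. Please keep this
confidential until I confirm. Can you do this today?
"""

# Constructed sample: an ordinary internal message from the real contact.
BENIGN_RAW = """\
From: "Dana Whitfield" <dana.whitfield@example-corp.test>
To: accounts@example-corp.test
Subject: Q3 board pack
Content-Type: text/plain; charset="utf-8"

Thanks for the draft. Let's review the numbers at Thursday's meeting.
"""

# Hypothetical address book and communication history: a stand-in for the
# "social graph" of who the organisation knows and who has written to whom.
KNOWN_CONTACTS = {"dana whitfield": "dana.whitfield@example-corp.test"}
SEEN_PAIRS = {("dana.whitfield@example-corp.test", "accounts@example-corp.test")}

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
URGENCY_TERMS = ("urgent", "before end of day", "confidential", "can't take calls")
PAYMENT_TERMS = ("wire transfer", "payment", "invoice", "gift card", "bank details")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def has_payload(msg):
    """The check a signature-only gateway relies on: is there a link or attachment?"""
    if any(True for _ in msg.iter_attachments()):
        return True
    return URL_RE.search(body_text(msg)) is not None


def context_findings(msg):
    """Context-based findings that do not depend on a payload being present."""
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1]
    _, recipient = parseaddr(str(msg["To"]))
    recipient = recipient.lower()

    # Display-name impersonation: a known contact's name on a different address.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(f"display name matches known contact but address is {addr}")

    # Reply-To steering the conversation to a domain other than From.
    if msg["Reply-To"]:
        _, reply = parseaddr(str(msg["Reply-To"]))
        if reply.lower().rsplit("@", 1)[-1] != from_domain:
            findings.append("Reply-To domain differs from From domain")

    # Sender/recipient pair with no prior history (social-graph check).
    if (addr, recipient) not in SEEN_PAIRS:
        findings.append("first message between this sender and recipient")

    # Pressure to act quickly combined with a request to move money.
    text = body_text(msg).lower()
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        findings.append("urgency language combined with a payment request")

    return findings


def triage(raw, threshold=2):
    """Returns (has_payload, flagged_by_context, findings) for one raw message."""
    msg = parse(raw)
    findings = context_findings(msg)
    return has_payload(msg), len(findings) >= threshold, findings
```

Run `triage(SUSPICIOUS_RAW)` and the payload check returns False, exactly the blind spot the article describes, while the context checks produce four findings and flag the message; the benign control message produces none. In practice the keyword lists and the threshold would be tuned against an organisation's real mail, and the history set would come from observed traffic rather than a literal.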

Defend then lets the recipient know the message might be malicious, allowing them to approach with caution or follow other policies the organization sets. These real-time teachable moments are key in helping employees to recognize future threats. Supporting people with Egress Defend not only ensures these attacks are caught but also that they understand why the email has been flagged as dangerous.

If you’d like to learn more about Egress Defend and how it uses natural language processing to identify payloadless threats, request a personalized demo here.