
Popular email services impersonated and scammed thousands in 2020


Thousands of companies have been targeted by cyberattacks that use official email services as a hook to appear legitimate.

Criminals are registering accounts with well-known services such as Gmail and AOL that are then used in phishing, impersonation and business email compromise (BEC) attacks, according to a report from Barracuda Networks.

Its researchers detected 6,170 malicious accounts using email services such as Gmail that have been responsible for over 100,000 BEC attacks impacting nearly 6,600 organisations. 

Such attacks are typically smash-and-grab operations: most of the accounts were active for less than 24 hours, although some criminals were found to return and re-use an address for another attack after a long break.

The number of attack emails sent per malicious account also varied widely: the average account sent 19 emails, but some sent more than 600.

The volume of attacks appears to be linked to the global pandemic and lockdown, with Barracuda Networks finding that such tactics have been behind 45 per cent of all BEC attacks detected since April 1.

Gmail, where registering an account is free, was the most popular choice, accounting for 59% of the email domains used by the attackers, with Yahoo second on 6%.
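Because the sending domain in these attacks is a legitimate webmail provider, domain reputation and SPF/DKIM checks pass, so detection has to rely on other signals in the individual message. As an added illustration (not code from the article or from Barracuda Networks), the following Python script triages an inbound message on the signals the report describes: a sender on a free webmail domain, a display name that matches a protected employee but an address that is not theirs, a Reply-To that redirects replies to a different domain, and urgency language in the body. The domain list, the PROTECTED_IDENTITIES directory, the URGENCY_TERMS and the three sample messages are constructed assumptions for this example, not report data.

```python
"""Header- and content-level triage for BEC mail sent from free webmail accounts.

Added example; not Barracuda's product logic. Every list and sample below is an assumption.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Free webmail providers named in the report (Gmail, Yahoo, AOL); extend as needed.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "aol.com"}

# Constructed directory: normalised display name -> the person's legitimate corporate address.
PROTECTED_IDENTITIES = {
    "jane doe": "jane.doe@example.com",
}

# Phrases typical of BEC lures (constructed list).
URGENCY_TERMS = ("wire transfer", "gift card", "urgent", "are you available", "invoice")


def _norm(name):
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return re.sub(r"\s+", " ", name.strip().lower())


def _domain(addr):
    """Return the domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the list of BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []
    from_dom = _domain(addr)
    if from_dom in FREE_WEBMAIL_DOMAINS:
        findings.append("free-webmail-sender")
        # Display name of a known employee on a webmail address that is not theirs.
        expected = PROTECTED_IDENTITIES.get(_norm(name))
        if expected and expected != addr.lower():
            findings.append("display-name-impersonation")
    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")
    if any(term in text.lower() for term in URGENCY_TERMS):
        findings.append("urgency-language")
    return findings


# Constructed sample messages (not real captures).
SAMPLE_BEC = """From: Jane Doe <jane.doe.ceo2020@gmail.com>
To: accounts@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Are you available? I need an urgent wire transfer processed today.
"""

SAMPLE_REPLY_TO = """From: Payroll <payroll.team2020@aol.com>
Reply-To: payments@mail.example
To: hr@example.com
Subject: Bank details
Content-Type: text/plain; charset="utf-8"

Please update the bank account details for this month's payroll.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Monday agenda
Content-Type: text/plain; charset="utf-8"

Please find attached the agenda for Monday.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("reply-to", SAMPLE_REPLY_TO), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample))
```

A free-webmail sender on its own is not a block signal, since customers and contractors write from Gmail legitimately, which is why the script only escalates when that signal combines with impersonation or a redirected reply path. The report's observation that most accounts live for under 24 hours also means sender-reputation lookups and denylists will usually be too late; per-message header and content checks like these, plus a human review step, are what catch the first email from a fresh account.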

“Because email services such as Gmail are free to set up, just about anyone can create a potentially malicious account for the purpose of a BEC attack," said Michael Flouton, VP Email Protection, Barracuda Networks.

“Securing oneself against this threat requires organisations to take protection matters into their own hands – this requires them to invest in sophisticated email security that leverages artificial intelligence to identify unusual senders and requests."

“However, no security software will ever be 100% effective, particularly when the sender appears to be using a perfectly legitimate email domain. Thus, employee training and education is essential, and workers should be made aware of how to manually spot, flag and block any potentially malicious content.”