
Man-in-the-email vs. man-in-the-middle attack: What's the difference?

Learn the difference between man-in-the-middle and man-in-the-email attacks, and get tips on how to prevent becoming a victim.

What is a "man-in-the-email" attack? Is it different from a man-in-the-middle attack? Are there security tools and/or policies that can protect users from falling victim to such scams?

People and organizations are vulnerable to certain attacks regardless of whether the attack arrives via a webpage, phone call, email, text message or some other channel.

High-profile vulnerabilities and advanced persistent threats get the most media attention, but low-tech attacks can be harder to stop or prevent because they target the human rather than the technology.

A "man-in-the-email" attack is like the classic man-in-the-middle attack, except that the party in the middle is a human rather than a network device: the attacker inserts himself or herself into an email exchange and convinces each of the other parties that they are still communicating directly with one another. Because the middleman controls the communications, he or she could, for example, pass along one party's legitimate instruction to transfer money but change the account number so that the funds are directed to a fraudulent account the middleman controls.

There are long-term technical changes that would help: stronger ways of knowing whom you are communicating with (email sender authentication such as SPF, DKIM and DMARC) and of tracing a message back to its original source. Those changes might make these particular attacks stoppable, but, as the Internet Crime Complaint Center reported in its recent scam alert, attackers change their tactics as defenses change.

Security tools and policies on their own will not eliminate the enterprise risk from man-in-the-email attacks. Because employees are being socially engineered into performing an action, security awareness is the most effective defense.

Training should be backed by a policy requiring out-of-band validation of any financial transaction, or any change to payment details, through a known-good communication method, such as a PIN sent to an authorized mobile phone or a call to a number already on file rather than one supplied in the email itself. Training should also cover ways to recognize fraudulent communications that cannot be validated, such as spelling errors in names, email addresses that do not match the expected domain, and unexplained changes in phone numbers or account details.
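The indicators listed above (a mismatched or lookalike sender domain, a changed phone number, a changed account number) can be checked mechanically against a vendor record on file, so that the human in accounts payable gets a warning before acting. The following is an added example written for this page, not code from the original article or from any product; it assumes a hypothetical vendor record (domain, phone and account values are constructed), and the two sample messages are constructed for illustration.

```python
"""Heuristic checks for man-in-the-email (payment-diversion) messages.

Added example, not part of the original article. The vendor record,
the homoglyph table and the sample messages are constructed
illustrations, not data from any real case.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed "known-good" vendor record (hypothetical values).
VENDOR_ON_FILE = {
    "domain": "acme-supplies.com",
    "phone": "+1-555-010-2000",
    "account": "123456789",
}

# Character swaps commonly used to register lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize_domain(domain: str) -> str:
    """Undo common homoglyph substitutions so a lookalike compares equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain is not the trusted domain but is one swap or one edit away."""
    if domain == trusted:
        return False
    return normalize_domain(domain) == trusted or edit_distance(domain, trusted) <= 1


def check_message(raw: str, vendor=VENDOR_ON_FILE) -> List[str]:
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # Replies silently diverted to another mailbox is the classic middleman trick.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    for label, dom in (("sender", from_domain), ("reply-to", reply_domain)):
        if is_lookalike(dom, vendor["domain"]):
            findings.append(f"{label} domain {dom} looks like {vendor['domain']}")

    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    digits = lambda s: re.sub(r"\D", "", s)
    # Bank account numbers: 8 to 12 digit runs that do not match the record on file.
    for acct in re.findall(r"\b\d{8,12}\b", body):
        if acct != vendor["account"]:
            findings.append(f"account number {acct} differs from account on file")
    # Phone numbers: compare digits only so formatting differences do not matter.
    for phone in re.findall(r"\+?\d[\d\-\s]{8,}\d", body):
        if digits(phone) != digits(vendor["phone"]):
            findings.append(f"phone {phone.strip()} differs from phone on file")
    return findings


# Constructed sample messages for the checks above.
LEGIT_MESSAGE = """From: Dana <dana@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471

Hi, invoice 4471 is attached. Payment to account 123456789 as usual.
Call +1-555-010-2000 with questions.
"""

FRAUD_MESSAGE = """From: Dana <dana@acme-supplies.com>
Reply-To: dana@acrne-supplies.com
To: ap@example.com
Subject: Re: Invoice 4471

Hi, please note our bank details have changed. Send the payment for
invoice 4471 to account 987654321 instead. Call me on +1-555-010-9999,
not the office line.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("fraud", FRAUD_MESSAGE)):
        print(name, check_message(raw) or ["no findings"])
```

None of these checks proves a message is fraudulent; a finding is the trigger for the out-of-band validation step, and a clean result does not excuse skipping it when payment details change.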

Ask the Expert: Nick Lewis. (Questions submitted to the column are anonymous.)


This was last published in March 2015


1 comment


So a man in the email is a bit of a social engineering attack, but it would require some way to lead someone into believing they've communicated with a legitimate party.

That's a little scary actually. How many people give an email a second thought about who it's really going to?
