Email Security Blog

The Exploitation of Cloud Based Email Services

It’s been more than forty years since the dawn of email. And considering it didn’t really find its groove until the 1990s, it’s astonishing to think that now more than 333 billion emails are sent and received daily.[1] Today’s technology sees more and more companies moving away from in-house servers and desktop storage to take their email to the cloud.

Cloud storage allows you to save data and files at an off-site, third-party location and access them through the public internet or a dedicated private network connection. Once your data is sent off-site, it becomes the responsibility of the Cloud Service Provider (CSP) who not only secures and manages your files but ensures they are available when you want them. For companies with large amounts of data, paying for cloud storage can be a big cost-saver, compared to owning and managing your own in-house data storage networks.

So, is the cloud a safer place for your email? It may feel insecure because your data is stored with a third-party CSP and not in your control, but cloud service providers invest heavily in security and software. They also employ teams of security experts who watch over your data around the clock. Does this make the security of your email infallible? Certainly not.

When it comes to cybercriminals, where there’s a will, there’s a way, and they’ll figure out how to get through even the cloud to steal from companies. For years now, the Federal Bureau of Investigation’s Internet Crime Complaint Center has been warning the public of phishing scams initiated by hackers targeting companies using cloud-based email services. In particular, they are conducting Business Email Compromise (BEC) scams. According to the FBI, “scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds.”[2]

In the last five years, the Internet Crime Complaint Center has received a steady increase in BEC complaints from companies, totalling $2.4 billion in 2021 alone. No one seems to be exempt as BEC scams have been reported in all 50 states and in 177 countries.[3]

What may seem new is the use of phishing kits. Phishing kits are collections of tools that let people with little technical skill create convincing phishing schemes by replicating a familiar brand or company, often a cloud services provider like Microsoft or Google. Phishing kits are also used by cybercriminals who want to conduct a large-scale phishing attack on short notice. Phishing kits help hackers convince victims to share their log-in credentials.

While monitoring these cloud-based phishing attacks, the FBI found that hackers would take the following steps:[1]

  1. Use the phishing kit to identify the email associated with each set of compromised credentials, allowing the hacker to target victims using cloud-based services
  2. Analyze the content of the compromised email accounts for evidence of financial transactions
  3. Configure mailbox rules of a compromised account to delete key messages or enable auto-forwarding to an outside email account
  4. Impersonate email between compromised businesses and third parties (such as vendors or customers) to request pending or future payments
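
Step 3 leaves a trace defenders can look for: a mailbox rule that forwards mail outside the company or quietly deletes finance-related messages. The sketch below is an added example, not code from the FBI or from INKY; the rule record layout, the `example.com` domain and all sample rules are constructed assumptions standing in for whatever your mail platform exports.

```python
# Added example: audit exported mailbox rules for the two behaviours in step 3.
# The record layout (mailbox, name, forward_to, delete, keywords) is a
# hypothetical export format, and every sample value below is constructed.

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains (exact match)
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def audit_rule(rule):
    """Return a list of findings for one mailbox rule (empty if none)."""
    findings = []
    external = sorted(a for a in rule.get("forward_to", [])
                      if domain_of(a) not in INTERNAL_DOMAINS)
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.get("delete"):
        matched = sorted(FINANCE_TERMS & {k.lower() for k in rule.get("keywords", [])})
        if matched:
            findings.append("deletes finance-related mail: " + ", ".join(matched))
        elif not rule.get("keywords"):
            findings.append("deletes mail with no keyword filter")
    return findings

def audit(rules):
    """Map 'mailbox/rule name' to findings for every rule that raised any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['mailbox']}/{rule['name']}"] = findings
    return report

# Constructed sample export: one benign rule, one external forward, one delete rule.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Newsletters", "forward_to": [],
     "delete": False, "keywords": ["newsletter"]},
    {"mailbox": "ap@example.com", "name": ".", "forward_to": ["copy@mail.example.net"],
     "delete": False, "keywords": []},
    {"mailbox": "cfo@example.com", "name": "cleanup", "forward_to": ["pa@example.com"],
     "delete": True, "keywords": ["Invoice", "Payment"]},
]

if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_RULES).items():
        for finding in findings:
            print(f"{rule_id}: {finding}")
```

Any rule this flags deserves a conversation with the mailbox owner: a rule they do not remember creating is a strong sign the account has been compromised.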

Can most of these cloud-based phishing attacks be prevented? The answer is yes. How? Just listen to what the FBI experts have to say. According to the Internet Crime Complaint Center, “While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Users can better protect themselves from BEC by taking advantage of the full spectrum of protections that are available.”

Cost-effective and powerful, INKY can block impersonation attempts and coach users to make safe decisions – everywhere, all the time – with the only behavioral email security platform available. INKY signals suspicious behaviors with interactive banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems, so it’s a win for everyone in the company.

Make email security a priority in your company before it’s too late. Schedule your free INKY demonstration today.

