What is an Email Reply Chain Attack? Why do you need to worry about this?

According to recent data, email phishing continues to be the most common way for malware to penetrate enterprises, and Business Email Compromise (BEC) is the leading cause of financial loss in organizations. While classic phishing and spearphishing attempts try to spoof the sender by using a forged address, a more sophisticated type of attack hijacks legitimate email correspondence chains, inserting a phishing email into an existing conversation to gain the receiver’s trust. This technique is often referred to as a “hijacked email reply chain,” a “reply chain attack,” and “thread hijacks spamming”.

Why are they Dangerous?

A major reason to worry about these types of attacks is their effectiveness. Unlike typical phishing, warning flags are usually absent in reply-chain attacks.

Because their text is well crafted and error-free, even the most cautious and well-trained personnel may fall for email reply chain attacks. The reply comes from a legitimate sender and is part of an existing conversation, which lends the attack credibility. This makes even the most cyber-security-aware people vulnerable to this technique. The most successful reply chain attacks appear to leverage supplier relationships, which include any person or business that provides services or products to another. Attacks that leverage supplier relationships can end up costing companies anywhere from tens of thousands of dollars to multiple millions, so it is worthwhile to illustrate the reply chain attack and how to avoid becoming a victim.

Experts predict that the problem will only worsen and become more expensive in the coming years, and finance departments are right in cybercriminals’ sights: According to email security company Agari Inc., one cybercriminal gang alone had the contact information of over 50,000 financial executives in their potential target database. So what is business email compromise and what can finance professionals do to protect themselves and mitigate the risk of a devastating loss?

How Can You Stay Safe from Reply-chain attacks?

Because of the indirect nature of this attack, it may appear impossible to defend against at first glance. Here are some strategies you can employ to reduce your chances of becoming a victim of this attack.

Be vigilant of suspicious or unexpected ‘urgent’ payment requests or changes

  • Do look carefully at the sender’s email address. Criminals often create an account with an email address very similar to your business partner’s, so keep your eyes peeled.
  • Do spread the word so any colleagues dealing with bank accounts are aware of the scam.
  • If you receive an email concerning a change of payment method or bank account, do contact the payment recipient by phone, using the pre-existing phone number (known to you, not on the invoice), to verify this claim. Don’t reply directly to the email.
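
The first check in the list above can be partly automated. The following is an added example, not part of the original article: it flags a sender domain that is a near miss of a known partner domain and notes whether the message claims to continue an existing thread. The partner domains, the sample message and the distance threshold of 2 are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of partner domains (assumption, not from the article).
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Constructed sample: a reply inserted into an invoice thread from a
# one-character lookalike of a partner domain ("1" in place of "i").
SAMPLE_LOOKALIKE = """\
From: Accounts <billing@acme-suppl1es.example>
To: ap@yourco.example
Subject: Re: Invoice 1042
In-Reply-To: <constructed-1@acme-supplies.example>

Please note that our bank details have changed.
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(raw_message, known=KNOWN_PARTNER_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, imitated_partner, is_reply)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # A message that claims to continue a thread deserves the closest look.
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    if domain in known:
        return ("known", domain, None, is_reply)
    for partner in sorted(known):
        if 0 < edit_distance(domain, partner) <= max_distance:
            return ("lookalike", domain, partner, is_reply)
    return ("unknown", domain, None, is_reply)

if __name__ == "__main__":
    print(classify_sender(SAMPLE_LOOKALIKE))
```

A "known" verdict only rules out a lookalike address. A reply sent from a partner's genuine but hijacked mailbox still passes this check, which is why the phone verification step above remains necessary.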

Teach Employees to Be Aware

Employees are often trained in security awareness so that they don’t open emails from unknown senders. The problem with reply-chain attacks is that the sender is someone you trust. Business email compromise (BEC) is a growing concern, which means employees need to take extra precautions even when interacting with emails from trusted senders.

How to prevent your business from being impersonated by a cybercriminal

You should take the necessary steps to protect yourself from being impersonated by cybercriminals who may scam your customers, eroding their trust and making it harder to get your invoice paid. 

  • Secure your email, accounting, and other systems with two-factor authentication.
  • Store supplier bank details in the internet banking payee list or in your accounting software rather than entering the BSB and Account Number each and every time.
  • Limit who can change payment details and introduce approval processes when bank details change.
  • Office macros should be locked down or completely forbidden whenever possible. Macros are still a common attack vector, even though they are not the only means by which malicious attachments can compromise devices.


Threat actors deploy email reply chain attacks as a form of social engineering to achieve their objectives. In contrast to the physical world with its hardcoded laws of nature, there are no rules in the cyber world that can’t be altered by manipulating hardware, software, or users. However, this is true for defenders as well as attackers. As long as we keep control over all aspects of our cyber environment, we can prevent attacks from infecting our organization or causing lasting damage. Educate your users, train your staff, and let the criminals find another target. Does your business have enough email protection? Let us know if you’d like some help! We design email security solutions that can keep you better protected and your staff trained.

