Email is the single most effective and commonplace way of reaching someone in the business world today. Even as other methods of digital communication have come and gone over its 40-year history, email remains the backbone of business communications with 3.7 billion users worldwide collectively sending 269 billion messages every day.
But email’s ubiquity and popularity comes at a price: vulnerability. With the growing prevalence and success of targeted social engineering attacks, email continues to be a shockingly easy entry point for cybercriminals. In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise and phishing drive 48 percent of ALL internet crime-driven financial loss – more than all other business-related internet crime combined. Depending on their form, these targeted attacks are called by a number of names – spear phishing, business email compromise, impersonation, credential theft, etc. – and have a disproportionately large impact on an organization as they gain access to confidential information, intellectual property and in many circumstances, east-west migration attacks that go from email into core back-end systems that contain customer data or even financial access.
The Primary Email Security Challenge: Trust
Email security is a nuanced problem that lacks a silver bullet. This is because phishing preys on human psychology rather than technological vulnerabilities. At its core, the real challenge enterprises must overcome to protect themselves from email threats is users’ inherent trust in corporate email. This isn’t to say (as it might be easy to assume) that “users are the problem,” but in fact is symptomatic of a larger issue – that of the necessary balance between security and business operations.
According to a recent survey, there is a stark difference in the average workers’ perception of email-based threats within the enterprise and that of email security personnel. Only 34 percent of users without email security responsibility recall seeing email-based attacks in their inboxes, compared to 85 percent of email security professionals. While two-thirds of non-security workers claim to never see any email threats besides spam, 56 percent of security professionals see email-based attacks beyond spam on at least a weekly basis. These attacks include impersonations, wire transfer requests, W2 requests, payload attacks/malware, business services spoofing and credential theft.
This finding means one of two things: Either that the majority of professionals mistakenly believe that their work email systems are inherently secure or that they are lumping all “unwanted” email into the single category of “spam” regardless of whether it technically meets that definition. This dismissal of such threats within corporate email isn’t a result of thoughtless negligence – it’s due principally to a focus on business efficiency and operations. The average non-technical worker uses email as a tool to accomplish their job. The volume of email that comes through without threat, in fact, works against security in this instance because it lulls such workers into a false sense of confidence in the medium. The result is a high susceptibility to phishing and social engineering attacks, especially as those attacks become more sophisticated. Human error often plays a role in successful breaches, and no amount of periodic security awareness training will eliminate that.
With today’s complex IT ecosystem – spanning both company- and employee-owned tablets, phones, work laptops, home computers, and phones – email access is ubiquitous. This means people can constantly refresh and check for updates 24 hours a day, seven days a week, no matter where they are or what they’re doing. The pervasiveness of email and the always-on-nature of modern work means employees are likely checking email every waking hour – if not more – and the intense cognitive load this places on them can prohibit them from carefully considering each email and its legitimacy before taking action on or responding to a request. A distracted employee coupled with a convincing email from a seemingly trusted sender allows for scammers to easily exploit socially-engineered trust so that targeted employee voluntarily transfers money, personally identifiable information, or confidential and proprietary information.
Impersonations are Phishers’ Weapon of Choice
Overall, nearly half (46 percent) of all respondents from a GreatHorn survey see executive, internal or external impersonations, with that number jumping to 64 percent among email security professionals. Business services spoofing was the second most prevalent email threat professionals experience (42 percent), followed by wire transfers (39 percent), credential theft (34 percent) and payload/malware (33 percent).
When breaking down the data by company size, the prevalence of threats is roughly the same, with companies with less than 500 employees seeing slightly higher incidences of wire transfer requests, payload/malware attacks, and credential theft scams. Meanwhile, companies with more than 500 employees were more likely to see executive impersonations and W2 scams.
Email Security is Not Just a Phishing Problem
While phishing is certainly the most pervasive attack, it’s not just ultra-sophisticated and personalized attacks that reach workers. One-third of email security professionals report that payload attacks (e.g. malicious/suspicious attachments or links) are still making it through their cybersecurity defenses, despite being arguably the most heavily guarded against threats.
These basic attacks continue to be successful because organizations have traditionally relied on technologies like secure email gateways (SEGs) to protect email – in fact, 53 percent of respondents report using SEGs to guard against email threats. SEGs were designed to operate at the perimeter, using a binary good/bad model. Prior to cloud email platforms like Office 365 and Google G Suite, this model, which first came into the market in the late 1990s, was moderately successful for spotting malware. Today’s modern, cloud-based infrastructure, however, requires a continuous protection model that can spot highly targeted spear phishing campaigns as well as general malware, and provides a mechanism for re-evaluating and remediating email as new threats emerge.
With traditional technical solutions from a bygone era, it’s no surprise that 40 percent of respondents report they need to routinely take significant remediation actions to counter basic attacks that get through their email security solution. Nearly two-thirds indicate experiencing major technical issues with their existing security solution. For example, 19 percent report that they have weak or no remediation capabilities if an email threat reaches an end user, and 21 percent believe their solution negatively impacts business operations (e.g. too many false-positives).
Managing Email-Based Threats in Today’s Modern World
These findings indicate that the threat surface is growing. While cybercriminals are becoming more sophisticated, organizations continue to rely on outdated, perimeter-based approaches to blocking threats. These solutions are designed to stop the flow of unwanted mail from entering the corporate infrastructure at a single point in time. However, these gateway-based tools are inadequate for detecting attacks that rely on social engineering tactics to fool employees – like the impersonations, wire transfer requests, W2 requests and business services spoofing that the majority of security professionals report seeing on a weekly basis – and many bypass the perimeter unnoticed.
Sadly, visibility is severely lacking within most of today’s enterprises, and it’s unrealistic for security teams to secure something they can’t see. For organizations looking to defend their teams, they need to look to an email security solution that takes a much more nuanced approach to email security. By evaluating different threat vectors and comparing emails against expected patterns of communication, automated email security tools can be much more effective at providing comprehensive post-delivery protection against targeted email attacks that traditional email security technologies cannot. Such tools correlate deep learning and metadata information – such as geolocation data, relationship strength between sender and recipient, organizational who-knows-whom information, and frequency of contact – to determine whether an individual message is an attempt to deceive an organization’s employees.
With this increased visibility, an enterprise can look at every message, every security incident, and every social connection point between employees, external vendors, customers and trusted contacts to programmatically identify email-based threats and alert security teams to a potential attack. This contextual analysis drives down time-to-detection response drastically and allows teams to address threats in real time. In addition, automation detects patterns what these teams might otherwise miss by continuously evolving user and organizational profiling.
As cybercriminals continue to launch increasingly advanced attacks, email security must be a top priority for all businesses. Automating detection, remediation and post-delivery incident response allows organizations to protect their people from today’s sophisticated email threats with much more success and efficiency than ever before.