Email remains one of the most widely used mediums for communication and is exploited by cybercriminals to target nations, organizations and individuals. Following the shift to remote work, attackers have intensified email-based phishing attacks to target workers as they adjust to the new realities of remote or hybrid work. Attackers also exploited the anxiety caused by the pandemic and tailored phishing campaigns offering information on COVID-19 or its vaccines.
According to a 2021 report on business email compromise by GreatHorn, an email security company, 51% of organizations reported an increase in spear-phishing attacks in the last 12 months, while 57% said they experience spear-phishing weekly or daily.
Email phishing is quite effective, and many large organizations have fallen for it. A case in point is Facebook and Google, which were tricked into paying $100 million to unknown attackers between 2013 and 2015. The attackers sent the two companies a series of fake invoices by email while impersonating one of their vendors, Quanta.
In a more recent incident, after a large organization in the U.S. was targeted by a ransomware attack, investigators from Sophos, a cybersecurity company, found that three months before the attack, a worker had received a phishing email that appeared to be sent by a colleague. The email carried a malicious web link that enabled the attackers to steal the access credentials for the Domain Admin account. Though the company’s IT team responded quickly and shut down the phishing attack, they couldn’t stop the attackers from secretly installing and running two tools on the victim’s computer: Cobalt Strike (which allowed them to remain in the network) and PowerSploit PowerView (which helped them perform network reconnaissance). After the original attacker found a buyer for this access, the new attackers launched the REvil ransomware attack and demanded a ransom of $2.5 million.
Om Moolchandani, co-founder, CTO & CISO at Accurics, a cloud cyber resilience company, points out that email is the most dominant mode of communication. It crosses organizational boundaries and can carry malicious payloads, such as attachments and files. This unparalleled connectivity makes it a perfect tool for attackers to spread malware via files, spreadsheets, Word documents and PDFs.
Why Is Email Security Such a Challenge?
According to Trend Micro, 91% of successful cyberattacks begin with a spear-phishing email. The fact that attackers are still leveraging it reflects the gaps in the email security practices of most organizations. These gaps are made worse by concerns like cost, talent shortage, and fear of slowing down operations.
“For companies, implementing email security often seems to be a difficult and costly task. It requires you to find or train a specialist who will install and make the correct configuration of all mail systems, then select and purchase a product for the protection of corporate mail. The possible number of false-positive detections also scares many companies. A quick response to a message can be critical, and false positives slow the process down,” warns Roman Dedenok, Spam Analysis Expert at Kaspersky.
Lack of cybersecurity awareness among workers is another factor that makes securing email challenging for any organization. Attackers cleverly use topical subjects as clickbait to pique the interest of workers. The emails are often carefully crafted so that they appear legitimate. Many users fall for these tricks and end up clicking on malicious links or attachments that open the door to ransomware or other malware attacks.
“Even if an organization has a well-built technical system of echeloned defense, a person has always been and will remain an attractive target for socio-technical attacks, including phishing,” points out Pavel Kuznetsov, deputy managing director, cybersecurity technologies at Positive Technologies.
How Effective Are Your Email Security Solutions?
Though the human factor is a weak link, experts are not convinced of the efficacy of many email security solutions and their ability to flag phishing emails effectively. For instance, a 2020 report by BitDam shows “that email security systems such as Microsoft’s Office 365 ATP, G-Suite Enterprise and ProofPoint TAP have a miss rate of 20-40% for unknown threats on the first encounter.” They also found that 45% of threats can bypass one of these solutions. Also, these tools take 10 to 53 hours before protecting against threats they missed the first time. This means organizations are left unprotected against unknown threats daily.
Secure Email Gateways (SEG) that offer an all-in-one solution to block spam, phishing, and even malware from reaching workers’ inboxes also have their limitations. As per Tessian Limited, a security startup, SEGs can’t stop more advanced attacks like spear phishing. Attackers are increasingly using more sophisticated social engineering tricks to bypass them. Tessian’s findings show that most organizations have not implemented authentication tools such as Domain-based Message Authentication, Reporting and Conformance (DMARC), which makes it easier for attackers to spoof their domains, since receiving mail servers have no published policy telling them to reject mail that fails authentication.
Tips To Minimize Email Attacks
Phishing is one of the oldest techniques used by attackers. Experts believe cybersecurity awareness and training among workers can go a long way in mitigating risks from phishing emails.
“Phishing emails play on a person’s emotions, providing a level of incentive for opening a file or clicking on a link. Because of the psychological element, the risk associated with phishing emails is greatly reduced by ongoing user awareness training. And heuristically acting solutions such as sandboxes shouldn’t be forgotten,” said Kuznetsov.
Dedenok agrees that organizations should provide their staff with basic cybersecurity hygiene training and conduct simulated phishing attacks to ensure that they know how to distinguish phishing emails. “Companies should include mail authentication (SPF / DKIM / DMARC) in their systems and install a security solution, which will help to detect and prevent such attacks,” he adds.
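The DMARC gap Tessian describes and the SPF / DKIM / DMARC advice above can both be checked from a domain's own DNS records. The script below is an added example written for this article, not code from any of the companies or experts quoted. It parses SPF and DMARC TXT records and rates how exposed a domain is to spoofing: no DMARC record or a monitoring-only policy (p=none) leaves spoofed mail deliverable, and an SPF record ending in +all lets any sender pass. The domains and records are constructed sample data; in a real check you would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS resolver instead of reading them from the dictionary.

```python
"""Rate SPF and DMARC records for spoofing exposure (added example, constructed data)."""
import re

# Constructed sample TXT records for hypothetical domains; these are not real DNS lookups.
SAMPLE_RECORDS = {
    "example-strong.test": {
        "spf": "v=spf1 include:_spf.mail-provider.test -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example-strong.test; pct=100",
    },
    "example-weak.test": {
        "spf": "v=spf1 include:_spf.mail-provider.test ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-weak.test",
    },
    "example-missing.test": {
        "spf": "v=spf1 +all",
        "dmarc": None,  # no _dmarc TXT record published
    },
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a {tag: value} dict; None if absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def spf_all_qualifier(record):
    """Return the qualifier ('+', '-', '~', '?') of the terminal 'all' mechanism, or None."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' defaults to '+'


def assess_domain(spf, dmarc):
    """Return (rating, findings); rating is 'strong', 'weak' or 'exposed'."""
    findings = []
    exposed = False

    tags = parse_dmarc(dmarc)
    if tags is None:
        findings.append("no valid DMARC record: receivers get no policy for failing mail")
        exposed = True
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
            exposed = True
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC policy missing or unknown: p={policy!r}")
            exposed = True
        if "rua" not in tags:
            findings.append("no rua= address: aggregate reports are not being collected")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy is applied to only part of the mail")

    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        findings.append("no SPF record or no terminal 'all' mechanism")
        exposed = True
    elif qualifier == "+":
        findings.append("SPF +all: every sender passes SPF")
        exposed = True
    elif qualifier in ("~", "?"):
        # DMARC treats softfail/neutral as a non-pass, so this only matters to
        # receivers that evaluate SPF on its own.
        findings.append(f"SPF {qualifier}all: not a hard fail for non-DMARC receivers")

    rating = "strong" if not findings else ("exposed" if exposed else "weak")
    return rating, findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: (rating, findings)}."""
    return {domain: assess_domain(**recs) for domain, recs in records.items()}


if __name__ == "__main__":
    for domain, (rating, findings) in assess_all().items():
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```

The three ratings map to what a receiving server can do with a spoofed message: with p=reject (or quarantine) and an enforcing SPF record it can discard it, with p=none it can only report it, and with no record at all it has nothing to act on.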
Kuznetsov feels that organizations should treat email as one of the vectors through which attackers enter the network, and apply monitoring and controls accordingly, so as to reduce the likelihood that an attacker who gains access to any employee’s device or credentials can turn that foothold into real damage.
Machine Learning (ML) can also add teeth to email security efforts and enhance the efficacy of real-time scans in identifying key phishing indicators. By leveraging ML and contextual data, advanced behavioral analytics tools can recognize anomalies in emails within an organization more effectively and reduce the risk of spear-phishing or whaling.
The total number of email users worldwide is expected to grow to over 4.3 billion by the end of 2023, as per Radicati’s Email Statistics Report. The growing email user base and easy access to personal information online, combined with poor security hygiene and screen and email fatigue among users, have made spear-phishing campaigns highly effective. Positive Technologies research shows that email remains the primary method of spreading malware in attacks on organizations (58%). Though email security is a top priority for many organizations, stepping up employee awareness initiatives with a special focus on email security can go a long way in mitigating the associated risks.
Do you think greater employee awareness is the key to mitigating cyber-risks triggered by phishing emails? Let us know your thoughts in the comments below or tell us on LinkedIn, Twitter, or Facebook. We would love to hear from you!