Email is essential for business, yet it is more difficult than ever to protect users from threats like phishing, business email compromise and malware. In our most recent CISO Benchmark Study, we learned that 62 percent of Chief Information Security Officers (CISOs) in Asia Pacific surveyed felt that defending against user behaviors, such as clicking a malicious link in an email, is very or extremely challenging, higher than the global average of 56 percent. But only 40 percent of those surveyed in Asia Pacific currently use email security as part of their threat defenses, even while reporting it as the top threat vector putting their organizations at risk.
You could argue that email is structured in an almost ideal format for scammers. Email forces the user to read and make assessments about what they receive and then make decisions as to what they open or click as a result. Just the right amount of social engineering, exploiting the individual’s good nature, can push the user to action.
It is this social engineering that not only makes it an enticing delivery vector, but also so challenging to systematically defend. Rarely, if ever, does an email-borne attack bypass the user. While things like URLs leading to compromised or malicious websites utilizing exploit kits are common, they still rely on coercing the user into clicking on a link in an email first.
Some common email attack types that organizations need to be prepared for are Office 365 phishing, where the email appears to come from Microsoft. It says that your Office 365 email address will be disconnected due to errors or policy violations and the only way to prevent this from happening is by verifying the address at the provided link. However, the site is fake. Once the scammers have your credentials, they may try to log into other Microsoft related services, as well as harvest your contacts. One common technique is to log into your email account and send your contacts an informal email (e.g., Subject: FYI) that includes another phishing URL.
It’s not just Office 365 that is being targeted either. Similar phishing attacks have been observed against other cloud-based email services such as Gmail and G Suite, Google’s cloud email offering. Given the prevalence of Google accounts, and how they are leveraged across the Internet to log into various websites, it is no surprise that attackers have created phishing sites in this arena as well.
Business email compromise (BEC) is another example of a common email attack type and one of the most lucrative types that organizations experience, suffering billions of dollars in losses. BEC scams are a form of email fraud where the attacker masquerades as a C-level or above executive and attempts to trick the recipient into performing their business function, for an illegitimate purpose, such as wiring them money. With many executives on social media platforms today, attackers can easily social engineer their profile and craft tailored attacks to make the email seem legitimate.
Malware in email has also evolved. While it used to be more prominent, with .exe files attached directly to emails, malware is much more likely to be served indirectly, either through less suspicious attachments like commonly used business documents or by URLs contained within the message body nowadays—all of which are items frequently sent in regular, valid email communication. The idea here is to get past traditional email scans that would catch and quarantine a binary file or other infrequently distributed attachments.
As more and more organizations opt to have their email services hosted in the cloud, on-site, dedicated email appliances appear less necessary, with some IT teams assuming they can go without. However, while many cloud email services provide basic security features, the need for layered protection can’t be stressed enough.
With email being a necessity in all business communications, it is essential that businesses big or small have the right mix of a user education program and cybersecurity technology to ensure a layered security defense. Failure to do so means falling victim to cryptomining, having one’s credentials stolen, or, if one were to fall for the wrong socially engineered scam, out of large sums of money.
A layered approach to security is therefore critical in defending your organization from email-based attacks. Traditional approaches like spam blockers, malware and URL blockers and integrated sand-boxing remain must-haves. There are also new technologies like DMARC, machine learning, email remediation and several others that will help all organizations keep up with the always changing email threat landscape.
At the end of the day, education is the best weapon. Training users to recognize such scams can go a long way to reduce their impact. Some approaches that can be taken to reduce the risk that email threat pose include:
- Running regular phishing exercises to teach employees how to recognize even highly tailored and sophisticated phishing attempts and report them
- Use multi-factor authentication to prevent attackers from gaining access to accounts
- Keep software up to date – email gateways, apps, operating systems, browsers, plug-ins; just make time to patch
- Never wire money to a stranger – set up strict policies that require high-ranking authorization of wire-transfers; have a designated secondary signature requirement
- Stop and think – does the message in the email sound technically plausible? Does the pitch make sense? Are there holes in the requester’s story?
- Users – check the sender’s email address against the message signatory – do they match? If not, don’t touch it!
While the flexibility, productivity and cost savings benefits of cloud apps have fueled widespread adoption of multi-cloud across Asia Pacific, organizations are challenged to deal with its fragmented nature, increasing complexity, and lack of control when it comes to data, policy, and security. It is important to understand that some businesses will never go to 100 percent cloud deployment or have interest in doing so. Businesses need to constantly think about security across three aspects–email, web and endpoints-to ensure that they are protected at all points of their digital transformation journey.
