No matter how many messaging and collaboration apps clutter the enterprise space, most (if not all) employees will continue to use email. Cybercriminals know this, and they're increasingly leveraging this reliance to their advantage, finding new ways to bypass protective measures.
Bob Adams, cybersecurity expert at Mimecast, explains how email-based threats have evolved. "It's important to understand the history of these attacks to understand where they're going," he says. Older phishing scams were easy to detect, with poor spelling and grammatical mistakes. The people who fell for them were likely to give attackers what they wanted.
"One of the reasons it was so successful is it was targeted in a way that intelligent people wouldn't respond," he says. Today's threat actors have resources to make their attacks credible to a broad range of victims. Now, the people who could recognize obvious phishing scams are getting hit with spearphishing attempts and business email compromise (BEC) attacks.
In its Email Security Risk Assessment (ESRA), Mimecast passively scanned 95.9 million emails that went through email security systems and were received by a business email management portal. The ESRA caught 14.2 million spam messages (5.1 million rejected; 9.1 million quarantined), nearly 10,000 dangerous file types, 12,500 malware attachments, and 23,000 impersonation attacks.
Spam is annoying, sure, but most people know what it looks like and it isn't lethal. Impersonation attacks, on the other hand, are sneaky. "What's making these attacks even easier and have higher ROI is the sheer amount of information publicly available on every company and individual within its top ranks," says Wickr CEO Joel Wallenstrom.
"All attackers need to do is pick a target; tailor messaging based on data gleaned from Facebook, LinkedIn, obscure data brokers, and exposed PII databases; and voilà, the scam works as intended," he adds. Business email compromise has become a hugely profitable industry, generating $5 billion in profit and categorized by the FBI as a separate crime type starting in 2017.
"What we're seeing more and more is spearphishing attacks, hearing much more of attackers using social engineering in a variety of different ways to get people to give up their account credentials," says Reena Nadkarni, group product manager at Google.
BEC attacks rely on simplicity, credibility, psychology, and urgency to convince victims to act, Adams points out. They won't use too many details: "It was great talking to you the other day" is more likely to convince a target than "It was great meeting you at Starbucks last Wednesday." Attackers may capitalize on employees' hesitation to question managers. "I can't talk right now, but I need you to do this immediately" is another line they may send a BEC target.
Of the 12,500 malware attachments that bypassed email security systems in the ESRA test, 11,653 contained known malware and 849 contained unknown malware. Failing to detect unknown malware in an email can be hugely detrimental because most common antivirus systems won't notice it, and an attacker can gain or extend their presence on the network.
Can Email Security Keep Up?
Major email providers Microsoft and Google have been stepping up to build stronger security into their platforms. Nadkarni explains how the evolution of cyberattacks has made email security a challenge; now, attackers are spoofing websites and creating lookalike domains.
"What's interesting about some of these emails is they don't have an attachment," she says. "Many of the traditional methods of being able to catch these just don't work."
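The BEC traits Adams describes (a borrowed executive name, vague familiarity, pressure to act now) and the lookalike domains Nadkarni mentions are exactly the signals a mail gateway can score without needing an attachment to inspect. The following is an added example, not code from Mimecast, Google or anyone quoted in the article: a small Python scorer that checks a message for display-name impersonation of a protected executive, a sender domain within a couple of edits of the company domain, a Reply-To that points elsewhere, and urgency phrasing. The company domain, the executive list, the phrase list and both sample messages are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organization profile (assumption): the domain to protect and the
# executives whose display names are most likely to be borrowed by a BEC message.
COMPANY_DOMAIN = "example.com"
PROTECTED_EXECS = {"jane doe": "jane.doe@example.com"}

# Pressure phrasing of the kind the article describes; constructed list.
URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bright now\b", r"\bcan't talk\b",
    r"\burgent\b", r"\bwire transfer\b", r"\bgift cards?\b",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot a domain one or two characters from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str, max_distance: int = 2) -> bool:
    """A domain that is close to, but not identical with, the legitimate one."""
    return domain != legit and edit_distance(domain, legit) <= max_distance


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )


def score_message(raw: str):
    """Return (score, reasons); each impersonation or pressure signal adds one point."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    sender_domain = _domain(addr)
    reasons = []

    # 1. Display name of a protected executive, but the address is not theirs.
    if name in PROTECTED_EXECS and addr != PROTECTED_EXECS[name]:
        reasons.append(f"display name '{name}' used with foreign address {addr}")

    # 2. Sender domain is a near-miss spelling of the company domain.
    if is_lookalike(sender_domain, COMPANY_DOMAIN):
        reasons.append(f"lookalike sender domain {sender_domain}")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    reply_to = _domain(parseaddr(msg.get("Reply-To", ""))[1].lower())
    if reply_to and reply_to != sender_domain:
        reasons.append(f"Reply-To domain {reply_to} differs from sender domain")

    # 4. Pressure language in the body.
    body = _body_text(msg)
    hits = [p for p in URGENCY_PATTERNS if re.search(p, body, re.IGNORECASE)]
    if hits:
        reasons.append(f"urgency phrasing: {len(hits)} pattern(s) matched")

    return len(reasons), reasons


# Constructed sample messages for the demonstration (not real traffic).
SUSPECT = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.net
To: accounts@example.com
Subject: Quick favor

It was great talking to you the other day. I can't talk right now,
but I need you to do this immediately.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Meeting notes

Here are the notes from Wednesday's meeting. No rush on reviewing them.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        score, reasons = score_message(raw)
        print(label, score, reasons)
```

Run stand-alone, the suspect message scores 4 (all four signals fire) and the benign one scores 0. In a real gateway the threshold and the phrase list would be tuned against the organization's own mail, and the domain check would typically also cover registered-lookalike lists and homoglyphs rather than edit distance alone.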
Google recently added a few new Gmail security features as part of a broader redesign. Users can protect sensitive content by creating expiration dates for their messages or revoking sent messages before or after they're viewed. Recipients may be required to provide additional information to view messages, a measure intended to protect data even if the receiving account was hacked.
Microsoft, to its credit, has also added new security features to its email platform. However, some security experts note there's much more to be done on the data security front. Gmail's confidential computing is "a step in the right direction," says Wallenstrom. Users have to remember to set a data expiration for each email, and it only applies on the recipient's end; he points out that minimizing the data retained in the sender's account as well would add helpful protection.
Adams says "it's a little bit late and it's also, in my mind, a little bit lacking," with respect to the recent Gmail updates, specifically referring to enterprise security. It might be good for smaller businesses, he says, but for major corporations "I don't see it being secure and effective enough at this time."
Eitan Bremler, vice president of product at Safe-T, points out that Exchange is still limited by file size (unless you send via OneDrive) and has no integration with data loss prevention (DLP) and antivirus (AV) software. With Gmail, he's concerned about a lack of advanced security functions like file encryption and DLP or AV integration.
"While hackers have grown more sophisticated and created more nuanced ways of getting into emails, email technologies themselves have not evolved much from a technology perspective over the last 20 years," Bremler says.
What Businesses Can Do in the Meantime
To improve email security, Wallenstrom advises businesses to make security and data minimization a default, "something that employees don't have to opt into each time they communicate," he says. Further, enforcing a business-wide policy that bans sending valuable data — financial information, business intelligence — via email would also help build security hygiene.
"What surprises me is even today, a large number of administrative accounts don't have two-factor authentication," says Nadkarni. "If you have admin accounts in any system and that's compromised, that's a huge deal."
She also advises businesses to look into security keys. "That makes such a huge difference," she explains, noting that even multifactor authentication codes can be phished. "To introduce an element of physical security, that changes the game quite a bit."
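Nadkarni's point that one-time codes can be phished while security keys change the game comes down to what the server actually verifies. The simulation below is an added example, not Google's or any vendor's implementation: it implements RFC 4226 HOTP / RFC 6238 TOTP as a real server would check it, then contrasts that with a deliberately simplified model of a security key whose signed data includes the origin the browser reports (as WebAuthn's clientDataJSON does). The two origins, both secrets and the HMAC stand-in for the key's signature are constructed assumptions; a real authenticator uses a per-site keypair scoped to the relying party, which is stricter still.

```python
import hashlib
import hmac
import os
import struct

# Constructed origins for the simulation: the real login page and a one-character lookalike.
REAL_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.examp1e.com"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


def server_verify_otp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The server only checks that the six digits are right for this time window.
    Nothing in the code records which web page the user typed it into."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def authenticator_assert(key_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Simplified stand-in for a security key's assertion (assumption): the signed data
    covers the challenge and the origin the browser reports. HMAC replaces the real
    per-site keypair signature purely to keep the simulation short."""
    return hmac.new(key_secret, challenge + browser_origin.encode(), hashlib.sha256).digest()


def server_verify_assertion(key_secret: bytes, challenge: bytes, assertion: bytes) -> bool:
    """The real server checks the assertion against its own origin and the challenge it issued."""
    expected = hmac.new(key_secret, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def simulate(unix_time: int = 1_700_000_000):
    """Returns (otp_accepted_from_lookalike, key_accepted_from_lookalike, key_accepted_from_real)."""
    otp_secret = b"constructed-shared-totp-secret"      # constructed demo secret
    key_secret = b"constructed-per-site-key-material"   # constructed demo key

    # The code a user reads off their phone is the same string whether it is typed
    # into the real page or a lookalike page, so the server cannot tell them apart.
    code = totp(otp_secret, unix_time)
    otp_from_lookalike = server_verify_otp(otp_secret, code, unix_time)

    # A security key, by contrast, signs over the origin the browser actually shows.
    challenge = os.urandom(32)  # issued by the real server for this login attempt
    assertion_lookalike = authenticator_assert(key_secret, challenge, LOOKALIKE_ORIGIN)
    assertion_real = authenticator_assert(key_secret, challenge, REAL_ORIGIN)

    return (
        otp_from_lookalike,
        server_verify_assertion(key_secret, challenge, assertion_lookalike),
        server_verify_assertion(key_secret, challenge, assertion_real),
    )


if __name__ == "__main__":
    print(simulate())  # (True, False, True)
```

The tuple says it all: the server accepts the OTP no matter where it was entered, rejects the key's assertion when the browser was on the lookalike origin, and accepts it from the genuine one. That origin binding, not the physical form factor alone, is what makes security keys the "element of physical security" that resists credential phishing, and it is why pairing them with two-factor enforcement on administrative accounts closes the gap Nadkarni describes.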