Businesses Grow More Vulnerable to Email Attacks, Even with Improved Defenses
Editor's Note: This post can originally be found on the Agari Email Security blog.
By Patrick Peterson
Cybercriminals increasingly use new forms of identity deception to launch an email attack to target your weakest link: humans.
Call it a case of locking the back window while leaving the front door wide open. Throughout the last year, a number of reports have surfaced about sophisticated cyberattacks that are proving all too successful at circumventing the elaborate defenses erected against them.
Firewall? Check. Application security? Check. Endpoints? Those are covered, too. Yet despite the millions organizations spend each year on perimeter security, the bad guys are still winning. In 2018, cybercrime losses exceeded $2.71 billion in the United States alone.
But how can this be possible? How can businesses grow more vulnerable even as their defenses harden? As it turns out, 97% of organizations are failing to effectively leverage modern technology to protect against the number one target cybercriminals use to implement their schemes—human beings.
Indeed, whether it’s the Marriott breach that exposed the personal information of up to 500 million people or the 12 million patient records stolen through the Quest Diagnostics breach, cyberattacks tend to have one thing in common—they almost all involve identity deception perpetrated against specific individuals. And that means they almost always start with email.
Mission Impersonate for Data Access
The fact is, email is still the most popular tool for business communication and collaboration. But most email security systems are falling short in protecting organizations against fraud.
Today, up to 94% of data breaches start with an email reaching a well-placed target. And while you may think this number is excessively high, we’re not talking about the typo-laden phishing email attacks of the early 2000s.
Cybercriminals now produce flawlessly crafted messages capable of deceiving virtually anyone. They’ve also come to understand something far more critical to their success—you’re much more likely to be fooled into disclosing sensitive information or downloading dangerous malware if you’re reacting to a trusted colleague or someone you wish to impress.
Take the current trend in file-sharing email fraud. According to CSO, cyberthieves are increasingly leveraging information from social media to target corporate employees and then posing as colleagues and sending them file-sharing phishing emails from OneDrive and other popular cloud services.
Embedded links within the emails lead recipients to fake sign-in pages, where they’re prompted to enter their personal credentials. Attackers then leverage those credentials to hijack the real accounts of victims, where they can steal valuable information, access contact lists, and launch ever-more devastating attacks.
The problem is that most email security solutions can’t detect this kind of fraud because the login page is hosted on a compromised website with a good reputation.
Advanced Email Attacks: Personalized & Pernicious
Most identity deception-based email attacks increasingly follow a similar playbook. First, they leverage popular cloud services in order to make infrastructure reputation less reliable. After all, it’s not as if organizations can simply blacklist the likes of Google or Microsoft, since they also send a large amount of legitimate email.
Second, they appear to come from identities and brands the target trusts. Think simple display name ploys, where fraudsters insert a trusted identity within the “from” field within Gmail and Yahoo so it appears to be legitimate. Or domain spoofing, which involves displaying a legitimate email address, which is possible when organizations do not secure their brands from cybercriminals. But that’s not all.
In a look-alike domain email attack, criminals substitute say, “invoices-acme.com” for an actual domain, like “acme.com,” to send fraudulent invoices. And then there are account takeover attacks, which originate from legitimate (but compromised) accounts and are notoriously difficult to detect since there is little indication that the emails are not who they say they are from.
Whatever the technique, the highly personalized messages within these emails are designed to be indistinguishable from everyday business email—rendering traditional content analysis ineffective. The goal is to manipulate the recipient into taking some action or disclose some piece of information that they assume will be safe, and unfortunately, they are more successful than we’d like.
Stemming the tide of such attacks won’t be easy.
Securing the New Perimeter Against Phishing Attacks
Security awareness and phishing training can help employees detect some of these new forms of email attacks. But the quality and sheer volume of new email schemes mean that will only go so far.
And yes, Domain-based Message Authentication Reporting and Conformance (DMARC)protocols can help stop domain spoofing and brand hijacking. But 97% of companies have yet to set up policy parameters to optimize effectiveness. But even then, this doesn’t protect against all the attacks that target employees and partners.
It’s also unclear how many organizations are deploying machine learning technologies with the kind of modeling and analytics capabilities needed to go beyond content analysis and infrastructure reputation to assess people, relationships, and behaviors and put an end to the identity deception-based email attack.
As it stands now, there probably aren’t enough of them. Cybercrime is only continuing to increase as criminals become smarter, so we must be prepared to take a stand against them. All this to say, we better hope more organizations move beyond just securing that “back window” on the perimeter—and stop the endless stream of identity-based email attacks flowing through their front door.
To learn more about identity deception and the rapidly evolving threat from email attacks, download our report on the latest trends in email fraud.