Ever since email went mainstream, hackers and spammers have been bombarding inboxes with unwanted messages, phony ads, fraudulent links and viruses. And every time internet service providers (ISPs) and security vendors devise tools and techniques to eliminate or reduce the threats, fraudsters have found new ways to get around the newly created defenses. This has remained true since the time of spam mitigation in the early 2000s to the business email compromise (BEC) protection challenges of today.
At a time when email has solidified itself as a critical channel for business communications, threats are growing, with 9 out of 10 cyberattacks continuing to begin with email phishing. As such, email security, too, must continually evolve. According to Radicati Group, there are more than 235 billion emails sent around the globe per day, with more than half of those to or between businesses. In fact, the average business email user receives more than 90 emails per day, although nearly a quarter of those are spam.
While email security solutions continue deploying threat detection technology built mainly on rules and signature-based filters, IRONSCALES is pioneering the use of big data, machine learning and artificial intelligence to detect and respond to phishing messages with or without malicious payloads. We recognized years ago that advanced phishing threats would require a combination of security awareness training and machine intelligence working as one at all times, not in silos.
Such recognition of the email phishing threat landscape is how IRONSCALES evolved from a startup into a high-growth-stage security leader in just a couple of years. As we continue to progress with our anti-phishing technology, here’s a look back at how we got to where we are today.
Generation 1: Filtering Out Spam & Viruses (Late 1990s through 2012)
When email became popular in the 1990s, there were few security standards and people could send and receive messages with little accountability or verification. In this era, spam bombarded inboxes with promotions for porn sites and products like Viagra. Fraudsters also started creating fake brand ads and registering domain names that were very similar to legitimate companies with household names.
ISPs and security providers at the time treated unwanted emails more as a nuisance than as a threat. But by 1996, AOL started using the term “phishing” to warn about hackers that were creating phony AOL accounts to lure people into providing sensitive information. Those early days of phishing were akin to a Wild West environment where lone criminals frequently tried and tested new attacks.
In response to the cluttering of their customers’ inboxes with irrelevant emails, ISPs began using simple filters that looked for keywords and special patterns. At this point, the strategy was mainly to identify obvious spam messages and send them to the spam folder to reduce the risk that email users would respond or fall for a scam. SPF (Sender Policy Framework) also started to gain adoption around 2009, and DomainKeys Identified Mail (DKIM) was introduced for email authentication.
By 2010, Symantec estimated 88 percent of the worldwide email traffic volume was spam. The next generation of email filters supported blacklists and whitelists with basic attack signature detection capabilities. These new measures put email users in greater control of their mailboxes with more sophisticated filtering features. ISPs were also able to tap into engagement metrics to better determine what emails users want to receive, enabling them to more effectively divert or block spam and scams.
Domain-based Message Authentication, Reporting and Conformance (DMARC) came about in 2012 and within one year it was protecting 60 percent of the world’s mailboxes. By the end of the same year, however, phishing had surpassed $500 million in damages and grown from 176 unique attacks in all of 2004 to 28,000 unique attacks in December of 2012 alone.
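The three authentication layers named in this section (SPF, DKIM and DMARC) fit together as a decision procedure: SPF says whether the sending IP is authorized for the envelope sender's domain, DKIM says whether a signature from some domain verified, and DMARC checks that at least one of those passing identifiers aligns with the visible From: domain and, if not, applies the policy the domain owner published. The following is an added example written for this page, not IRONSCALES code; it implements that procedure against a small constructed table standing in for DNS TXT records (`DNS_TXT`), supports only the `ip4`, `include` and `all` SPF terms, and approximates the organizational domain with the last two labels (`org_domain`) where real receivers consult the Public Suffix List. The DKIM result is passed in as an input rather than computed, since signature verification is outside this example.

```python
# Added example, not IRONSCALES code: a minimal SPF + DMARC evaluator showing how
# the authentication layers described above reach a verdict. All DNS records,
# addresses and messages below are constructed; nothing is looked up on the network.
import ipaddress

# Constructed stand-in for DNS TXT lookups.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "_dmarc.partner.example": "v=DMARC1; p=none",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.
    Handles ip4, include and all, enough to show the pass/fail logic;
    a real evaluator also handles a, mx, exists and macros."""
    if depth > 10:                       # RFC 7208 caps include recursion
        return "permerror"
    txt = DNS_TXT.get(domain.lower())
    if not txt or not txt.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in txt.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(client_ip, term[8:], depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                     # nothing matched and no all term


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def org_domain(domain):
    """Organizational domain, crudely approximated by the last two labels
    (assumption for this example; production code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(from_domain, client_ip, mail_from_domain, dkim_result, dkim_domain):
    """Combine SPF and DKIM with alignment and return the receiver's action:
    'pass', or the published policy ('none', 'quarantine', 'reject')."""
    txt = DNS_TXT.get("_dmarc." + from_domain.lower()) or DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if not txt:
        return "none"                    # no policy published
    rec = parse_dmarc(txt)
    if rec.get("v") != "DMARC1":
        return "none"
    spf_ok = (spf_check(client_ip, mail_from_domain) == "pass"
              and aligned(from_domain, mail_from_domain, rec.get("aspf", "r")))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return rec.get("p", "none")


if __name__ == "__main__":
    # Legitimate mail from the corporate relay: SPF passes and is aligned.
    print(dmarc_verdict("example.com", "192.0.2.10", "example.com", "none", ""))          # pass
    # Spoofed From: header sent from an unrelated host: nothing aligned passes, policy is reject.
    print(dmarc_verdict("example.com", "203.0.113.7", "attacker.example", "none", ""))   # reject
    # Partner publishes p=none, so a failure is only reported, not blocked.
    print(dmarc_verdict("partner.example", "203.0.113.7", "partner.example", "fail", ""))  # none
```

The `p=none` case is worth noting for defenders: a published DMARC record with a monitoring-only policy gives the domain owner reports but does not stop a receiver from delivering a spoofed message, which is why the coverage figure quoted above says nothing about how many of those mailboxes were actually enforcing a policy.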
Generation 2: Phishers Bait Emails Using Links & Attachments (2012 – 2016)
The second generation of email security came about in response to spear-phishing, in which attackers deployed phishing messages with links and attachments in order to trick recipients into downloading and inadvertently installing malicious code.
Such advanced phishing techniques could not be stopped by spam filters, so secure email gateways (SEGs) featuring AV scanners, sandboxing and threat emulation to detect malicious links and attachments in real time gained in popularity. Around this time, employers also started training their employees to better identify phony emails and requests. They invested heavily in phishing awareness training to turn their front-line staff into internet security detectives.
One of the unintended consequences of more awareness was that security operations center (SOC) teams became increasingly burdened with false positives. In fact, SOC teams became overwhelmed investigating the sheer volume of incidents and often spent too much time digging through piles of reports while dangerous threats slipped through the cracks and took longer to remediate.
By the end of 2016, spear-phishing was costing organizations approximately $1.5 million per incident, while SOC teams could only handle up to 8 incidents per day.
Generation 3: Business Email Compromise & Ransomware Heighten Risk (2017 – Present)
Cybercriminals responded to the increased employee awareness and SEG technology by employing new BEC attack strategies that deployed more messages without files and links, which are very difficult for SEGs and humans to identify. By gaining control of a superior or co-worker’s email, attackers could target others in the company to solicit sensitive information that would enable them to perpetrate fraudulent transfers. Adversaries also started doing more homework and creating highly targeted spear-phishing attacks to deliver ransomware, which hit an estimated 56 percent of all businesses worldwide in 2017.
Presently, to support business email compromise protection, the third generation of email security is emerging, in which humans and machines constantly work together to prevent, detect and respond to advanced phishing threats. As a pioneer of this generation, IRONSCALES has deployed a bottom-up approach to email security, using machine learning algorithms and deep scans inside the mailbox itself to understand what normal and trusted email communications look like. By having visibility into the mailbox, even the most sophisticated phishing attacks – the ones like ransomware and BEC that bypass both humans and gateway security – can now be stopped after delivery. This not only reduces risk but also alleviates the burden on SOC teams by supporting decisions and automating and orchestrating workflows.
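The point of a mailbox-level baseline is that a BEC message with no link and no attachment still has to come from somewhere, and the sender's display name and address can be compared with what that mailbox has historically seen. The following is an added example written for this page, not IRONSCALES code and not a description of its machine learning models; it is a deliberately simple heuristic stand-in that learns which display-name/address pairs and which domains a mailbox trusts from a constructed message history (`HISTORY`) and then scores new senders for two patterns (a familiar name arriving from a new address, and a domain one edit away from a trusted one) that need no payload to detect. The function names and the Levenshtein threshold of one edit are assumptions made for the example.

```python
# Added example, not IRONSCALES code: a simplified stand-in for the mailbox-level
# baseline described above. It learns which display name / address pairs and which
# domains a mailbox normally sees, then scores new senders for the patterns BEC
# relies on (a familiar name from a new address, a lookalike domain) without
# needing a link or attachment to inspect. History and inputs are constructed.
from collections import defaultdict

# Constructed history: (display name, address) pairs from past trusted mail.
HISTORY = [
    ("Dana Reyes", "dana.reyes@example.com"),
    ("Dana Reyes", "dana.reyes@example.com"),
    ("Sam Okafor", "sam.okafor@example.com"),
    ("Accounts Payable", "ap@vendor-corp.example"),
]


def build_baseline(history):
    """Map each lowercased display name to the set of addresses it has used,
    and collect the set of trusted sending domains."""
    names = defaultdict(set)
    domains = set()
    for name, addr in history:
        addr = addr.lower()
        names[name.strip().lower()].add(addr)
        domains.add(addr.split("@", 1)[1])
    return names, domains


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as
    examp1e.com versus example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(display_name, address, baseline):
    """Return (severity, findings) for an incoming sender.
    severity is 'ok', 'low' or 'high'; findings explains why."""
    names, domains = baseline
    name_key = display_name.strip().lower()
    address = address.lower()
    domain = address.split("@", 1)[1]
    findings = []
    # Familiar name, unfamiliar address: the superior/co-worker impersonation pattern.
    if name_key in names and address not in names[name_key]:
        findings.append(f"display name '{display_name}' previously seen only from {sorted(names[name_key])}")
    # Domain one edit away from a trusted domain: typosquat / lookalike (threshold is an assumption).
    if domain not in domains:
        for trusted in sorted(domains):
            if edit_distance(domain, trusted) == 1:
                findings.append(f"domain {domain} is one edit away from trusted domain {trusted}")
    if findings:
        return "high", findings
    known_addresses = {a for addrs in names.values() for a in addrs}
    if address not in known_addresses:
        return "low", ["first-time sender"]
    return "ok", []


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for name, addr in [
        ("Dana Reyes", "dana.reyes@example.com"),           # ok
        ("Dana Reyes", "dana.reyes@webmail-free.example"),  # high: impersonation
        ("Sam Okafor", "sam.okafor@examp1e.com"),           # high: impersonation + lookalike
        ("New Vendor", "sales@other-corp.example"),         # low: first-time sender
    ]:
        print(name, addr, assess_sender(name, addr, baseline))
```

Because the baseline is built per mailbox from mail that was already delivered and trusted, a finding here is a post-delivery signal: it can drive an automated quarantine or a prompt to the recipient, which is the workflow the paragraph above describes, rather than a gateway decision made before the message is seen in context.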