As the email phishing threat landscape continues to rapidly evolve, understanding the totality of the email security and anti-phishing universe can be difficult for even the savviest of enterprise buyers. That’s because, for many years, organizations believed that they could adequately reduce cyber risk by simply deploying secure email gateway (SEG) technology along with anti-spam filters and basic employee security awareness training.

Up until 2014 or so, this sentiment was more accurate than not. But then the landscape started to change. Phishing transformed into spear-phishing, followed closely by the introduction of malware and ransomware into the mainstream. The emergence of social engineering, including Business Email Compromise (BEC), added additional complexity, now overburdening both human and gateway controls.

In response to the rising threats, email security solutions and anti-phishing tools began to evolve. Legacy signature-based tools built on YARA rules began to have their value propositions challenged by smart, self-learning technology built on artificial intelligence (AI), machine learning (ML) and automated incident response. This new generation of email security technology promised to accelerate the time from incident discovery to organization-wide remediation.

This convergence of more frequent and sophisticated phishing threats with more advanced cybersecurity solutions and services significantly increased the complexity of the anti-phishing ecosystem, making it increasingly difficult for security specialists to quantify and qualify email risks and emerging solutions versus legacy controls.

The 10 most common tactics deployed to defeat email security controls

In an attempt to declutter the ambiguity around domain vernacular and to bring clarity to the buying process, we’ve developed this four-part blog series to help readers better understand and make sense of the tactics, techniques, standards, protocols, technology and solutions that comprise the email phishing threat landscape.

This first blog post explains the differences between the 10 most common phishing tactics including:

  • Account takeover - Most commonly deployed by financially motivated attackers, account takeover occurs when an adversary obtains - either through legal or illegal actions - a person’s legitimate login credentials to a website, server or application, enabling them to commit various types of financial fraud.
  • Advanced Persistent Threat (APT) - An APT refers to a sophisticated hacker, cybercrime outfit or nation state exploiting multiple threat vectors, including email, for both reconnaissance and exploitation purposes. The method is commonly used as a means to gain unauthorized access to networks, servers or devices.
  • Credential Harvesting - A highly common phishing tactic where attackers will attempt to lure a recipient into entering their password or other compromising log-in information, usually via a web page. This is most often deployed via spear phishing.
  • Financial Fraud – Similar to credential harvesting, except that instead of trying to get someone to enter their password, the attacker’s goal is to get the recipient of the phishing email to enter compromising info that can later be used to steal money. This can include bank account information, credit card numbers, social security numbers and more.
  • Malware - Otherwise known as malicious coded software, malware is commonly deployed via email and is used to disrupt or destroy networks, servers and devices. Examples of malware include Trojan horses, spyware, adware and viruses.
  • Phishing - Delivered via phone, text, email or social media, phishing is the oldest yet most prominent tactic in which criminals attempt to trick an unsuspecting recipient into taking an action, such as wiring money. It is estimated that phishing accounts for nearly 90% of all cyberattacks worldwide.
  • Ransomware - An increasingly popular malware strain, ransomware encrypts the victim’s data and then demands a sum of money (to be paid in bitcoin) in order to receive the decryption key. The criminal typically makes a threat to release the victim’s data to the internet and/or dark web if payment isn’t made. The Justice Department reports more than 4,000 ransomware attacks per day in the U.S. alone.
  • Social Engineering - Growing in popularity, social engineering occurs when an attacker uses psychological manipulation to trick a person or company into taking an action, such as providing login credentials, paying a fraudulent invoice or sharing personally identifiable information (PII), such as a social security number. According to Verizon, social engineering now occurs in almost 60% of phishing attacks.
  • Spam - These junk and unsolicited email messages have historically been more annoying than risky. However, spam is increasingly viewed as a cybersecurity threat due to inattentional blindness, which occurs when individuals fail to perceive an unexpected change in plain sight.
  • Spear-phishing - The main difference between phishing and spearphishing is that spearphishing targets specific people and/or organizations with an ask to complete a specific task, such as downloading an attachment or clicking on a link, while phishing is often distributed at random to widespread audiences. Oftentimes, engaging with the payload enables adversaries to access the information needed to institute a major cyberattack.

Our next blog post in this series will explore both the most common and trending phishing techniques around the world, such as Business Email Comprise (BEC), CEO spoofing, typo-squatting and much more. In the meantime, click here to learn more about IRONSCALES’ self-learning email security platform, including how we use advanced technologies to stop these tactics from hitting inboxes in the first place.

Eyal Benishti
Post by Eyal Benishti
February 15, 2021