
It’s well known that a good security strategy calls for layers of protection to thwart bad actors from quickly accessing sensitive data. While many organizations have a secure email gateway deployed to catch threats with malicious links and attachments, many criminals have discovered that they can use various strategies to get through those systems and land in the victim’s inbox. 

Below are some threats that could be lurking in your inbox.

3 Phishing Threats Lurking in Your Inbox

BEC 

Business Email Compromise (BEC) is a phishing technique where the threat actor hacks into email accounts or creates an email domain that looks nearly identical to the target organization’s email domain. Many times, threat actors will pose as a vendor looking for payment or as an employee. 

One recent BEC attack targeted companies in the real estate space to get recipients to click a malicious link and enter their credentials.  
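One way an email audit could flag the near-identical sender domains described above. This is an added example, not IRONSCALES code; the protected domains, sender addresses, and distance threshold are constructed assumptions.

```python
# Added example: flag sender domains that nearly match a protected domain.
# PROTECTED holds constructed placeholder domains (assumption, not from the post).
PROTECTED = ("example-corp.com", "examplevendor.net")

# Common ASCII look-alike substitutions, collapsed before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Lowercase the domain and collapse look-alike character sequences."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender: str, max_distance: int = 2):
    """Return (verdict, matched_protected_domain) for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in PROTECTED:
        return ("trusted", domain)
    for good in PROTECTED:
        if skeleton(domain) == skeleton(good):
            return ("lookalike-confusable", good)
        if edit_distance(skeleton(domain), skeleton(good)) <= max_distance:
            return ("lookalike-typo", good)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sender addresses for illustration.
    for s in ("billing@example-corp.com", "billing@exarnple-corp.com",
              "ap@examp1e-corp.com", "ap@examplevender.net",
              "news@unrelated-shop.org"):
        print(s, "->", classify(s))
```

The threshold of 2 is an assumption; short domains need a tighter limit to avoid false positives, and internationalized (punycode) domains are not handled here.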

Spear Phishing 

While general phishing threats are built to be sent en masse to maximize the potential for success, spear phishing attempts are highly targeted attacks aimed at a specific individual or organization.

Whaling 

Whaling threats, like spear phishing emails, are highly personalized phishing emails. However, these threats target the senior leadership of an organization to access highly confidential information and accounts for financial gain. 

Due to the potential for larger payouts, cybercriminals conduct research to learn about the target—C-suite, board members, or another high-ranking executive—by combing through their social media accounts. Once they have the information, these bad actors will send a phishing email posing as another high-ranking executive or a vendor requesting payment.  

Tips for Decreasing Phishing Risks 

Audit your email environment 

If you don’t have an email security tool in place, are leveraging a traditional SEG, or are utilizing AI-only solutions, then run an audit of your organization’s email environment to discover the threats that have slipped past those barriers and landed in your employees’ inboxes.

The audit provides you with visibility into the threats that are getting through your defenses and can also identify individuals and opportunities to improve training targeted directly at those most vulnerable. 

Leverage adaptive email security solutions 

Not all phishing emails start maliciously. In fact, a popular strategy for bypassing pre-inbox solutions is to send emails with time-detonated links and attachments. After the SEGs categorize the email as safe and the email lands in the recipient’s inbox, the links are weaponized.  

The unfortunate reality is that when cybercriminals encounter a barrier, they will change their strategies, leverage new tools, and seek advice from other bad actors to overcome the obstacles. Your email security solution should use multiple approaches to learn how to detect, classify, and remediate emerging threats. 

Educate Employees 

Since threat actors change their phishing techniques, the training that your employees received may not be as relevant as it once was. To keep training relevant, conduct regular security awareness training sessions and frequently launch phishing simulation campaigns to identify additional training opportunities and phishing vulnerabilities. 

Sign up for a free 90-day scan back of your organization’s email environment to see what threats are lurking in your mailbox.

Post by Jeff Rezabek
November 29, 2022