
Why This Popular Email Security Strategy Fails Against BEC Attacks

Written by Jeff Rezabek | Mar 30, 2023

Attackers regularly leverage email to launch their attacks on the enterprise. As attackers adopt new tactics and technologies to exploit vulnerabilities, such as launching Business Email Compromise (BEC) attacks, enterprise organizations expect a sizable increase in the volume of advanced phishing attacks over the next 12 months.

Most security leaders leverage a defense-in-depth approach to email security to combat phishing threats. According to a recent study from Osterman Research, 80% of respondents use a combination of Security Awareness Training (SAT), Secure Email Gateways (SEG), and Multi-Factor Authentication (MFA) to try to combat phishing attacks. Unfortunately, while a defense-in-depth approach that combines technology and human insight is the right approach, the solutions used have limitations that cybercriminals use to their advantage.

This post explores the impact of these three email security solutions and how cybercriminals leverage their shortcomings to land successful attacks. 

Exploring the Impact of 3 Popular Email Security Tools 

Secure Email Gateways (SEG) 

Secure Email Gateways, or SEGs, are some of the most commonly used solutions to help defend against phishing attacks. While many SEGs are great at filtering out known threats by utilizing configurable rules and link and attachment scanners, attackers have discovered that SEGs aren't able to defend against advanced phishing attacks like BEC, which rely on text-based social engineering rather than malicious links or attachments to land in their target's inbox.

A November 14th article reports that a researcher was able to bypass a Secure Email Gateway defense using Multipurpose Internet Mail Extensions (MIME) headers to dupe its malware scanner into passing an email through. Our research concluded that SEGs only prevent 50% of the threats they encounter. 

Whether combined with a SEG or as a replacement, utilizing an email security solution that applies AI and ML will help security leaders efficiently and more accurately detect and remediate advanced phishing threats automatically. 

Multi-Factor Authentication (MFA) 

Multi-Factor Authentication (MFA) provides an extra layer of protection and can significantly reduce unauthorized access by requiring an additional login step. According to Osterman Research, 82% of respondents leverage MFAs as part of their email security strategy.  

While MFA can be a source of headaches for cybercriminals and impatient users alike, it isn't foolproof. Recently, it was reported that the APT29 group identified a vulnerability in the self-enrollment process for MFA in cases where employees had set up an account but never used it. The attackers were able to use a list of emails and guess the password of the dormant account to gain access to the victim's VPN.

Security Awareness Training (SAT) 

When it comes to effective email security, you can’t rely on technology alone. Educating your employees on the dangers of phishing and how to identify potential threats is just as important as deploying a phishing detection tool. Security Awareness Training is a critical component in a phishing prevention program as it empowers employees to become part of the solution. 

Even though many organizations are on the right path by including SAT in their strategy, they are missing a vital step: testing. Without testing your employees' ability to spot current phishing attacks and exposing human vulnerabilities, you could leave the organization open to attacks. Leveraging a Phishing Simulation Testing (PST) tool in conjunction with a SAT solution to launch relevant campaigns based on current attack trends will keep your employees vigilant in looking for suspicious emails.

Hardening Your Email Security 

Criminals will continue to launch sophisticated attacks through email and other communication platforms. While SEGs, MFA, and Security Awareness Training tools are popular technologies used in a defense-in-depth approach to email security, cybercriminals have already found ways to weaken these defenses. Organizations can use a solution like IRONSCALES, which combines AI-based phishing detection with human insight through a community of security admins, security awareness training, and phishing simulation testing to protect against advanced threats like Business Email Compromise attacks.

Download the latest Osterman Research report, "Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks," to learn more.