These mailboxes are where emails are automatically sent to organizations that have SOAR solutions (i.e., suspicious emails are automatically quarantined here rather than requiring any action by users).
Most commonly deployed by financially motivated attackers, account takeover occurs when an adversary obtains - either through legal or illegal actions - a person’s legitimate login credentials to a website, server or application, enabling them to commit various types of financial fraud.
Accidental data exposure occurs when sensitive information becomes accessible to those not meant to see it, often due to oversight or errors. Unlike deliberate data breaches, this exposure happens without malicious intent, typically stemming from human mistakes or system misconfigurations.
An APT refers to a sophisticated hacker, cybercrime outfit or nation-state exploiting multiple threat vectors, including email, for both reconnaissance and exploitation purposes. The method is commonly used to gain unauthorized access to networks, servers or devices.
A specific type of anti-phishing employee training with the goal of educating employees about common types of phishing threats and reducing the number of incidents where an employee takes the bait left out by a threat actor.
AI in cybersecurity involves the application of artificial intelligence and machine learning algorithms to analyze vast amounts of data, detect patterns, and identify potential security threats in real-time, enabling organizations to proactively defend against cyber attacks and mitigate risks. It enables automated incident response, behavioral analysis, and adaptive defense mechanisms to protect sensitive information and strengthen overall cybersecurity posture.
A general phishing tactic that involves two or more separate emails, to steal sensitive information or data from unsuspecting victims. This type of phishing has become increasingly common and is a growing concern for both individuals and organizations.
As the newest and least utilized email authentication standard, BIMI intends to reduce fraudulent brand spoofing emails by visualizing a logo as a measure of authenticity. Compliance requires DMARC configuration with active “quarantine” or “reject” policies, a positive sender reputation, and a BIMI Assertion Record.
Brute force attacks are a type of cyberattack in which a threat actor uses automated software to generate a large number of possible passwords or combinations of characters in an attempt to guess the correct password for a given system or service. Brute force attacks are often used to target password-protected systems or accounts. The attacker's software will keep trying until the correct password is found.
Business email compromise (BEC) is a type of targeted phishing (spear phishing) in which a threat actor either accesses or mimics a genuine business email account to defraud the business. This tactic relies on exploiting the assumed trust that victims have in emails coming from what appear to be genuine sources. Often, these scams target employees working in financial departments or executives who have the power to transfer money from business accounts to bank accounts under the control of the threat actor.
CEO fraud (commonly referred to as VIP impersonation and in some cases ‘whaling’) is when an attacker successfully impersonates a company executive in order to gain sensitive information or coerce a financial transaction from targeted executives or employees. According to our research, VIP impersonations penetrate SEGs about 20% of the time.
Cloud email is a type of email service that is hosted and managed by a third-party provider. Instead of running their own email servers and software, organizations can use a cloud email service to handle all of their email needs. Cloud email services are typically accessed through a web-based interface, allowing users to access their email from any device with an internet connection. Cloud email services are often preferred over traditional on-premises email solutions because they are more scalable, flexible, and cost-effective.
A list of security vulnerabilities and exposure records that allow companies to better classify, identify and organize phishing threats with the goal of accelerated remediation.
Compliance monitoring involves the continuous surveillance, review, and analysis of organizational performance and risk indicators to ensure that policies, procedures, and regulatory requirements are followed, thereby safeguarding data, maintaining privacy, and preventing costly violations or interruptions caused by non-compliance.
Clone phishing is a type of cyberattack where attackers replicate legitimate emails and modify them to spread malware or steal sensitive information. It involves tricking recipients into believing the cloned emails come from trusted sources, leading them to click on malicious links or attachments.
An advanced technology that helps to prevent credential harvesting and PII leaks by looking at visual deviations from the norm common with fake web pages. By comparing the visual similarity of legitimate landing pages to spoofed ones, computer vision provides a critical additional layer of defense since they do not rely on simple pattern-matching technologies.
A computer security technology that removes malware from code. It is commonly offered as part of a larger email security solution as a bolt-on focused on cloud-based email endpoints.
A highly common phishing tactic where attackers will attempt to lure a recipient into entering their password or other compromising log-in information, usually via a web page. This is most often deployed via spear phishing.
Credential stuffing is a type of cyberattack in which the attacker uses a list of stolen usernames and passwords to gain unauthorized access to a large number of accounts. The attacker obtains the list of stolen credentials through various means, such as purchasing them on the dark web or scraping them from publicly available data breaches. Once they have the credentials, they use automated tools to try each username and password combination on a target website or service.
A data breach refers to any incident where unauthorized individuals gain access to sensitive or confidential data. This can include personal information like social security numbers, financial data, healthcare records, or corporate information such as customer databases and intellectual property.
A data broker, often referred to as an information broker, is a business that collects, aggregates, organizes, and sells or distributes information about individuals to other businesses, organizations, or entities.
A data leak refers to the accidental exposure of sensitive information either at rest or in transit. Data leaks can occur through various avenues, including unprotected databases, misconfigured servers, or human errors like inadvertently sending an email containing confidential data to the wrong recipient.
Data loss encompasses incidents where sensitive data is unintentionally misplaced or stolen through cyberattacks or insider threats. While this definition overlaps with data breaches, data loss also includes scenarios where information cannot be retrieved due to system errors or hardware failures.
A capability of some email security solutions that prevents sensitive information or data from leaving an organization via email. This is a common add-on service offered by email providers such as Microsoft.
DMARC helps protect a company from unauthorized use of its domain name by malicious actors sending fraudulent emails. It works by evaluating messages that are sent from a particular domain and comparing them to the record published in the DNS by the owner.
This is an email security standard that uses cryptography to ensure that messages aren’t manipulated between sender and receiver. DKIM helps improve email deliverability rates, while also reducing the frequency of domain spoofing.
A type of spoofing email in which an attacker sends a malicious message from a fraudulent domain that is an exact match to the spoofed brand’s domain (Example: TimCook@apple.com). These messages are detectable by many anti-phishing technologies since the sender domain can be easily identified as false.
Email encryption is a security measure that is used to protect the confidentiality of email messages. Encryption is the process of encoding information in such a way that only authorized parties can access it. In the context of email, encryption is used to ensure that only the intended recipient of an email message can read its contents. Email encryption typically involves the use of a mathematical algorithm to encrypt the contents of the email. The sender and recipient of the email must each have a unique encryption key, which is used to encode and decode the message. When the recipient receives the encrypted email, they use their encryption key to decode the message and read its contents.
Email Security Orchestration, Automation, and Response (M-SOAR)
This solution is commonly deployed by email security companies, including IRONSCALES, with end-to-end security to identify and remediate threats while continuously learning to better improve the process.
Similar to SIEM, XDR solutions aggregate data across endpoints, including antivirus, firewall, and more. Security analysts leverage XDR to provide a full picture of an organization’s threat landscape, which, of course, includes email.
Extortion phishing scams leverage scare tactics, including blackmail, threats, or coercion, to intimidate victims into paying a ransom or providing them with a specific service. These types of scams, which are increasing in frequency, often threaten to spread sensitive information such as private photos and videos (whether the attackers actually have this compromising info).
These nefarious, yet often highly realistic-looking website pages, are an increasingly common technique deployed by attackers seeking to obtain a person’s login credentials to a legitimate website in order to harvest personal or company information and commence with illegal activity, such as credit card fraud, identity theft, and more. Adversaries are able to bypass both human and technical controls by exploiting inattentional blindness. Last year we identified more than 200 major brands significantly impacted by fake login pages in the first half of the year.
Similar to credential harvesting, except that instead of trying to get someone to enter their password, the attacker’s goal is to get the recipient of the phishing email to enter compromising info that can later be used to steal money. This can include bank account information, credit card numbers, social security numbers, and more.
Graymail is a term used to describe a type of email that is not spam but is not necessarily wanted or expected by the recipient. Examples of graymail include newsletters, promotional emails, and other types of marketing messages.
Generative AI involves the use of machine learning algorithms to generate novel content by learning from large datasets; it can be applied in various fields, in cybersecurity, generative AI is utilized for defensive purposes to enhance threat detection, response, and security training.
This technique implements hidden text with a font size of zero within a phishing email. Since a human reader cannot detect the zero-width characters, these malicious emails often appear legitimate to unsuspecting users. Invisible characters are also capable of bypassing legacy email security defenses, which is why the best way to defend against this type of attack is to turn to AI-powered email security tools that use natural language processing and computer vision to detect anomalies.
In cybersecurity, a honeypot is a network-attached system set up as a trap to attract attackers, gather data on their techniques, and divert their attention from real systems, helping organizations enhance their threat intelligence and defensive strategies.
Identity Fabric is a deployment architecture that enables individuals to securely utilize their personal identities across multiple online platforms, allowing for seamless authentication and access, while providing organizations with a unified framework for identity management and control. It ensures consistent identity and access policies across diverse cloud environments and mitigates the risks associated with identity fragmentation and vendor lock-in.
A type of spoofing attack, with or without a payload, in which adversaries take on the persona of a colleague, vendor, partner, friend, or family member to achieve a specific objective. Such attacks can be used for quick financial gains or deployed as part of an advanced persistent threat (APT) in which reconnaissance is the main objective.
Impossible travel is a cybersecurity anomaly detection method that identifies potential compromises by analyzing user login activities and correlating them with geographical locations, specifically flagging instances where a user's account is accessed from two different countries in a suspiciously short time period.
IoC-focused email defenses are commonly found in SEGs, which rely on technology to identify phishing threats that contain a malicious payload (URL, attachment). However, this technology is ineffective in remediating the rise of social engineering attacks.
An insider threat can come from a variety of sources, such as a current or former employee, contractor, or business partner who has authorized access to the organization's systems and information. Insider threats can take many forms, such as theft of sensitive information, sabotage of critical systems, or unauthorized access to confidential data. Because insiders already have access to the organization's systems and networks, they can be particularly difficult to detect and prevent.
This is where many modern email security solutions sit, including IRONSCALES. While the efficacy and integrated advanced technologies vary, most email security companies claim to offer robust advanced threat capabilities to prevent all types of phishing techniques that would normally breach Secure Email Gateways.
Invoice fraud is a well-coordinated ploy in which an attacker attempts to scam a business into paying a fake invoice–or paying a legitimate invoice to a fake account–by impersonating a vendor or partner. These targeted attempts are less likely to be flagged as spam since they don’t contain links or attachments that are deemed suspicious by most email security filters.
IP reputation is a measure of the trustworthiness of a particular IP address on the internet. IP addresses are unique numerical labels that are assigned to every device that is connected to the internet. IP reputation is used to determine whether an IP address is known to be used for malicious or fraudulent activity, such as spamming or phishing.
Large Language Models (LLMs) are advanced deep-learning models that understand and generate text in a human-like fashion, transforming the way computers process and generate language.
The Log4j exploit refers to a severe security vulnerability in the widely adopted Log4j logging library, enabling attackers to remotely execute malicious code and infiltrate systems, leading to unauthorized access and potential data breaches. This exploit poses a significant risk as it affects numerous software applications and online services that utilize Log4j for logging purposes.
Fundamentally, machine learning is the ability of machines to become smarter through experience. Machine learning makes AI possible and uses algorithms to query vast amounts of data, discover patterns and generate insights. In email security, machine learning can automate the task of phishing attack discovery via scanning messages and other proprietary analytics
Otherwise known as malicious coded software, malware is commonly deployed via email and is used to disrupt or destroy networks, servers, and devices. Examples of malware include Trojan horses, spyware, adware, and viruses.
Man-in-the-middle attacks occur when a threat actor intercepts and alters the communication between two parties without their knowledge. The attacker essentially acts as a "middleman" between the two parties, allowing them to send and receive messages as usual, but secretly modifying the messages to achieve their own ends.
MX record (Mail eXchanger record) is a type of DNS record that specifies the server that is responsible for receiving email for a particular domain. When an email is sent to an address at a specific domain, the sender's email server looks up the MX record for that domain to determine where the email should be delivered. MX records are typically stored in the DNS records for a domain, and they specify the hostname of the server that should be used to deliver email for that domain, as well as a priority value that indicates the order in which servers should be tried if multiple MX records are present.
An emerging advanced technology used in many technology sectors. In email security, it leverages advanced machine learning and neural networks to automatically detect and respond to the most common types of BEC attacks. Importantly, NLU is what allows IRONSCALES to understand both the “what” and the “who” of suspicious messages.
Outbound email protection is a security measure that monitors emails sent from within an organization to external recipients, ensuring sensitive data isn't unintentionally shared. It utilizes a combination of machine learning, predefined rules, and encryption to detect anomalies, prevent data breaches, and maintain compliance.
Pharming is a type of cyber-attack in which the attacker redirects traffic from a legitimate website to a fake one to steal sensitive information. Unlike phishing attacks, which rely on tricking individuals into providing their information, pharming attacks use technical means to redirect traffic without the victim's knowledge.
Delivered via phone, text, email, or social media, phishing is the oldest yet most prominent tactic in which criminals attempt to trick an unsuspecting recipient into taking an action, such as wiring money. It is estimated that phishing accounts for nearly 90% of all cyberattacks worldwide.
This is a common feature found across many email security products. The button empowers users who receive a suspicious email to quickly click “spam alert” or “phishing” so that the email is then routed to a phishing mailbox for further investigation.
These mailboxes received user/employee-reported email threats.
Phishing simulation testing (PST) is a type of security test that is used to assess an organization's ability to detect and defend against phishing attacks. This test involves sending simulated phishing emails to employees or other users within the organization. The goal is to see how many people click on the malicious links or attachments within the email and how quickly they report it.
This phishing technique is when a malicious actor implements slight but significant changes to an email’s artifacts, such as its content, copy, subject line, sender name, or template in conjunction with or after an initial attack has deployed. This strategic approach enables attackers to quickly develop attacks that trick signature-based email security tools that were not built to recognize such modifications to threats. With the ease associated with the development and delivery of polymorphic attacks, it is no surprise that 42% of all phishing attacks are polymorphic.
An increasingly popular malware strain, ransomware encrypts the victim’s data and then demands a sum of money (to be paid in bitcoin) in order to receive the decryption key. The criminal typically makes a threat to release the victim’s data to the internet and/or dark web if payment isn’t made. The Justice Department reports more than 4,000 ransomware attacks per day in the U.S. alone.
An extremely common solution for a variety of technologies used by engineers and other users can safely test new technologies before they are widely deployed into production. However, sandboxes differ in email security, referring to the isolation of a suspicious URL or attachment in a phishing email. This is particularly useful for zero-day attacks that bypass existing technical defenses.
Some of the most commonly deployed email security solutions, SEGs as identified by Gartner, “provide basic message transfer agent functions; inbound filtering of spam, phishing, malicious and marketing emails; and outbound data loss prevention (DLP) and email encryption.” So what is the problem with SEGs? IRONSCALES research shows advanced phishing attacks bypass leading SEGs at a nearly 50% clip.
Security awareness training is a type of educational program that helps employees and other organizational members to become more aware of security risks and learn how to protect themselves, their work, and the organization from potential attacks.
Email security solutions often integrate with SIEM tools. The email security tools send logs to the SIEM, which then consolidates logs from all connected security technologies, analyzes the data and then generates alerts for analysis and reporting.
This is a policy that protects against domain spoofing by hardening DNS servers and restricting access to senders. SPF enables Internet Service Providers (ISPs) to verify that a mail server is authorized to send an email from a specific domain. Learn how to setup SPF here.
The purpose of SMTP is to help organizations send and receive emails. While helpful for deliverability, this protocol remains highly vulnerable because it does not encrypt or authenticate messages.
Single sign-on (SSO) is a user authentication process that permits a user to enter one set of credentials (e.g. username and password) to access multiple applications or systems. In most cases, SSO uses an identity provider (IdP), which is a service that authenticates users and provides them with the necessary credentials to access different systems.
Delivered via SMS, smishing text messages are phishing attack techniques containing malicious URLs that attempt to lure recipients into visiting risky websites, downloading malware onto their mobile devices, or sharing login credentials. These text messages can sometimes appear to be from trusted senders, such as banks and online retailers, making them a real threat to people who are only accustomed to looking for phishing attempts via email attacks.
Growing in popularity, social engineering occurs when an attacker uses psychological manipulation to trick a person or company into taking an action, such as providing login credentials, paying a fraudulent invoice or sharing personally identifiable information (PII), such as a social security number. According to Verizon, social engineering now occurs in almost 60% of phishing attacks.
These junk and unsolicited email messages have historically been more annoying than risky. However, spam is increasingly viewed as a cybersecurity threat due to inattentional blindness, which occurs when individuals fail to perceive an unexpected change in plain sight.
These mailboxes are commonly found in most email clients as “spam” folders where junk and/or spam email is automatically routed.
The main difference between phishing and spear phishing is that spear phishing targets specific people and/or organizations with an ask to complete a specific task, such as downloading an attachment or clicking on a link, while phishing is often distributed at random to widespread audiences. Oftentimes, engaging with the payload enables adversaries to access the information needed to institute a major cyberattack.
Email spoofing occurs when an attacker sends a malicious message with a false sender address to steal personal information, infect computers with malware, or leverage extortion to steal money. There are four primary types of spoofing attacks, including exact sender name impersonations (the most common), similar sender name impersonations, look-alike/cousin domain spoofing, and exact domain spoofs.
Spyware is a type of malicious software that surreptitiously gains access to computer and mobile devices, stealthily capturing users' personal information and activities, which it then transmits to third parties without their knowledge or consent, posing serious privacy and security risks.
Cybersecurity threat assessment involves systematically analyzing and understanding the various threats that can compromise the security of an organization's digital assets, followed by evaluating the likelihood of those threats occurring and assessing their potential impact to prioritize and implement effective security measures.
Threat Exposure Management involves implementing a systematic program to continually evaluate and address the accessibility, exposure, and exploitability of an organization's digital and physical assets, enabling proactive risk mitigation and aligning security controls with business objectives. It encompasses processes, capabilities, and components such as external attack surface management, risk-based vulnerability management, and threat intelligence platforms to enhance visibility, prioritize remediation efforts, and improve overall security resilience.
Also known as URL hijacking, typosquatting preys on inattentional blindness by leveraging small deviations in domain names to lure them into visiting malicious websites. These deviations include scrambled letters, wrong domain endings, and other typographical errors that can easily lure victims to fake websites and fake login pages. Once lured, typosquatters have an easy opportunity to harvest personal and financial information to make quick money.
Two-factor authentication (2FA) is an additional layer of security that can be used to protect sensitive data and systems. 2FA requires users to provide two different pieces of information in order to gain access, such as a password and a one-time code generated by a mobile app.
Multi-factor authentication (MFA) is similar to 2FA, but often requires three or more different pieces of information to gain access. MFA is often used for high-security systems or data, such as financial accounts.
As a result of the internationalization of the World Wide Web and the rise of internationalized domain names (IDNs), cybercriminals can exploit Unicode domains to make dangerous websites appear safe and authentic. Unicode domain phishing replaces characters in the domain with similar characters from a foreign language, allowing the fraudulent website to bypass web browser protections and legacy email security tools.
Vendor Email Compromise (VEC), sometimes referred to as Vendor Impersonation or Vendor Spoofing, begins with an attacker gaining access to the vendor’s email, or impersonating them, in a targeted attack on their customers.
This type of phishing attack technique tricks victims into giving up sensitive personal information over the phone, such as credit card numbers and passwords. By relying on social engineering to prey on human emotions such as greed or fear, unsuspecting victims can easily be duped into giving attackers exactly what they’re looking for. The FBI has reported that vishing techniques are increasing with great frequency.
Watering Hole Attacks involve hackers exploiting vulnerabilities in popular websites to inject malware, tricking users into visiting compromised sites, and covertly infecting their computers, enabling the attackers to infiltrate targeted organizations' networks.
Directed at senior executives at mostly large corporations, Whaling attacks are targeted spear-phishing campaigns aimed at tricking high-level executives and organizational leaders into sharing confidential or proprietary information that can be used for financial fraud and other forms of exploitation.
Zero Trust is a security model that eliminates the default trust given to users and devices, implementing a continuous verification process based on user identities, device postures, and contextual factors to ensure secure access to resources, irrespective of network perimeters or locations. It rejects the assumption that internal users are inherently trustworthy and focuses on granting access only to authorized individuals and systems on a need-to-know basis.
This guide gives email security experts an exclusive access to Gartner® research to ensure their existing solution remains appropriate for the evolving landscape.
Data shows organizations deploy defense-in-depth approaches ineffective at addressing BEC attacks. Discover truly effective strategies in this report.