Email security refers to the tools, techniques, procedures, and software used to defend against malicious attempts to access and compromise sensitive data. In 2019, Verizon’s Data Breach Investigations Report found that 90% of cyber attacks can be attributed to email.
Malicious parties may attempt to steal sensitive data in several ways, including sending an email posing as a member of upper management, forwarding links and/or attachments containing malware or ransomware, or sending URLs in the email body that enable phishing for login credentials.
No organization is immune from these threats, which often cause significant damage. Back in 2015, cybercriminals assumed some of Sony’s employees’ identities and sent malware-ridden emails to unsuspecting colleagues.
The result? Over 100 TB of data was stolen, costing Sony over $100 million. Even tech giants Google and Facebook fall prey to email security attacks. Between 2013 and 2015, hackers sent convincing counterfeit invoices to both companies, collecting over $100 million in their 2-year stint.
Nearly every day, a new headline about a security breach seems to pop up. In fact, during the 2020 COVID-19 quarantine, phishing attacks increased by 350%. Your company may be sufficiently evolved, equipped with a secure email gateway, strict encryption policies, and phishing awareness and training to boost your readiness for an attack. But with the ever-evolving landscape of email threats, how prepared are you and your employees really?
Email security requires a proactive approach to threats, which may mean it’s time for you to take a hard look at your business email security stack. Discover why email security should be a high priority for all companies, how to spot advanced email threats, what to look for in an email security provider, and which tips to follow to start bolstering your current email security strategy today.
So what threats does your company need to prepare for? Let’s take a closer look:
In phishing attacks, perpetrators design emails to trick people into providing sensitive personal or professional information, often by establishing a sense of urgency. Phishing accounts for 80% of reported security incidents and is responsible for $17,700 in losses every minute. Email phishing scams are cheap, so attackers can cycle through thousands of versions of an email to figure out which copy works best.
Whaling, a subtype of phishing targeted at an organization’s senior leadership, resulted in losses of over $12.5 billion in 2018, according to the FBI. Since the scammer’s end goal is convincing targets to deposit money into fake accounts, whaling requires extensive research and preparation. Scammers need to be sophisticated enough to impersonate and/or deceive people at the board or C-suite level.
With business email compromise (BEC), cybercriminals impersonate corporate email accounts or vendors and send messages to employees, clients, or partners. These messages are designed to trick people into providing credentials that facilitate wire transfers. Between 2018 and 2019, there was a 100% increase in identified global exposed losses due to BEC.
Ubiquiti Networks reported an attack in which scammers impersonated both employees and executives to initiate a transfer of $46.7 million to third-party bank accounts. It’s especially challenging to recognize BEC because of the impersonation aspect, but also because attackers send emails with fewer sketchy-looking links and attachments.
Malware is any software designed to destroy, compromise, or gain unauthorized access to a system. Symantec reports that 1 in 13 web requests leads to malware, and Accenture points out that businesses lose 50 days of productivity for every malware attack. When a computer is exposed to malware, it’s at risk of losing sensitive data, core functionality, and privacy. Some malware spies on people’s activity without their knowledge. Worms, Trojan horses, viruses, and spyware are common types of malware.
Ransomware is malware that blocks access to a victim’s system until a certain amount of money is deposited in the scammer’s account. Cybersecurity Ventures projects that a business will fall victim to a ransomware attack every 11 seconds, and ransomware demand costs are estimated to exceed $1.4 billion in the U.S. this year. Typically, a ransom is requested in the form of hard-to-trace Bitcoin, which makes it easier for attackers to get away with the crime. Recent ransomware attacks have posed as antivirus software, then threatened to publicly disclose harmful information, or simply locked victims out of their computers altogether.
Following email security best practices can help create a solid foundation for protection against malware, phishing, business email compromise, and more. Successful approaches often blend several tactics together, so protecting yourself proactively will require a multi-faceted approach.
Encryption, spam filters, and secure email gateways on their own don’t stand a chance against modern attacks. Phishing threats are ever-evolving, with new tactics like SaaS phishing, homoglyphs (look-alike characters used to spoof domains), and pharming.
A comprehensive email platform needs to anticipate these changes by detecting anomalies in login pages, visual deviations, and dubious links or attachments.
An advanced email security platform uses API integrations to study the organization’s communication patterns from the inside out, at the mailbox level.
Such platforms apply artificial intelligence and machine learning to scan inbound and outbound messages and flag authentication failures, breaches of company policy, or other malicious features. They also use automation to detect a phishing attack in seconds, helping your teams fix any issues immediately.
Multi-factor authentication (MFA) or two-factor authentication (2FA) offers extra layers of protection to any business. To access a workplace application, employees must enter their password plus a code from an authenticator app, a text message, or both. Having multiple checkpoints makes it harder for criminals to acquire sensitive data.
The downside to MFA/2FA is that it’s inconvenient. Instead of being able to access information right away, users have to take the time to check another device and enter a code. As a result, many employees fail to actually use it unless the company requires it. Even more importantly, MFA and 2FA don’t help once an account has already been taken over, since at that point the attacker already has access to the mailbox.
Hosting regular training sessions teaches employees about new threats and the ways to keep their email secure. Instruct them to look closely at sender addresses and domains, suspicious links, and attachments with shady extensions. Send employees reminders to change passwords every month and to update their email client whenever updates are available. Also make sure employees know what to do when they receive a sketchy email, so that your security teams can address attacks quickly.
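The checks described above (look-alike sender domains built from homoglyphs, a Reply-To pointing somewhere other than the sender, and attachments with shady or double extensions) can be automated as a first-pass triage on incoming mail. The script below is an added example, not code from the original article or any vendor platform; the message it inspects is constructed, the trusted-domain list and the small confusable table are assumptions, and a production version would use the full Unicode confusables data.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not real mail): "1" for "l" in the sender domain, Reply-To elsewhere, double-extension attachment.
SAMPLE = """From: Pat Lee <pat.lee@examp1e.com>
Reply-To: <pat.lee@mail-examp1e.net>
Subject: Urgent wire transfer
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

(binary omitted)
--XYZ--
"""
# Assumption: a tiny confusable table for illustration; production code would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "1": "l", "0": "o"})
RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "lnk", "iso"}

def skeleton(domain):
    """Reduce a domain to a skeleton so homoglyph variants compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # strip accents
    return d.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def lookalike_domain(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None if it is not a look-alike."""
    if domain in trusted:
        return None
    return next((t for t in trusted if skeleton(t) == skeleton(domain)), None)

def analyze(raw, trusted):
    """Flag a look-alike sender, a Reply-To pointing elsewhere, and risky attachments."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    target = lookalike_domain(from_dom, trusted)
    if target:
        findings.append(f"lookalike-sender:{from_dom}~{target}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    for part in msg.walk():  # every MIME part; only attachments carry a filename
        name = part.get_filename()
        if name and (name.lower().rsplit(".", 1)[-1] in RISKY_EXT or name.count(".") > 1):
            findings.append(f"risky-attachment:{name}")
    return findings
```

Running `analyze(SAMPLE, {"example.com"})` returns all three findings for the constructed message; a message from a trusted domain with no Reply-To and no attachment returns an empty list.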
Running regular phishing simulations can also give leadership an idea of how equipped employees are. Do keep in mind, however, that no matter how much training you offer, some employees may still fail to pick up on certain cues. You’ll need other techniques in your back pocket.
Many companies only stick to one or two of these methods, but that is simply not sufficient. As cybersecurity threats morph and gain sophistication, best practices must keep up. A layered approach to email security ensures that nothing slips through the cracks.
Layer complementary technologies, such as phishing assessments, firewalls and network protection, and a world-class secure email platform.