Email Security:
A Guide to Advanced
Threat Protection

Nearly every day a new headline about a security breach seems to pop up. In fact, during the 2020 COVID-19 quarantine, phishing attacks increased by 350%. Your company may be sufficiently evolved, equipped with a secure email gateway, strict encryption policies, and phishing awareness and training to boost your readiness for an attack. But with the ever-evolving landscape of email threats, how prepared are you and your employees really?

Email security requires a proactive approach to threats, which may mean it’s time for you to take a hard look at your email security stack. This piece will cover the reasons why email security should be a high priority for all companies, how to spot advanced email threats, and which tips to follow to start bolstering your current email security strategy today.

What is Email Security?

Email security refers to the tools, techniques, procedures, and software used to defend against malicious attempts to access and compromise sensitive data. In 2019, Verizon’s Data Breach Investigations Report found that 90% of cyber attacks can be attributed to email.

Malicious parties may attempt to secure sensitive data in several ways, including sending an email posing as a member of upper management, forwarding links and/or attachments containing malware or ransomware, or sending URLs in the email body that enable phishing for login credentials. 

No organization is immune from these threats which often cause significant damage. Back in 2015, cybercriminals assumed some of Sony’s employees’ identities and sent malware-ridden emails to unsuspecting colleagues.

The result? Over 100 TB of data was stolen, costing Sony over $100 million. Even tech giants Google and Facebook fall prey to email security attacks. Between 2013 and 2015, hackers sent convincing counterfeit invoices to both companies, collecting over $100 million in their 2-year stint.

Email Security Today - What’s Changed

Email Security Today - What’s Changed

Letters
Originally created without built-in security, email communication proved particularly vulnerable to phishing and other threats. Early on, attackers leveraged the inherent accessibility of email to develop spam prototypes, like spoofing “to” and “from” addresses.
White List / Black list

Email filters were developed  to look for specific patterns that could help weed out these suspicious emails using  white and black lists, and many companies tried using encryption keys for email authentication.

Bug

Despite that, scammers kept finding new ways to expose information. Spammers opened fake AOL accounts to send phishing messages, and eventually began creating and disseminating viruses, malware, and worms. Even 10 years ago, 88% of email was spam

Email click and win
As emails with malicious links and attachments became more prevalent, companies adopted secure email gateways to bolster their email security. Today, email still presents a huge risk to companies big and small, and remote work has only complicated the job of security professionals.
Notebook alert

Having employees work from many different locations leads to a scattered perimeter--much more to defend and much more margin for human error. A distracted employee at home may easily click on a malicious email.

Lock
Many companies have adopted multi-factor authentication, secure email gateways, and are training their employees on how to spot phishing scams in an attempt to mitigate risk.
Hook

While those strategies are useful, they only go so far. Phishing accounts for 1 in every 4,200 emails and 94% of malware is delivered through email. Failing to equip your business with the appropriate email security can have dire consequences in terms of cost and customer exposure.

FBI shield

Just this April, the FBI reported that exploitation of cloud-based email services cost the US over $2 billion. To take security to the next level, security companies have developed API-integrated email security at the mailbox-level, AI-powered phishing incident response systems and advanced URL and malware protection.

Half brain half AI
These advanced methods of protection prevent, detect, respond, and even predict attacks so that companies can be proactive about their security.
Letters
Originally created without built-in security, email communication proved particularly vulnerable to phishing and other threats. Early on, attackers leveraged the inherent accessibility of email to develop spam prototypes, like spoofing “to” and “from” addresses.
White List / Black list

Email filters were developed  to look for specific patterns that could help weed out these suspicious emails using  white and black lists, and many companies tried using encryption keys for email authentication.

Bug

Despite that, scammers kept finding new ways to expose information. Spammers opened fake AOL accounts to send phishing messages, and eventually began creating and disseminating viruses, malware, and worms. Even 10 years ago, 88% of email was spam

Email click and win
As emails with malicious links and attachments became more prevalent, companies adopted secure email gateways to bolster their email security. Today, email still presents a huge risk to companies big and small, and remote work has only complicated the job of security professionals.
Notebook alert

Having employees work from many different locations leads to a scattered perimeter--much more to defend and much more margin for human error. A distracted employee at home may easily click on a malicious email.

Lock
Many companies have adopted multi-factor authentication, secure email gateways, and are training their employees on how to spot phishing scams in an attempt to mitigate risk.
Hook

While those strategies are useful, they only go so far. Phishing accounts for 1 in every 4,200 emails and 94% of malware is delivered through email. Failing to equip your business with the appropriate email security can have dire consequences in terms of cost and customer exposure.

FBI shield

Just this April, the FBI reported that exploitation of cloud-based email services cost the US over $2 billion. To take security to the next level, security companies have developed API-integrated email security at the mailbox-level, AI-powered phishing incident response systems and advanced URL and malware protection.

Half brain half AI
These advanced methods of protection prevent, detect, respond, and even predict attacks so that companies can be proactive about their security.

Common Email Security Threats

So what threats does your company need to prepare for? Let’s take a closer look:

Phishing

In phishing attacks, perpetrators design emails to trick people into providing sensitive personal or professional information, often by establishing a sense of urgency.  Not only are 80% of reported security incidents phishing attacks, but they also are responsible for $17,700 lost every minute due to a phishing attack. Email phishing scams are cheap, so attackers can cycle through thousands of versions of an email to figure out which copy works best. 

Phishing attacks

Whaling

Whaling, a subtype of phishing targeted at an organization’s senior leadership, resulted in losses of over $12.5 billion in 2018, according to the FBI. Since the scammer’s end goal is convincing targets to deposit money into fake accounts, whaling requires extensive research and preparation. Scammers need to be sophisticated enough to impersonate and/or deceive people at the board or C-suite level. 

Whaling

Business Email Compromise

With business email compromise (BEC), cyber criminals impersonate corporate email accounts or vendors and send messages to employees, clients, or partners. These messages are designed to trick people into providing credentials that facilitate wire transfers. Between 2018 and 2019, there was a 100% increase in identified global exposed losses due to BEC

Ubiquiti Networks reported an attack in which scammers impersonated both employees and executives to initiate a transfer of $46.7 million to third-party bank accounts. It’s especially challenging to recognize BEC because of the impersonation aspect, but also because attackers send emails with fewer sketchy-looking links and attachments. 

Business Email Compromise

Malware

Malware is any software aimed at destroying, compromising, or accessing an operating system. Symantec reports that 1 in 13 web requests lead to malware, and Accenture points out that businesses lose 50 days of productivity for every malware attack. When a computer is exposed to malware, it’s at risk of losing sensitive data, core functionality, and privacy. Some malware spies on people’s activity without them knowing. Worms, Trojan horses, viruses, and spyware are common types of malware.

Malware

Ransomware

Ransomware uses malware to obstruct access to a victim’s system until a certain amount of money is deposited in the scammer’s account. Cybersecurity Ventures purports that a business will fall victim to a ransomware attack every 11 seconds, and ransomware demand costs are estimated to exceed $1.4 billion in the U.S. this year. Typically, ransom is requested in the form of untraceable Bitcoin. This makes it easier for attackers to get away with the crime. Recent ransomware attacks have simulated antivirus software then threatened to publicly disclose harmful information or simply locked victims out of their computers altogether. 

Ransomware

3 Email Security Best Practices

Following email security best practices can help create a solid foundation for protection against malware, phishing, business email compromise, and more. Successful approaches often blend several tactics together. Protecting yourself proactively will require a multi-faceted approach.
Email Security platform

Encryption, spam filters, and secure email gateways, don’t stand a chance against modern attacks. Phishing threats are ever-evolving, with new tactics like SaaS phishing, homoglyphs, and pharming

A comprehensive email platform needs to anticipate these changes by detecting anomalies in login pages, visual deviations, and dubious links or attachments. 

An advanced email security  platform uses API integrations to study the organizations communications patterns from the inside out at the mailbox-level. 

They have artificial intelligence and machine learning to scan inbound and outbound messages and flag authentication errors, breaches of company policy, or other malicious features. Advanced  email security platforms also leverage automation to detect a phishing attack in seconds, helping your teams instantly fix any issues. 

Email Security platform
MFA/2FA

Multi-factor (MFA) or two-factor authentication (2FA) offer extra layers of protection to any business. To access a workplace application, employees must enter their password and a code they received in an authentication app or over text or both. Having multiple checkpoints makes it harder for criminals to acquire sensitive data.

The downside to MFA/2FA is that it’s inconvenient. Instead of being able to access information right away, users have to take the time to check another device and enter in a code. As a result, many employees fail to actually use it, unless required by the company. And even more importantly, MFA and 2FA don’t protect against account takeover attacks either, since the attacker has access to the email account already.

MFA/2FA
Employee education

Hosting regular training sessions teaches employees about new threats and the ways to keep their emails secure. Instruct them to look closely at email addresses and domains, suspicious links, or attachments with shady extensions. Send employees reminders to change passwords every month and relaunch their email application whenever updates are available. Also make sure employees know what to do when they receive a sketchy email so that your security teams can address attacks quickly.

Running regular phishing simulations  can also give leadership an idea of how equipped employees are. Do keep in mind, however, that no matter how much training you offer, some employees may still fail to pick up on certain cues. You’ll need other techniques in your back pocket.

Employee education

Many companies only stick to one or two of these methods, but that is simply not sufficient. As cybersecurity threats morph and gain sophistication, best practices must keep up. A layered approach to email security ensures that nothing slips through the cracks.

Layering complementary technologies, such as:
Phishing Assessment
Phishing Assessment
Firewalls and network protection
Firewalls and network protection
A world-class secure email platform
A world-class secure email platform
Helps bolster your cybersecurity stack against cyber attacks.
IRONSCALES Logo

Advanced Email Security Threat Protection

No matter how strong you believe your email security stack currently is, there’s always room for improvement. IRONSCALES is a self-learning email security platform that detects advanced threats better than any other cybersecurity provider.

IRONSCALES combines several point solutions into a single platform, so your company benefits from top-of-the-line prevention, detection, and remediation solutions. Out-of-the-box BEC, ransomware, and malware protection defends against both known and unknown types of cyberattacks.

Don’t take any chances一request a free trial of IRONSCALES today.

Awards

The Good. The Bad.
And the Ugly
of Email Security
Why You Need Mailbox-Level Protection