Email threats are as old as time, and they continue to create headaches for enterprises despite the steps those enterprises take to defend themselves. While the threats themselves, such as malware and malicious links, haven’t changed, attackers now employ newer methods to evade detection and raise their likelihood of success.
According to the 2020 Trustwave Global Security Report, 28% of inbound email in 2019 was spam, a major decrease from 2010 (when it was 87%), but 9% of that spam was phishing, up from 3% the previous year.
Worse still, criminal hackers will shamelessly take advantage of moments of crisis and disinformation. Email campaigns have been seen posing as information and test results related to COVID-19, which may find more success given how little established information there is on the subject.
We consulted with Phil Hay, SpiderLabs Research Manager at Trustwave, to learn about the different kinds of email attacks, the impact they have on organizations, and what companies can do to better defend themselves.
Email Threats and Attacks Organizations Face
Email threats, old and new, often share a common goal – an attacker wants to steal credentials or install malware on a device for nefarious reasons, whether to exfiltrate data, spy on an organization, or use it as a foothold for further attacks. Spam, once the method of choice, has significantly decreased as most enterprises now filter those emails out. In response, hackers have turned to phishing, which, according to Phil, makes up a significant percentage of email attacks.
These phishing emails seek to have a victim open an attachment containing malware or click a link that takes them to a fake login page designed to steal credentials. Attackers usually impersonate, or spoof, a known sender and/or hide malware as macros or novel file types within attachments. The attachments are often disguised as invoices or reports in the form of Excel sheets, Word documents, or zip files.
Taking advantage of COVID-19, hackers are also deploying these methods and impersonating official health channels such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). They’re also targeting organizations who are most impacted by the crisis, such as the WHO themselves and testing labs.
Phishing attacks are often carried out at scale, but targeted attacks such as spearphishing and BEC (business email compromise) are also a concern.
Spearphishing works the same way as phishing but specifically targets an individual or company. BEC attacks are, according to Phil, “one of the biggest threats in terms of sheer dollars lost.” According to the FBI, BEC attacks led to $27B in losses between June 2016 and July 2019. BEC attacks usually impersonate a C-level executive and target someone in a department who could redirect payments, send a wire transfer, or provide financial information. The end result is monetary loss. Because of the urgency and authority behind the impersonated person, the victim often doesn’t verify the request, giving these attacks a higher rate of success.
How Organizations Can Protect Themselves
“The traditional approach of security in layers works really well here,” says Phil. “Knowing what’s right for your environment, training your organization, testing new tools in parallel with your existing devices and software, and having a tool that can carry out a set policy is key.”
No single tool will completely protect you against email attacks - instead, an organization must have a strong process, good training, and tools to help ensure there’s defense across multiple levels. Here are some of Phil’s recommendations:
- Enable multi-factor authentication (MFA/2FA) on accounts wherever possible to blunt attacks that rely on stolen credentials. Microsoft found that 99% of the compromised Microsoft accounts they observed did not have MFA.
- Require a second form of verification and validation before changing bank details or sending payments in response to an email.
- Provide annual security refreshers for the whole organization. Covering phishing and overall security awareness will teach employees what attacks they may individually face and give them a plan of action.
- Use a secure email gateway (SEG), optimized for your organization.
- Set a policy on how the organization will handle different file types that are sent over email.
The last two recommendations are important enough to cover in more detail.
Finding the Right Secure Email Gateway (SEG)
An SEG helps ensure malicious emails and spam don’t make their way into your network by quarantining and flagging problematic emails and email attachments. But every SEG is different; the right one must be flexible enough to work with the policy you set in place and have comprehensive visibility into your incoming email to get ahead of hackers trying to evade detection.
It’s also important for an SEG to be able to unpack or discover items that may be hidden inside other files or attachments. For example, an SEG may block emails carrying .exe files but may not see that those same files are embedded in an Excel document, or packed in an archive format such as .zip or .rar. An SEG must also be able to find and extract potentially malicious content from complex office document formats, such as a macro within a Word document.
Why Having A Set Policy Is Important
An email security policy is necessary to help you choose an SEG and allow your team to use it effectively. “You need to have a clear email policy on the sorts of files that are acceptable, and those that are not,” says Phil, “and then you should lock things down as much as possible while minimizing the impact on your organization.”
Blocking too many files might hinder your organization and blocking too few may expose the company to risk. It’s up to you to find the right balance.
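The nested-attachment inspection described under the SEG section, combined with a file-type policy of the kind this section calls for, as an added illustration that is not Trustwave's or any product's code. The policy sets (blocked extensions, archive types, Office formats) and the sample attachment are constructed assumptions; only zip archives are unpacked, since .rar needs a third-party library.

```python
import io
import os
import zipfile

# Assumed policy for this example (not Trustwave's): extensions blocked outright,
# archives to unpack, and Office formats to check for an embedded VBA project.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}   # .rar needs a third-party library, so zip only here
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm"}
MAX_DEPTH = 3                    # stop unpacking archives nested deeper than this

def inspect_attachment(name, data, depth=0):
    """Return (path, reason) findings for one attachment, recursing into zip
    archives and looking inside OOXML documents for a VBA macro project."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if ext in BLOCKED_EXTENSIONS:
        findings.append((name, "blocked extension"))
    elif ext in OFFICE_EXTENSIONS and is_zip:
        # OOXML files are zip containers; macros live in word/ or xl/ vbaProject.bin
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            if any(m.lower().endswith("vbaproject.bin") for m in doc.namelist()):
                findings.append((name, "office document contains VBA macro"))
    elif ext in ARCHIVE_EXTENSIONS and is_zip:
        if depth >= MAX_DEPTH:
            findings.append((name, "archive nested too deeply, not inspected"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                for path, reason in inspect_attachment(member.filename, archive.read(member), depth + 1):
                    findings.append((name + "/" + path, reason))
    return findings

def build_sample_attachment():
    """Constructed sample: a zip holding a fake .exe and a macro-enabled Word doc."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as d:
        d.writestr("word/document.xml", "<document/>")
        d.writestr("word/vbaProject.bin", b"\x00fake macro bytes")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.exe", b"MZ fake executable")
        z.writestr("report.docm", docm.getvalue())
        z.writestr("readme.txt", "harmless text")
    return outer.getvalue()
```

Running `inspect_attachment("invoice.zip", build_sample_attachment())` reports both the executable and the macro-bearing document while leaving the text file alone; the depth limit keeps a deliberately over-nested archive from exhausting the scanner.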
Giving Your Organization Multiple Lines of Defense
Following Phil’s recommendations will provide your organization defense at different risk points. Anti-spam and malware filters and your SEG will block, flag, and detect most malicious emails. If any come through, or if they’re BEC emails that evade detection, your security and awareness training and/or verification processes should tip off an employee and stop them from taking further action.
Even traditional antivirus is relevant here – it may flag malware that an employee accidentally downloaded from an email, and having MFA enabled will help ensure your accounts aren’t compromised even if credentials are phished.
When it comes to defending your organization, you can’t just rely on one tool or solution - your entire organization should have a layered and comprehensive approach to defense.
Learn more about how Trustwave’s email security solutions can help your organization protect against today’s advanced email threats.