Security professionals have spent decades educating employees and fighting off the most pernicious forms of attacks there are—those that come through email. Many types of threats arrive through email, and as they have evolved with the threat landscape, email has become one of the most critical threat vectors, posing a significant risk to businesses.
Symantec's 2019 Internet Security Threat Report found that spearphishing emails, used by 65% of all known groups, remained the most widely used avenue for attack. The report also found that small businesses in particular were more likely to be hit by email threats, such as phishing, than were large organizations.
Prior research found that, in total, more than 8,000 businesses have been targeted by business email compromise (BEC) scams and that 30% of users have opened phishing emails.
BEC scams often incorporate techniques such as spearphishing and email spoofing. Despite security teams' best efforts, their use is rising, in part due to their success rates. Consider them a relatively low-tech form of financial fraud.
A typical scenario might involve a company's accounts payable department receiving an email, purportedly from the CEO, requesting a wire transfer. But the real sender is not the boss; it's a fraudster who has spoofed the CEO's email and is about to make off with company money.
That's just one example of how this type of attack can play out, but there are countless approaches. Thwarting them requires vigilance on the part of both employees and security pros.
According to the 2018 Internet Crime Report from the FBI Internet Crime Complaint Center (IC3), the number of complaints about BEC attacks increased nearly 30% from 2017, to 20,373 victims. Estimated financial losses totaled a record $1.2 billion, up from $675 million in 2017.
With these new findings, the IC3 reports losses from BEC attacks of nearly $5 billion since it began tracking. These threats are difficult to protect against because of their targeted nature, low volume, and lack of malicious links or code.
In 2018, Symantec joined an initiative with other members of the security industry and law enforcement to help identify and stop BEC attacks. The Symantec report found that each month, more than 5,800 distinct organizations were targeted by BEC attacks in 2018, with each organization being attacked an average of 4.5 times.
A coordinated law enforcement effort by the US Department of Justice, the US Department of Homeland Security, the US Department of the Treasury and the US Postal Inspection Service, Operation Wire Wire, resulted in the arrests of 74 people in the past few months.
While BECs are dangerous and real threats, there is a silver lining—they are generally low tech and involve manipulation and social engineering. Through a combination of training, awareness, and appropriate security technologies, BECs can be stopped.
Here are five best practices that every organization can use to raise awareness and defend against email attacks.
1. Keep employees educated on the latest threats
The first step in stopping email-based attacks is to educate employees. This may seem obvious, but even if employees have gone through some form of training, it is important to keep them up to date on the latest attacks and to regularly inform them of the dangers that can lurk in their inboxes.
Email remains the primary means of communication for most corporate employees and, as such, is a popular threat vector. Adversaries are constantly evolving their methods to try to trick users. Ongoing training should be a part of every company’s security posture, in addition to warning employees about specific threats as they arise.
2. Deploy BEC controls
Advanced email security gateways combine several security tools to detect BEC emails, including automated sender authentication and impersonation controls that monitor the mailboxes of employees most likely to be targeted. Another way to foil attacks is to use machine learning that analyzes the message body to identify spoofed emails. This can drastically reduce the workload for IT departments and eliminate the need to manage email security configurations manually.
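As an added illustration of the sender-authentication and impersonation checks described above (example code written for this article, not any product's own logic; the corporate domain, the executive directory and the message headers are all constructed), here is a small header analyzer that flags the CEO wire-transfer scenario from earlier:

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain and executive directory for this example;
# both are invented, not taken from any real organization.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed raw message headers (no real incident or organization).
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e.com
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-hosting.invalid
To: accounts.payable@example.com
Subject: Urgent wire transfer

Please process the attached wire today and keep this confidential.
"""

def lookalike(domain: str, target: str) -> bool:
    """True if domain differs from target by a single character edit (typosquat)."""
    if domain == target:
        return False
    if len(domain) == len(target):
        return sum(a != b for a, b in zip(domain, target)) == 1
    if abs(len(domain) - len(target)) == 1:
        short, long_ = sorted((domain, target), key=len)
        return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))
    return False

def bec_indicators(raw: str) -> list:
    """Return the impersonation indicators found in a message's headers."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:      # display-name impersonation
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    if lookalike(from_domain, CORPORATE_DOMAIN):      # typosquatted sender domain
        findings.append(f"sender domain {from_domain} is a lookalike of {CORPORATE_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")
    auth = msg.get("Authentication-Results", "")
    if "dmarc=fail" in auth:                          # sender authentication failed
        findings.append("DMARC authentication failed for the From domain")
    return findings
```

Run against the constructed sample, `bec_indicators` returns all four indicators; a clean message from the real executive address returns none.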
3. Isolate the threats
Even with the best training and the most robust defense, a malicious email may eventually get through. When this happens, it's imperative for security pros to quickly isolate threats and prevent them from infecting individual machines or the network.
4. Detect phishing variants
Many traditional email security gateways rely on standard signatures and blacklists to detect and block phishing attempts. That's an important step—and identifying and blocking known phishing attempts is a great start—but it's not enough. Cyber criminals are constantly developing slight variations in existing malware to help avoid detection. Being able to detect these variants is critical, and new machine-learning technologies improve your ability to do so.
5. Analyze potential threats
People send and receive millions of clean emails every day. What many don't realize is that these clean emails are themselves an asset for threat analytics. By comparing large volumes of clean and infected emails, analytics technologies can pick up on subtle differences and identify indicators of compromise that may have gone unnoticed—and then put that knowledge into action, protecting against fresh attacks.
No end in sight, so be vigilant
Email threats aren’t slowing down, and BEC attacks represent a major challenge for companies large and small. But the combination of an engaged employee base and appropriate technologies is every company's best defense.