Security was never at the forefront of email design; as a service, email is intended specifically for the sharing of information. For threat actors, email has been a consistent, primary vector for attacks on organizations. From ransomware to phishing scams to business email compromise (BEC) attacks, email is a vulnerable resource that is typically critical for an organization's infrastructure.
Here are the top three email-based threats, what they have in common and how you can protect your organization.
The common thread
Email-based attacks fall into three broad categories based on methods and goals: phishing, social engineering and malware infection. Each attack can be carried out by other means, such as phone calls, text messages or malicious websites. But email messages remain a convenient and reliable vector for attackers, who often combine two or more of these types of attacks to increase their chances of success.
Most successful email-based attacks have something in common. They generally involve email spoofing, which is when an attacker fakes the sender's address to make it seem like an email message comes from a trustworthy sender. You're more likely to click on a link or open an attachment when you think it comes from someone you know or a company you trust.
Spoofing is not an attack itself but a means to an end. Fortunately, technological defenses against spoofing called DKIM, DMARC and SPF are free and widely available. Implementing them will go a long way toward making your organization's email communications, both incoming and outgoing, more secure. You can read more about these defenses against spoofing in our article "How to: Fresh strategies to secure email."
Phishing is the most common email threat and the one that's least likely to disappear with time. It tricks you into handing over private bits of information such as account usernames, passwords, email addresses, credit-card numbers or Social Security numbers.
The phisher fools you by using technology to impersonate a trustworthy entity, which can be a well-known company or a workplace colleague. Malware is rarely involved, and there's little personal interaction. The best phishing scams blend into your daily routine so that you never notice anything is wrong.
In an email-security study conducted by CyberRisk Alliance in early 2022, 60% of CISOs and other IT managers surveyed cited phishing and spoofing as among their top three email-security concerns, right behind ransomware. And Microsoft in July 2022 found that a phishing campaign had targeted 10,000 companies with the aim of committing BEC attacks.
In the most common scenario, a phisher's email message tells you there's something wrong with one of your accounts and that you need to log in immediately. The message includes what seems to be a link to the account login page but is really a clever mockup. As soon as you type in your credentials, the attacker has them.
Phishing can also be done via SMS text messages, in which case it's called "smishing," or through voice calls, i.e. "vishing." But phishing first arose with email messages, which are still the primary vector of attack.
Targeted phishing attacks aimed at a single person or a small group of people, such as company executives or human-resources or IT staffers, are called "spear phishing." In these cases, attackers often research their targets beforehand and personalize the malicious messages to make them more likely to succeed.
"They are no longer sending one-size-fits-all," said one CISO interviewed by CyberRisk Alliance. "They are researching people to target and tailor their approach to increase the likelihood of a successful attack."
While anti-spoofing defenses like DMARC will greatly reduce the number of phishing messages that reach your staffers, they won't stop them all. If an attacker gets access to an employee's internal network account, possibly by spear phishing, then they can send phishing emails to other staffers that genuinely come from that employee's account.
Your correspondent once fell for an email that seemed to come from an HR staffer and asked all staffers to address a payroll issue. A link in the message led to what looked like the Office 365 login page. Antivirus software blocked the site for some staffers, but other employees weren't so lucky and had their paycheck direct deposits rerouted to other bank accounts.
Aside from anti-spoofing protocols, protections against phishing are numerous. Endpoint protection, antivirus software and web browsers block known malicious websites. Multi-factor authentication (MFA) can prevent account takeovers even if a username and password are successfully phished.
Just as important, however, is employee training. Teach your staffers about how to watch out for phishing attacks and what to do if they fall for one. None of these methods is foolproof, but by combining them you'll greatly increase your email-security stance.
“Employees are able to recognize and flag fraudulent emails because we see that in analytics and test them thru simulated phishing emails,” a CISO working in the tech sector told CyberRisk Alliance. (Read more about next-generation training in our eBook, “Don’t Call It Training: Achieving Cyber Resilience Through Workforce Optimization.”)
BEC and other forms of social engineering
Social engineering is a new name for old-school confidence tricks that don't always involve technology. If you've ever talked your way into an exclusive party or event you weren't invited to, that's social engineering. So are Ponzi schemes and the well-worn "Nigerian prince" advance-fee scam.
Today, crooks are using high-level social engineering to carry out business email compromise (BEC) attacks, aka "CEO fraud." They impersonate company CEOs or CFOs and convince employees to pay phony invoices or make wire transfers to random bank accounts. The attacks usually include spoofing and may be facilitated by phishing, but do not generally involve malware; the goal is money.
BEC attacks can be done in a number of ways, including by sending text messages to staffers after hours (not many people will recognize their CEO's cellphone number) or by dialing into video conferences.
"In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a 'deep fake' audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly," said the FBI in its 2021 Internet Crime Report.
But the most common vector for BEC attacks is via email. Often, the attackers compile lists of company employees authorized to make payments, which can be obtained from LinkedIn or company websites or harvested by information-stealing malware.
Then the attackers target employees with spoofed emails that seem to come from the boss and demanding urgent wire transfers to a specific companies or bank accounts. If the employees who get the emails believe the scam and can make the payments, then the money may be gone for good.
The FBI estimates that U.S. businesses and individuals lost $2.4 billion to BEC scams in 2021, with losses rising 65% from July 2019 to December 2021. The worldwide cumulative damage since June 2016 reached $43 billion.
"It's the BEC attacks that are rising most dramatically," one CISO told CyberRisk Alliance. Another cited "a strange email saying our sales VP authorized this payment invoice" that amounted to "a few ten thousands" of dollars, and thwarted only when an accountant double-checked with the sales VP.
Anti-spoofing technologies will help reduce BEC emails, as will company policies that mandate multiple staffers signing off on large payments. Again, you may get the best results by training employees to spot BEC attempts, although some may need more training than others.
"We have a mixture of older and younger employees; the younger employees tend to recognize phishing emails more than our older employees," a CISO in the education sector told CyberRisk Alliance.
This training will also cut down on other forms of social engineering, such as when a trusted supplier suddenly seems to demand payment of an overlooked invoice.
However, a CISO in business and professional services said that even with training sessions, some staffers "still click on things they shouldn't, open up emails or attachments when they shouldn't."
"If they don't get a big red warning from the security systems," the CISO added, "they just don't think about every email they touch."
Malware and booby-trapped attachments
In 2011, a large information-security vendor was hit by Chinese state-sponsored attackers who sent email messages to just a few people in the company, spoofing addresses so that the staffers seemed to be emailing each other. Attached to the messages was a Microsoft Excel file that exploited a previously unknown vulnerability in Adobe Flash and gave the attackers full control of the employees' machines.
The attackers used that access to penetrate the vendor's networks and compromise its leading security product, which was used by U.S. defense contractors and thousands of other organizations to protect their networks. The security company had to make good with its clients and took a $66 million charge as a result of the attack.
Email-delivered malware is perhaps the most dangerous email threat of all. It can deeply penetrate an organization's systems, quietly stealing information for months or even years. If the goal is money rather than information, then it can install ransomware that locks up those systems and demands payment to free them or steal proprietary data and ransom that too.
Such malware often comes in the form of an attachment that looks innocuous, like an invoice or a resume. The accompanying message may urge that the attachment be opened immediately. In other cases, the message contains a link that takes the recipient to a website that silently tries to install malware through a web browser.
Aside from anti-spoofing measures, the best defenses against email-borne malware are strong endpoint protection software that automatically scans all email attachments, regular application and operating-system updates, and strict network segmentation and identity and access management (IAM) policies.
And of course, you should train your employees to be suspicious of emails that come from outside the company — and sometimes those that come from inside as well.
"We have trained our users to be very paranoid and not only to delete suspicious emails but to be very proactive about reporting suspicious emails," one CISO told CyberRisk Alliance. "Every user is incredibly skeptical about anything that is even halfway sketchy."