The latest figures from the FBI Internet Crime Complaint Center (IC3) paint a gloomy picture of the rising volume, intensity, and success of email attacks. Every critical infrastructure sector has become vulnerable, and with $43 billion in exposed losses over the past few years, the threat is more prevalent than ever.
Attackers have honed their skills and are ingenious at misleading even the most vigilant, well-trained employees. Today’s phishing attacks have evolved from clumsy attempts filled with misspellings to sophisticated, nearly undetectable strikes that include legitimate accounts, proper English, and realistic lures. By weaponizing email, threat actors have turned this convenient, popular communication channel into a massive game of “gotcha” in which the stakes keep soaring.
So while it’s important that employees know the risks, companies can only hope to stop a percentage of attacks via security awareness training. And although awareness training will always be an important element of an effective cybersecurity strategy, it’s time to adopt an advanced approach that stops attacks before they reach inboxes—ensuring users don’t even have the chance to make a costly mistake. Here’s why.
Enable both employees and the SOC team to focus
The workforce needs to do their jobs effectively, focusing on what they’re trained to do. An accounts payable specialist should manage invoices and process payments, while an HR professional should respond to employee matters. Neither should have to worry about the security implications of each message they receive in the normal course of their workday.
Nobody wants to find themselves the unwitting conduit for a headline-grabbing cybercrime. That fear has spawned what I call a mentality of distrust, in which every email gets seen as a potential attack, and every click can lead to disaster. No matter how sensible and useful a message appears, employees often assume it’s safer to send it to security for a manual review. Before long, everything looks suspicious—and security teams are overwhelmed.
In previous roles, I’ve seen security teams barraged by perfectly valid emails, requiring them to respond to the user with a note like: “Thanks for reporting this, but there was no problem.” Except there was a problem, in the form of lost productivity and wasted time. It diverts the attention and energy of teams that should focus on securing the organization from all types of threats—not just email.
Overreaction and distraction benefit the hackers
Nobody can blame a user who falls victim to a slick targeted attack. Business email compromise, in which threat actors impersonate executives and other trusted parties with eerie accuracy, has almost become a science. These attacks are not easily detectable by employees, and it can be extremely difficult to determine the true sender.
To complicate matters, users are increasingly preoccupied, especially with the move to hybrid work where distractions are all around us. We have our phones in our hands, or our eyes fixed on the Amazon delivery driver. We have a dozen different activities going on simultaneously while also being bombarded with constant Slack notifications and impromptu Zoom calls.
Even if I were the smartest, best-trained person on the planet, I would likely miss an attack or two each year. Well-intentioned humans are error-prone, and we aren’t inherently great multitaskers. We can train people all day long with smart defenses—but in cybersecurity, there are no guarantees.
The bottom line: people are vulnerable, and we shouldn’t blame or shame an employee for succumbing to an attack. We have to remember who the villains are, and not let hackers exacerbate the damage by making well-intentioned employees feel guilty.
Technology + Training: A powerful one-two punch
Users will always find it challenging to tell the difference between a real email and a malicious one—particularly when it’s a well-crafted email that comes from a legitimate account, referencing ongoing conversations or using actual invoices. Companies can prevent employees from falling victim by stopping them from ever needing to make a call on it.
New technologies are available, and they use behavioral AI to understand identity, detect slight changes in tone, and uncover new tactics better than ever. By implementing tools that develop a known-good baseline across the organization, the security team can better detect the anomalies and stop these advanced attacks that bypass traditional tools.
It’s a difficult challenge to stay ahead of cybercriminals and their ever-evolving tactics. But with the right email security partner, security teams can ensure that the organization stays safe and its users never have to worry about their email again—allowing them to focus on what really matters.
Mike Britton, chief information security officer, Abnormal Security
