A warning from Google underscores the risk posed by ignored or little-used email infrastructure.
Today, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.
So it’s of little surprise that email has also become the single largest platform for Internet Crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).
Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.
So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals – most of whom were involved in email security in some way – to understand the current state of email security. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.
As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.
For example, we learned that the “average” user either doesn’t recognize email threats for what they are or dismisses them under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:
- Executive or internal impersonations
- External impersonations (e.g. customers, vendors, partners)
- Wire transfer requests
- W2 requests
- Payload / malware attacks
- Business services spoofing (e.g. ADP, Docusign, UPS)
- Credential theft
And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents that had some involvement in email security indicated that one or more of those threats was hitting inboxes.
That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy-to-spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.
That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well-planned attacks that use social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents – 46% – report impersonations, including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry most about.
More concerning, our study indicates that 1 in 5 organizations have to take some kind of significant remediation action (e.g. suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts, etc.) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.
Given the remediation requirements, it’s no wonder that 56% reported major technical issues with their email security solution today, including:
- “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
- “Missing payload attacks” – 16%
- “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
- “Weak or no remediation capabilities” – 19%
- “Negative impact on business operations (e.g. too many false positives)” – 21%
We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?
Want to download the full report? You can do so here.
There’s no debate that phishing attacks are on the rise. In fact, 90% of data breaches start with a targeted email attack. However, relying on legacy email security tools simply does not work when faced with the trifecta of business email compromise, malicious URL delivery, and malware/ransomware attacks. Modern cloud email platforms require a modern email security solution that can protect against spear phishing and social engineering attacks.
Here are four common misperceptions or “myths” about email security and a brief explanation to dispel them.
1. Microsoft or Google Will Fix It – Two tech giants in charge of billions of corporate mailboxes will surely find a solution to spear phishing, right? Both Microsoft and Google do a tremendous job addressing the security challenges presented by their own infrastructure such as data loss from someone hacking into a server or stealing information from a physical data center.
Think of Microsoft and Google as property management companies for a residential building. They can try to secure the property by installing cameras and modern entry systems but if a tenant gives their keys away and has their condo robbed, there’s not much they can do. Phishing will always be the purview of individual businesses.
2. Our Secure Email Gateway (SEG) Will Protect Us – Email gateways have seen their efficacy erode as enterprise infrastructure has migrated to the cloud. SEGs route mail through their systems, analyze it to see if the emails are “good” or “bad,” and then deliver or block it. By making it a binary decision, these tools allow phishing emails to reach employees at an alarming rate. Cybercriminals craft their attacks with SEGs in mind knowing they have difficulty catching phishing or social engineering attacks.
3. Security Training Will Keep Us Safe – Training is certainly a part of compliance, but it has not proven to be effective at preventing data breaches. That’s because, according to a recent CSO article, two-thirds of inbound phishing attacks use a company’s own domain name in the ‘From’ field, making them extremely hard to detect. A well-crafted phishing attack delivered to the right person, at the right time, will work regardless of the time, resources and effort invested in training them. Employees are soft targets.
4. We Haven’t Been Owned (Yet) – The phishing epidemic will continue — it has proven to be an extremely effective attack vector. And there is no such thing as a company that is too small or inconsequential to be the target of a cyber attack. The Ponemon Institute hammered that point home when they unveiled research that showed there was a 27% probability that a US company will experience a breach in the next 24 months that costs them between $1.1 million and $3.8 million. Just because a cyber criminal hasn’t tested your business’ email security posture yet does not mean you shouldn’t be ready when the time comes.
Learn more about these common misperceptions in our most recent webinar, 4 Reasons Why It’s Time to Rethink Email Security. Also hear GreatHorn CEO Kevin O’Brien explain how targeted phishing attacks work, how they’re evolving and what can be done to protect important assets from business email compromise.
If Even Top White House Officials Are Falling for Spear Phishing Emails, What Hope Do the Rest Of Us Have?
Last night, news broke that Homeland Security Adviser Tom Bossert was fooled by a spear phishing email impersonating the president’s senior advisor, Jared Kushner. After “Kushner” — in reality, the sender of the email was self-described “lazy anarchist” @SINON_REBORN — invited him to a party, Bossert replied with a friendly note and volunteered his personal email address.
Bossert isn’t the only White House official to fall for SINON’s tricks: using a mail.com email address, the prankster targeted ex-communications chief Anthony Scaramucci with messages purporting to come from former chief of staff Reince Priebus, and Jon Huntsman, who is Trump’s pick for U.S. Ambassador to Russia. In both cases, Scaramucci took the bait and replied; Huntsman himself, along with Trump’s son Eric, was also fooled by the phishing scheme.
That the impersonations were successful at all points to serious flaws in the White House’s cybersecurity posture. Government officials are high-profile targets who have certainly been trained on cybersecurity best practices, and the White House is one of the most protected locations on Earth — if targeted phishing is effective even in this highly secure environment, it’s further confirmation that something is very seriously wrong with the current state of email security.
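The impersonations described on this page share a few header-level tells: an executive’s display name on a consumer mailbox (the White House prank), the company’s own domain in the From field without the authentication to back it up (the two-thirds figure above), a Reply-To that steers replies elsewhere, and a short, urgent, link-free body. The following is an added example of screening for those tells, not GreatHorn’s code; the domain, executive directory, cue list and sample messages are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical directory: the organisation's own domain and each executive's real address.
OWN_DOMAIN = "example.com"
EXECUTIVES = {"pat lee": "pat.lee@example.com"}
URGENCY_CUES = ("urgent", "asap", "right away", "wire", "before 5")

def analyze(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr, findings = addr.lower(), []
    auth = msg.get("Authentication-Results", "").lower()
    # Own-domain From header that did not pass DMARC: spoofed, not internal.
    if addr.endswith("@" + OWN_DOMAIN) and "dmarc=pass" not in auth:
        findings.append("own-domain From without DMARC pass")
    # Executive display name on an address the directory does not know.
    known = EXECUTIVES.get(name.strip().lower())
    if known and known != addr:
        findings.append("executive display name from unknown address")
    # Reply-To steering replies to a mailbox other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("Reply-To differs from From")
    # Payload-free lure: urgency or money wording with no link to scan.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "http" not in text and any(cue in text for cue in URGENCY_CUES):
        findings.append("urgency cues without link or attachment")
    return findings

# Constructed samples, not real mail: consumer-mailbox prank, own-domain spoof, genuine note.
PRANK = """From: Pat Lee <pat.lee.office@mail-example.net>
Reply-To: pat.lee.private@mail-example.net
Content-Type: text/plain

Are you around? I need a wire sent out before 5 today. Call my cell.
"""
SPOOF = """From: Pat Lee <pat.lee@example.com>
Content-Type: text/plain

Please process the attached invoice.
"""
GENUINE = """From: Pat Lee <pat.lee@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Team lunch Thursday, menu is at https://intranet.example.com/lunch
"""
```

Calling `analyze(PRANK)` flags three indicators, `analyze(SPOOF)` flags only the unauthenticated own-domain sender, and `analyze(GENUINE)` returns nothing; the point is that none of these checks needs a link or attachment to fire.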
The Implications of a Successful Phish
Targeted social engineering attacks like this one — phishing, business email compromise, and impersonation — have become the single most effective attack type in the world.
Earlier this year, we at GreatHorn conducted a survey of the threat landscape across approximately 115,000 mailboxes from our clients, comprising nearly 375 million messages. Our focus in conducting this research (published in the 2017 Cloud Email Report) was to establish a baseline of how many suspicious, anomalous, and potential phishing emails were received by our client base. The results are sobering: out of those 375 million messages, approximately 0.016% were statistically anomalous in a significant way, containing indicators of phishing threat.
Mail without a classically malicious payload — typical of today’s whaling, business email compromise, and spear phishing attacks — can be devastatingly effective in the theft of sensitive data, intellectual property, and (of course), money. An FBI Public Service Announcement published in May puts the financial losses of business email compromise scams at over half a billion dollars annually, and warns that the volume of attacks is only going up.
Why Can’t We Stop Getting Owned — And What Should We Do About It?
Three key trends are driving modern threats:
The rapid adoption of cloud infrastructure, particularly cloud email like Microsoft’s O365 and Google’s G Suite.
Email has perhaps changed the most of any system used on a daily basis by the modern workforce. Since 2012, the landscape for email infrastructure has shifted dramatically towards cloud — Microsoft Office 365 and Google G Suite dominate this space — but legacy security solutions like Secure Email Gateways (SEGs) have been slow to adapt to these newer platforms.
SEGs offer only single-point-in-time protection, meaning that they provide no visibility or control over threats that successfully bypass the perimeter, and they struggle to detect deception-based social engineering threats like those involved in the White House prank, leaving users vulnerable to the most difficult-to-detect types of threats.
Cloud email providers themselves also struggle to stop targeted phishing attacks. If your organization was one of the many hundreds of thousands of recipients of the Google Drive phishing attempt that hit the world’s businesses in May, or the subsequent Docusign data breach and phishing attempts, you likely saw that even Google and Microsoft were not able to block every instance of these messages.
The demonstrable inefficacy of security awareness training programs.
Many organizations attempt to bridge the gap left by insufficient security technologies through security training programs, which include “realistic” fake emails that chastise users who click on an embedded link, automated video trainings, and Outlook plugins that require that users self-report phishing attempts.
Unfortunately, while training is helpful (and an important part of many compliance strategies), it’s been proven ineffective. Forrester ran a study of a wide range of organizations which had experienced a security breach; statistically, there is almost no difference in breachability correlated to the use of these types of training programs.
The pervasiveness of email, the proliferation of self-owned devices, and the always-on nature of modern work make it impossible for people to be constantly vigilant. There’s no way to transform people into hard targets for hackers; they’re all soft.
An unprecedented lack of trained information security talent.
Last but not least: cybersecurity has a capacity problem.
Today, there are at least 1 million unfilled information security analyst jobs, and the number is expected to rise to between 1.5 and 2 million by 2020. Over a quarter of all organizations surveyed report that they simply cannot fill their open positions at all.
The result is that information security teams are understaffed like never before, and this critical skills shortage has played a significant role in the increasing distance between how little time it takes an attacker to work their way past cybersecurity defenses, and how long it takes for those incursions to be detected and remediated.
Since neither end-user training nor information security analyst teams can keep up, what can we do to protect ourselves?
Automation Is the Only Way to Keep Up
What’s needed is an entirely new way of stopping these attacks — automatically, and at scale.
Research findings from the 2017 Cloud Email Security Report show that a 50,000 person organization can expect to field thousands of phishing threats per week — and that time spent investigating and (if applicable) remediating them can add up to hundreds of hours.
Reducing time to detection and response, from establishing a baseline of visibility and control to measuring the reduction of risk, is the goal of the modern information security operations center, and it is clearly a priority for the White House as well. As the May 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure notes, one of the key goals of the current administration is the selection and implementation of “risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.”
In accomplishing this mission, automation techniques are increasingly being looked to as one of the core capabilities available to organizations in the pursuit of identifying and reducing the potential for harm from these types of attacks.
Doing so will require dedicated technological resources, with deep automation workflows, to aid in the detection of patterns and anomalies that humans might otherwise miss. Until such systems are in place, a simple consumer email address and a penchant for mischief may be all that stands between our most sensitive personnel and an increasingly dangerous digital world.
Over the past two weeks, we have seen multiple variations on impersonated DocuSign phishing campaigns. While GreatHorn Inbound Email Security clients have been fully protected in both circumstances, DocuSign has confirmed that both incidents were the result of a data breach by criminal hackers, resulting in the loss of client email addresses and names.
Coming within weeks of a sophisticated impersonation of Google Drive, a worldwide ransomware attack that took down the NHS, and an increasing focus on cybersecurity globally, this attack is an example of a new kind of threat: business service spoofing, or BSS.
We are currently tracking a new Docusign impersonation attack that began around 10:45AM ET. The attack utilizes a number of phishing links, all of which are coming from [email protected].
GreatHorn Inbound Email Security customers are protected: as with previous examples of this attack type, we are removing all instances of this email from inboxes, moving them to the Danger-Phishing folder, and will be deploying a policy to all customer instances of Inbound Email Security that will mitigate further email from this address.