Email Security Threat Report

Uploaded on 2022-06-22 in TECHNOLOGY--Resilience, FREE TO VIEW

The new State of Email Security Threat Report from Armorblox offers security leaders a deeper understanding of the emerging threats, threat trends that happen over email and highlights some of the significant changes in the threat landscape in the past year. 

The Report also provides a common reference point for defining commonly misused terms around the nature of these attacks and so the industry has a framework for classifying these emerging threats.

Key Insights

  • Language based attacks have become the new normal for business email compromise (BEC). 3 out of 4 (74%) business email compromise attacks used language as the main attack vector.
  • Email-based financial fraud has become very sophisticated. 2 out of 5 (44%) financial fraud attempts happen as wire fraud, invoice fraud, or vendor fraud.
  • Attackers have realised that so many critical business workflows happen over emails, and this has become the primary attack mechanism for credential phishing. 9 out of 10 (87%) credential phishing attacks looked like legitimate common business workflows in order to trick end users to engage with the email.
  • Security teams spend a lot of time configuring rules and exceptions in their native email security solutions to block impersonation emails — both for executives and other employees.
  • Despite all that manual work and rule writing, 3.5 out of 5 (70%) impersonation emails slipped past native email security controls.
  • The rise of SaaS solutions driving business workflows has also created a big surge in brand impersonation of companies in this space. Dropbox, Microsoft, and DocuSign were among the most impersonated brands in 2021.

State of Email Security Threats

During the time that that report was compiled, the latest IC3 report from the FBI was released. Based on reported complaints between June 2016 and December 2021, domestic and international exposed dollar losses due to business email compromise stands at $43.3 billion. Also, the volume of disclosed losses has exponentially increased year after year during this time as well.

This also echoes the challenges that we hear from security teams - that despite increasing security budgets every year, email-based attacks remain the top attack vector within organisations.  We are witnessing a significant shift in the market landscape as well.

The top two legacy email security vendors were both taken private by private equity firms in 2021, representing $1.5 billion in revenue. Several other legacy vendors were acquired and taken out of the market by larger players as well.

These trends also indicate that legacy approaches are not working and too many attacks are slipping through. Why is this? What has changed in how attackers target organisations? Armorblox highlight some of the significant trends:

  • Attackers are moving away from tried and tested approaches from prior decades of using malicious links or attachments in broad based attack campaigns, to targeted attacks where the language in the email is used to compromise a user’s trust. This could manifest itself as fake wire transfer instructions, direct deposit change requests, password reset emails, or other common business workflows that happen over email.
  • Whack-a-mole approaches of manual rule writing to block these newer attack types have remained unsuccessful and have caused repetitive, redundant, manual work for security teams.
  • SOC teams have to comb through large volumes of potential phishing emails that users have reported to see which are legitimate emails and which need to be immediately deleted and removed from user mailboxes.

Moreover, as more security infrastructure moves into the cloud, security teams have become more loath to manually configure and maintain DNS and MX record rules to route emails through inline secure email gateways.

Business Email Compromise

Business Email Compromise (BEC) attacks are notoriously difficult to prevent. Attackers rely on social engineering techniques to persuade people into acting on the attacker’s behalf. As a result, traditional email security solutions that analyse email headers, links, and metadata often miss these attacks.

Armorblox' research suggests that the number of BEC attacks targeting organisations increased by 74% in 2021. These BEC attacks target organisations across sectors and use language, malicious links, and common business workflows as the proxy to compromise employees and steal money, credentials, or sensitive data. 

Researching the most prevalent strategies for BEC attacks identifies the following trends

  •  74% of BEC attacks were language-based
  • 15% of BEC attacks had a malicious payload
  •  4% of BEC attacks related to common business workflows
  • 7% of BEC attacks were unwanted solicitation or graymail

One of the challenges in how BEC is used in the industry is that it represents a broad swathe of attack types. In addition to the socially engineered emails that pose an immediate threat, graymail is emerging as a category that can lead to malicious attacks.

Financial Fraud

Email-based financial fraud attacks attempt to steal money from targeted organisations. The most common categories identified were payment fraud, vendor fraud, and payroll fraud.

  • Payment fraud attacks are email attacks that contain requests for inflated, duplicate, or fake invoices or fake wire transfer requests.
  • Payroll fraud attacks happen when attackers email an organization’s payroll, finance, or human resources department, impersonating a legitimate employee with a request to update direct deposit information for their paychecks.
  • Vendor fraud attacks are the result of compromised third-party accounts, utilising the trusted reputation of the vendor or end clients. These can also happen through vendor domain impersonation plus social engineering tactics in an effort to steal money and sensitive data.

There has been a 73% increase in financial fraud email threats year-over-year from 2021 to 2022.

Financial Fraud Attack Types in 2021

  • Payroll fraud 44%
  • Payment fraud (internal and external) 31%
  • Vendor Fraud 25%

Organisations that communicate with vendors or third-party contacts can find themselves the target of financial fraud through compromised emails with trusted third party senders.

These compromised communications are the result of impersonated vendor domains and emails. The vendor fraud attacks that equate to 25% of financial fraud attacks include the following three attack vectors: vendor domain spoofing, vendor account compromise, and vendor impersonation.

Of the total number of financial fraud attacks seen over 2021, the financial industry was the target of 46% of these attacks. Compared to education and healthcare industries, we see the following breakdown for percent of financial fraud attacks targeting all three industries:

  • Financial 46%
  • Education 34%
  • Healthcare 20%

These verticals also face unique email security challenges - they conduct business with large sets of vendors, facilitate email workflows that deal with money, and store large volumes of customer data.

Phishing Attacks

Phishing is another broad category that combines several common types of attacks. Spear phishing refers to targeted attacks aimed at specific individuals, especially executives.Then there are the non-email phishing attacks - “vishing” that focuses on voicemail messages, “smishing” that tracks SMS based attacks, and even “quishing” that tracks the emerging category of QR code based attacks.

The phishing simulation and awareness industry focuses predominantly on training users to identify these kinds of attacks. Users get sent surprise phishing emails as part of a simulated phishing campaign and those unsuspecting users that click on the fake link get sent to take hours of training videos to get better.

Studies show that despite five consecutive training sessions, 1 out of 7 users still click on the bad link. 

As organisations work to protect their employees against common types of phishing scams, cybercriminals seem to stay one step ahead by adapting their tactics.

Phishing attacks (including smishing and vishing) increased 63% year-over-year from 2021 to 2022. These sophisticated attacks mimic common business workflows, targeting and taking advantage of unsuspecting employees through social engineered payloads.

Most Common Business Workflows Used In  Phishing Attacks In 2021

  • 87% related to common business workflows
  • 7% mimic password reset emails
  • 6% notifications & alerts from applications

Criminals target unsuspecting users with emails that include malicious URLs but look like legitimate common workflows. These phishing email attacks pry on the victims’ longing to participate in email workflows that they have commonly seen before without taking a step back to question authenticity.

Rise in Remote Work-Related Threats

As organisations have shifted the way they work in the midst of the pandemic, cyber criminals have followed suit. With more reliance on email communication while working remotely, several new attack surfaces have opened up for cyber criminals to exploit.

  • Socially engineered, targeted attacks have advanced, presenting a higher likelihood of getting past native security layers that still rely on manually configured rules and exception lists.
  • Stopping targeted attacks requires custom models that understand good and bad patterns of communications in each organization using the content and context inside of email communications.

Most Commonly Spoofed Workflows

With the increase of remote work, attackers are dialing into the patterns of communication and common business-related email workflows employees engage in daily due to remote work, in order to craft targeted emails attacks.

Users Forget How Much Routine Daily Work Is Done By Email.

View Document - These are emails that send us notifications asking us to review a document that someone has shared with us.

Email Notifications - These are notifications from the email provider about the status of our mailbox. Examples - Email has been quarantined, mailbox is full.

Application Notifications - Examples are shipment notifications from Amazon, UPS, USPS. Or account alerts from Amex or other providers.

Password Reset - These are notifications from services that we use that ask us to reset or update our passwords.

Voicemail Notifications - These alert us to go listen to a voicemail or that our inbox is full.

We looked at threats detected between April and November 2021 to identify the most commonly spoofed email-based workflows. Here is what we found.

Business Workflow Based Attacks in 2021

Email-based business workflows are at the heart of how organizations operate today. A lot of the context around determining whether an email is legitimate or not does not reside solely in the headers and metadata any more.

To effectively protect against targeted email attacks, the following characteristics are necessary in any effective email security solution:

  • Ability to look at historical data and identify good and bad patterns of communications.
  • Breadth of models to be able to track threats not just based on user identities and behavioral patterns, but also the language in emails to understand the content and the context of the communications.
  • Customisable models that can be trained to detect attacks in a particular organisation, specifically based on communication patterns in that organization, as opposed to a horizontal approach that tries the same sets of rules and exceptions across all customers.

The Armorblox Natural Language Understanding Platform  protectsover 58,000 organisations against targeted email attacks and sensitive data loss. For more information, visit www.armorblox.com/product

You Might Also Read:

The Frailty Of Email:

 

« REvil Have Returned - Or Have They?
Russia - Unplugged »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ComSec LLC

ComSec LLC

ComSec perform threat assessments to identify vulnerabilities and help protect businesses against corporate espionage via electronic eavesdropping.

Zadara Storage

Zadara Storage

Zadara provide complete data backup and protection delivered as a fully-managed service.

Mixed Mode

Mixed Mode

Mixed Mode is a specialist in embedded and software engineering for applications including IoT and secure embedded systems.

Dataprovider.com

Dataprovider.com

Our Brand Protection Suite gives you the tools to discover trademark infringement on the Internet, such as websites selling counterfeit products, even when this is not immediately noticeable.

Duality Technologies

Duality Technologies

Duality Technologies combine Advanced Cryptography with Data Science to deliver High-Performance Privacy-Protecting Computing to Regulated Industries.

Infosec Global

Infosec Global

Infosec Global provides technology innovation, thought leadership and expertise in cryptographic life-cycle management.

Syndis

Syndis

Syndis is a leading information security company helping to defend organizations by providing bespoke services and innovative security solutions in the global market.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Netography

Netography

Netography provides a scalable and reliable platform for detection & remediation of cyber threats found on your network.

Corsica Technologies

Corsica Technologies

Corsica Technologies is recognized as one of the top managed IT and cybersecurity service providers. Our integrated IT and cybersecurity services protect companies and enable them to succeed.

Cornami

Cornami

Cornami delivers real-time computing on encrypted data sets, which is vital for data privacy and cloud security.

Lumifi

Lumifi

Lumifi provide end-to-end cybersecurity resilience solutions with a specialty in managed detection and response (MDR) services.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

XpertDPO

XpertDPO

XpertDPO provides data security, governance, risk and compliance, GDPR and ISO consultancy to public and private sector organisations.

Jera IT

Jera IT

Jera IT provide fully managed IT support, cybersecurity services, telecoms systems, and IT strategy consultancy to businesses based in Aberdeen and the surrounding area.

Frontal

Frontal

Frontal is a specialized unit in Blockchain and Web3.0 cybersecurity. Securing Digital Assets, Cryptocurrency, DeFi, Blockchain and Web3.0 ecosystem.