Email Security Threat Report

The new State of Email Security Threat Report from Armorblox offers security leaders a deeper understanding of emerging threats and threat trends over email, and highlights some of the significant changes in the threat landscape in the past year.

The report also provides a common reference point for defining commonly misused terms about the nature of these attacks, so that the industry has a framework for classifying these emerging threats.

Key Insights

  • Language-based attacks have become the new normal for business email compromise (BEC). 3 out of 4 (74%) business email compromise attacks used language as the main attack vector.
  • Email-based financial fraud has become very sophisticated. 2 out of 5 (44%) financial fraud attempts happen as wire fraud, invoice fraud, or vendor fraud.
  • Attackers have realised that so many critical business workflows happen over email, and this has become the primary attack mechanism for credential phishing. 9 out of 10 (87%) credential phishing attacks looked like legitimate, common business workflows in order to trick end users into engaging with the email.
  • Security teams spend a lot of time configuring rules and exceptions in their native email security solutions to block impersonation emails — both for executives and other employees.
  • Despite all that manual work and rule writing, 3.5 out of 5 (70%) impersonation emails slipped past native email security controls.
  • The rise of SaaS solutions driving business workflows has also created a big surge in brand impersonation of companies in this space. Dropbox, Microsoft, and DocuSign were among the most impersonated brands in 2021.

State of Email Security Threats

During the time that the report was compiled, the latest IC3 report from the FBI was released. Based on reported complaints between June 2016 and December 2021, domestic and international exposed dollar losses due to business email compromise stand at $43.3 billion. The volume of disclosed losses has also increased exponentially year after year over this period.

This also echoes the challenges that we hear from security teams: despite increasing security budgets every year, email-based attacks remain the top attack vector within organisations. We are witnessing a significant shift in the market landscape as well.

The top two legacy email security vendors were both taken private by private equity firms in 2021, representing $1.5 billion in revenue. Several other legacy vendors were acquired and taken out of the market by larger players as well.

These trends also indicate that legacy approaches are not working and too many attacks are slipping through. Why is this? What has changed in how attackers target organisations? Armorblox highlights some of the significant trends:

  • Attackers are moving away from the tried-and-tested approaches of prior decades, using malicious links or attachments in broad-based campaigns, to targeted attacks where the language in the email is used to compromise a user’s trust. This could manifest itself as fake wire transfer instructions, direct deposit change requests, password reset emails, or other common business workflows that happen over email.
  • Whack-a-mole approaches of manual rule writing to block these newer attack types have remained unsuccessful and have caused repetitive, redundant, manual work for security teams.
  • SOC teams have to comb through large volumes of potential phishing emails that users have reported to see which are legitimate emails and which need to be immediately deleted and removed from user mailboxes.

Moreover, as more security infrastructure moves into the cloud, security teams have become more loath to manually configure and maintain DNS and MX record rules to route emails through inline secure email gateways.

Business Email Compromise

Business Email Compromise (BEC) attacks are notoriously difficult to prevent. Attackers rely on social engineering techniques to persuade people into acting on the attacker’s behalf. As a result, traditional email security solutions that analyse email headers, links, and metadata often miss these attacks.

Armorblox’s research suggests that the number of BEC attacks targeting organisations increased by 74% in 2021. These BEC attacks target organisations across sectors and use language, malicious links, and common business workflows as the proxy to compromise employees and steal money, credentials, or sensitive data.

Researching the most prevalent strategies for BEC attacks identifies the following trends:

  • 74% of BEC attacks were language-based
  • 15% of BEC attacks had a malicious payload
  • 4% of BEC attacks related to common business workflows
  • 7% of BEC attacks were unwanted solicitation or graymail

One of the challenges in how BEC is used in the industry is that the term covers a broad swathe of attack types. In addition to the socially engineered emails that pose an immediate threat, graymail is emerging as a category that can lead to malicious attacks.

Financial Fraud

Email-based financial fraud attacks attempt to steal money from targeted organisations. The most common categories identified were payment fraud, vendor fraud, and payroll fraud.

  • Payment fraud attacks are email attacks that contain requests for inflated, duplicate, or fake invoices or fake wire transfer requests.
  • Payroll fraud attacks happen when attackers email an organization’s payroll, finance, or human resources department, impersonating a legitimate employee with a request to update direct deposit information for their paychecks.
  • Vendor fraud attacks result from compromised third-party accounts, exploiting the trusted reputation of the vendor or end clients. They can also happen through vendor domain impersonation combined with social engineering tactics in an effort to steal money and sensitive data.

There has been a 73% increase in financial fraud email threats year-over-year from 2021 to 2022.

Financial Fraud Attack Types in 2021

  • Payroll fraud 44%
  • Payment fraud (internal and external) 31%
  • Vendor Fraud 25%

Organisations that communicate with vendors or third-party contacts can find themselves the target of financial fraud through compromised emails from trusted third-party senders.

These compromised communications are the result of impersonated vendor domains and emails. Vendor fraud attacks, which account for 25% of financial fraud attacks, include the following three attack vectors: vendor domain spoofing, vendor account compromise, and vendor impersonation.

Of the total number of financial fraud attacks seen over 2021, the financial industry was the target of 46%. Across the financial, education, and healthcare industries, the breakdown of financial fraud attacks targeting these three industries was as follows:

  • Financial 46%
  • Education 34%
  • Healthcare 20%

These verticals also face unique email security challenges: they conduct business with large sets of vendors, facilitate email workflows that deal with money, and store large volumes of customer data.

Phishing Attacks

Phishing is another broad category that combines several common types of attacks. Spear phishing refers to targeted attacks aimed at specific individuals, especially executives. Then there are the non-email phishing attacks: “vishing”, which focuses on voicemail messages; “smishing”, which covers SMS-based attacks; and even “quishing”, which covers the emerging category of QR code-based attacks.

The phishing simulation and awareness industry focuses predominantly on training users to identify these kinds of attacks. Users are sent surprise phishing emails as part of a simulated phishing campaign, and those unsuspecting users who click on the fake link are sent to watch hours of training videos.

Studies show that despite five consecutive training sessions, 1 out of 7 users still click on the bad link. 

As organisations work to protect their employees against common types of phishing scams, cybercriminals seem to stay one step ahead by adapting their tactics.

Phishing attacks (including smishing and vishing) increased 63% year-over-year from 2021 to 2022. These sophisticated attacks mimic common business workflows, targeting and taking advantage of unsuspecting employees through socially engineered payloads.

Most Common Business Workflows Used In Phishing Attacks In 2021

  • 87% related to common business workflows
  • 7% mimic password reset emails
  • 6% notifications & alerts from applications

Criminals target unsuspecting users with emails that include malicious URLs but look like legitimate, common workflows. These phishing emails prey on the victims’ readiness to engage with email workflows they have commonly seen before, without stepping back to question their authenticity.

Rise in Remote Work-Related Threats

As organisations have shifted the way they work in the midst of the pandemic, cyber criminals have followed suit. With more reliance on email communication while working remotely, several new attack surfaces have opened up for cyber criminals to exploit.

  • Socially engineered, targeted attacks have advanced, presenting a higher likelihood of getting past native security layers that still rely on manually configured rules and exception lists.
  • Stopping targeted attacks requires custom models that understand good and bad patterns of communications in each organization using the content and context inside of email communications.

Most Commonly Spoofed Workflows

With the increase in remote work, attackers are tuning into the patterns of communication and the common business-related email workflows that employees engage in daily, in order to craft targeted email attacks.

Users Forget How Much Routine Daily Work Is Done By Email.

  • View Document - notifications asking us to review a document that someone has shared with us.
  • Email Notifications - notifications from the email provider about the status of our mailbox. Examples: an email has been quarantined, the mailbox is full.
  • Application Notifications - examples are shipment notifications from Amazon, UPS, or USPS, or account alerts from Amex or other providers.
  • Password Reset - notifications from services that we use that ask us to reset or update our passwords.
  • Voicemail Notifications - alerts telling us to go and listen to a voicemail, or that our inbox is full.

We looked at threats detected between April and November 2021 to identify the most commonly spoofed email-based workflows. Here is what we found.

Business Workflow Based Attacks in 2021

Email-based business workflows are at the heart of how organizations operate today. A lot of the context around determining whether an email is legitimate or not does not reside solely in the headers and metadata any more.

To effectively protect against targeted email attacks, the following characteristics are necessary in any effective email security solution:

  • Ability to look at historical data and identify good and bad patterns of communications.
  • Breadth of models to be able to track threats not just based on user identities and behavioral patterns, but also the language in emails to understand the content and the context of the communications.
  • Customisable models that can be trained to detect attacks in a particular organisation, specifically based on communication patterns in that organization, as opposed to a horizontal approach that tries the same sets of rules and exceptions across all customers.
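The following is an added example, not code from the report or from Armorblox, showing how the three properties listed above (a historical baseline of senders, identity checks, and language cues) can be combined into a simple triage score. It also covers the spoofed workflows and financial fraud categories described earlier on the page (payroll and vendor fraud, password reset and document notifications). The sender baseline, the cue patterns, the score weights and all four sample messages are constructed for this example; a real system would derive the baseline from mail history and would add authentication results (SPF, DKIM, DMARC), which this example does not model.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Optional

# Constructed baseline (hypothetical): display names and the addresses they
# have historically used, plus the organisation's own domain. A deployment
# would build this from mail history rather than hard-code it.
KNOWN_SENDERS = {
    "Jane Doe": {"jane.doe@example.com"},
    "Acme Billing": {"billing@acme-vendor.example"},
}
INTERNAL_DOMAINS = {"example.com"}
KNOWN_ADDRESSES = set().union(*KNOWN_SENDERS.values())
KNOWN_DOMAINS = {a.rsplit("@", 1)[1] for a in KNOWN_ADDRESSES} | INTERNAL_DOMAINS

# Language cues for workflows the report lists as commonly spoofed (constructed).
WORKFLOW_CUES = {
    "payroll_change": [r"direct deposit", r"payroll"],
    "payment_request": [r"wire (transfer|payment)", r"invoice"],
    "password_reset": [r"reset your password", r"password will expire"],
    "view_document": [r"shared a document", r"review the document"],
    "voicemail": [r"new voicemail", r"voice message"],
}
MONEY_WORKFLOWS = {"payroll_change", "payment_request"}
SENSITIVE_WORKFLOWS = MONEY_WORKFLOWS | {"password_reset"}
URGENCY_CUES = [r"\burgent\b", r"immediately", r"as soon as possible", r"before end of day"]


@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    reply_to: str = ""


@dataclass
class Verdict:
    score: int
    action: str
    workflow: Optional[str]
    reasons: list = field(default_factory=list)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_workflow(text: str) -> Optional[str]:
    """Pick the workflow whose cues occur most often in the text, if any."""
    counts = {wf: sum(len(re.findall(p, text, re.I)) for p in pats)
              for wf, pats in WORKFLOW_CUES.items()}
    best = max(counts, key=counts.get)
    return best if counts[best] > 0 else None


def is_lookalike(domain: str) -> bool:
    """An unseen domain that closely resembles one already in the baseline."""
    if domain in KNOWN_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, k).ratio() >= 0.85 for k in KNOWN_DOMAINS)


def score_message(msg: Message) -> Verdict:
    score, reasons = 0, []
    name, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    from_domain = domain_of(addr)

    # Identity context: a familiar display name arriving from an unseen address.
    if name in KNOWN_SENDERS and addr not in KNOWN_SENDERS[name]:
        score += 3
        reasons.append(f"display name '{name}' from unseen address {addr}")
    if is_lookalike(from_domain):
        score += 2
        reasons.append(f"lookalike domain {from_domain}")

    # Reply-To steering replies elsewhere; worse when From claims to be internal.
    reply_domain = domain_of(parseaddr(msg.reply_to)[1].lower())
    if reply_domain and reply_domain != from_domain:
        score += 3 if from_domain in INTERNAL_DOMAINS else 2
        reasons.append(f"reply-to domain {reply_domain} differs from {from_domain}")

    # Language context: which routine workflow the mail imitates, and urgency.
    text = f"{msg.subject} {msg.body}"
    workflow = classify_workflow(text)
    if workflow:
        score += 2 if workflow in MONEY_WORKFLOWS else 1
        reasons.append(f"resembles '{workflow}' workflow")
    if any(re.search(p, text, re.I) for p in URGENCY_CUES):
        score += 1
        reasons.append("urgency language")

    # History: a sensitive request from an external address never seen before.
    if (workflow in SENSITIVE_WORKFLOWS and addr not in KNOWN_ADDRESSES
            and from_domain not in INTERNAL_DOMAINS):
        score += 2
        reasons.append("first-time external sender making a sensitive request")

    action = "quarantine" if score >= 6 else "review" if score >= 3 else "deliver"
    return Verdict(score, action, workflow, reasons)


# Constructed sample messages: a genuine vendor invoice, a payroll-change request
# with an external Reply-To, a lookalike vendor domain, and a password-expiry lure.
SAMPLES = [
    Message("Acme Billing <billing@acme-vendor.example>", "Invoice 1042 for March",
            "Please find attached invoice 1042 for services rendered in March."),
    Message("Jane Doe <jane.doe@example.com>", "Direct deposit update",
            "I need to update my direct deposit details before payroll runs. "
            "Please handle this as soon as possible.",
            reply_to="jane.doe.ceo@webmail.example"),
    Message("Acme Billing <billing@acme-vend0r.example>", "Updated wire transfer instructions",
            "Our bank account changed; please wire payment to the new account."),
    Message("Mail Support <support@mailhost-alerts.example>", "Your password will expire today",
            "Reset your password immediately to avoid losing mailbox access."),
]


def triage(messages=SAMPLES):
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, triage()):
        print(f"{v.action:10} score={v.score} {m.subject!r}: {'; '.join(v.reasons)}")
```

Note that the second sample is caught even though its From address exactly matches the baseline: no display-name rule fires, and it is the combination of an internal sender with an external Reply-To, payroll language and urgency that lifts it over the quarantine threshold. That is the point the text makes about context versus static rules and exception lists.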

The Armorblox Natural Language Understanding Platform protects over 58,000 organisations against targeted email attacks and sensitive data loss. For more information, visit www.armorblox.com/product
