Email Security Threat Report

Uploaded on 2022-06-22 in TECHNOLOGY--Resilience, FREE TO VIEW

The new State of Email Security Threat Report from Armorblox offers security leaders a deeper understanding of the emerging threats, threat trends that happen over email and highlights some of the significant changes in the threat landscape in the past year. 

The Report also provides a common reference point for defining commonly misused terms around the nature of these attacks and so the industry has a framework for classifying these emerging threats.

Key Insights

  • Language based attacks have become the new normal for business email compromise (BEC). 3 out of 4 (74%) business email compromise attacks used language as the main attack vector.
  • Email-based financial fraud has become very sophisticated. 2 out of 5 (44%) financial fraud attempts happen as wire fraud, invoice fraud, or vendor fraud.
  • Attackers have realised that so many critical business workflows happen over emails, and this has become the primary attack mechanism for credential phishing. 9 out of 10 (87%) credential phishing attacks looked like legitimate common business workflows in order to trick end users to engage with the email.
  • Security teams spend a lot of time configuring rules and exceptions in their native email security solutions to block impersonation emails — both for executives and other employees.
  • Despite all that manual work and rule writing, 3.5 out of 5 (70%) impersonation emails slipped past native email security controls.
  • The rise of SaaS solutions driving business workflows has also created a big surge in brand impersonation of companies in this space. Dropbox, Microsoft, and DocuSign were among the most impersonated brands in 2021.

State of Email Security Threats

During the time that that report was compiled, the latest IC3 report from the FBI was released. Based on reported complaints between June 2016 and December 2021, domestic and international exposed dollar losses due to business email compromise stands at $43.3 billion. Also, the volume of disclosed losses has exponentially increased year after year during this time as well.

This also echoes the challenges that we hear from security teams - that despite increasing security budgets every year, email-based attacks remain the top attack vector within organisations.  We are witnessing a significant shift in the market landscape as well.

The top two legacy email security vendors were both taken private by private equity firms in 2021, representing $1.5 billion in revenue. Several other legacy vendors were acquired and taken out of the market by larger players as well.

These trends also indicate that legacy approaches are not working and too many attacks are slipping through. Why is this? What has changed in how attackers target organisations? Armorblox highlight some of the significant trends:

  • Attackers are moving away from tried and tested approaches from prior decades of using malicious links or attachments in broad based attack campaigns, to targeted attacks where the language in the email is used to compromise a user’s trust. This could manifest itself as fake wire transfer instructions, direct deposit change requests, password reset emails, or other common business workflows that happen over email.
  • Whack-a-mole approaches of manual rule writing to block these newer attack types have remained unsuccessful and have caused repetitive, redundant, manual work for security teams.
  • SOC teams have to comb through large volumes of potential phishing emails that users have reported to see which are legitimate emails and which need to be immediately deleted and removed from user mailboxes.

Moreover, as more security infrastructure moves into the cloud, security teams have become more loath to manually configure and maintain DNS and MX record rules to route emails through inline secure email gateways.

Business Email Compromise

Business Email Compromise (BEC) attacks are notoriously difficult to prevent. Attackers rely on social engineering techniques to persuade people into acting on the attacker’s behalf. As a result, traditional email security solutions that analyse email headers, links, and metadata often miss these attacks.

Armorblox' research suggests that the number of BEC attacks targeting organisations increased by 74% in 2021. These BEC attacks target organisations across sectors and use language, malicious links, and common business workflows as the proxy to compromise employees and steal money, credentials, or sensitive data. 

Researching the most prevalent strategies for BEC attacks identifies the following trends

  •  74% of BEC attacks were language-based
  • 15% of BEC attacks had a malicious payload
  •  4% of BEC attacks related to common business workflows
  • 7% of BEC attacks were unwanted solicitation or graymail

One of the challenges in how BEC is used in the industry is that it represents a broad swathe of attack types. In addition to the socially engineered emails that pose an immediate threat, graymail is emerging as a category that can lead to malicious attacks.

Financial Fraud

Email-based financial fraud attacks attempt to steal money from targeted organisations. The most common categories identified were payment fraud, vendor fraud, and payroll fraud.

  • Payment fraud attacks are email attacks that contain requests for inflated, duplicate, or fake invoices or fake wire transfer requests.
  • Payroll fraud attacks happen when attackers email an organization’s payroll, finance, or human resources department, impersonating a legitimate employee with a request to update direct deposit information for their paychecks.
  • Vendor fraud attacks are the result of compromised third-party accounts, utilising the trusted reputation of the vendor or end clients. These can also happen through vendor domain impersonation plus social engineering tactics in an effort to steal money and sensitive data.

There has been a 73% increase in financial fraud email threats year-over-year from 2021 to 2022.

Financial Fraud Attack Types in 2021

  • Payroll fraud 44%
  • Payment fraud (internal and external) 31%
  • Vendor Fraud 25%

Organisations that communicate with vendors or third-party contacts can find themselves the target of financial fraud through compromised emails with trusted third party senders.

These compromised communications are the result of impersonated vendor domains and emails. The vendor fraud attacks that equate to 25% of financial fraud attacks include the following three attack vectors: vendor domain spoofing, vendor account compromise, and vendor impersonation.

Of the total number of financial fraud attacks seen over 2021, the financial industry was the target of 46% of these attacks. Compared to education and healthcare industries, we see the following breakdown for percent of financial fraud attacks targeting all three industries:

  • Financial 46%
  • Education 34%
  • Healthcare 20%

These verticals also face unique email security challenges - they conduct business with large sets of vendors, facilitate email workflows that deal with money, and store large volumes of customer data.

Phishing Attacks

Phishing is another broad category that combines several common types of attacks. Spear phishing refers to targeted attacks aimed at specific individuals, especially executives.Then there are the non-email phishing attacks - “vishing” that focuses on voicemail messages, “smishing” that tracks SMS based attacks, and even “quishing” that tracks the emerging category of QR code based attacks.

The phishing simulation and awareness industry focuses predominantly on training users to identify these kinds of attacks. Users get sent surprise phishing emails as part of a simulated phishing campaign and those unsuspecting users that click on the fake link get sent to take hours of training videos to get better.

Studies show that despite five consecutive training sessions, 1 out of 7 users still click on the bad link. 

As organisations work to protect their employees against common types of phishing scams, cybercriminals seem to stay one step ahead by adapting their tactics.

Phishing attacks (including smishing and vishing) increased 63% year-over-year from 2021 to 2022. These sophisticated attacks mimic common business workflows, targeting and taking advantage of unsuspecting employees through social engineered payloads.

Most Common Business Workflows Used In  Phishing Attacks In 2021

  • 87% related to common business workflows
  • 7% mimic password reset emails
  • 6% notifications & alerts from applications

Criminals target unsuspecting users with emails that include malicious URLs but look like legitimate common workflows. These phishing email attacks pry on the victims’ longing to participate in email workflows that they have commonly seen before without taking a step back to question authenticity.

Rise in Remote Work-Related Threats

As organisations have shifted the way they work in the midst of the pandemic, cyber criminals have followed suit. With more reliance on email communication while working remotely, several new attack surfaces have opened up for cyber criminals to exploit.

  • Socially engineered, targeted attacks have advanced, presenting a higher likelihood of getting past native security layers that still rely on manually configured rules and exception lists.
  • Stopping targeted attacks requires custom models that understand good and bad patterns of communications in each organization using the content and context inside of email communications.

Most Commonly Spoofed Workflows

With the increase of remote work, attackers are dialing into the patterns of communication and common business-related email workflows employees engage in daily due to remote work, in order to craft targeted emails attacks.

Users Forget How Much Routine Daily Work Is Done By Email.

View Document - These are emails that send us notifications asking us to review a document that someone has shared with us.

Email Notifications - These are notifications from the email provider about the status of our mailbox. Examples - Email has been quarantined, mailbox is full.

Application Notifications - Examples are shipment notifications from Amazon, UPS, USPS. Or account alerts from Amex or other providers.

Password Reset - These are notifications from services that we use that ask us to reset or update our passwords.

Voicemail Notifications - These alert us to go listen to a voicemail or that our inbox is full.

We looked at threats detected between April and November 2021 to identify the most commonly spoofed email-based workflows. Here is what we found.

Business Workflow Based Attacks in 2021

Email-based business workflows are at the heart of how organizations operate today. A lot of the context around determining whether an email is legitimate or not does not reside solely in the headers and metadata any more.

To effectively protect against targeted email attacks, the following characteristics are necessary in any effective email security solution:

  • Ability to look at historical data and identify good and bad patterns of communications.
  • Breadth of models to be able to track threats not just based on user identities and behavioral patterns, but also the language in emails to understand the content and the context of the communications.
  • Customisable models that can be trained to detect attacks in a particular organisation, specifically based on communication patterns in that organization, as opposed to a horizontal approach that tries the same sets of rules and exceptions across all customers.

The Armorblox Natural Language Understanding Platform  protectsover 58,000 organisations against targeted email attacks and sensitive data loss. For more information, visit www.armorblox.com/product

You Might Also Read:

The Frailty Of Email:

 

« REvil Have Returned - Or Have They?
Russia - Unplugged »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

SecPoint

SecPoint

SecPoint provides products to secure & protect your network from remote and local attacks.

Contrast Security

Contrast Security

Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software.

IT Security Guru

IT Security Guru

IT Security Gurus publish daily breaking news. interviews with the key thinkers in IT security, videos and the top 10 stories as picked by our Editor.

Engineering Ingegneria Informatica

Engineering Ingegneria Informatica

Ingegneria Informatica is a leading Italian provider of Information Technology consulting, services and solutions including cyber security.

Sentropi

Sentropi

Sentropi is an online protection solution against charge backs, account takeovers, identity thefts and online scams.

ProtonMail

ProtonMail

ProtonMail is an easy to use secure email service with built-in end-to-end encryption and state of the art security features.

National Cyber Security Authority (NCA) - Saudi Arabia

National Cyber Security Authority (NCA) - Saudi Arabia

The NCA is the government entity in charge of cybersecurity in Saudi Arabia and serves as the national authority on its affairs.

ThreatAware

ThreatAware

Total visibility of your business cybersecurity. Monitoring, management and compliance for your cybersecurity tools, people and processes from one easy to use dashboard.

FirstPoint Mobile Guard

FirstPoint Mobile Guard

FirstPoint Mobile Guard has developed the market’s most advanced solution for securing cellular devices, including mobile phones and IoT products, by blocking malicious data leakage.

Celerium

Celerium

Celerium transforms cyber defense for both companies and industry sectors by leveraging cyber threat intelligence to defend against cyber threats and attacks.

Acumera

Acumera

Acumera is a leader in managed network security, visibility and automation services.

CSIOS Corp.

CSIOS Corp.

At CSIOS we help our customers achieve and sustain information and cyberspace superiority through a full range of defensive and offensive cyberspace operations and cybersecurity consulting services.

PatchAdvisor

PatchAdvisor

PatchAdvisor core services include Vulnerability Assessments/Penetration Testing, Application Vulnerability Assessments, and Incident Response.

Dataminr

Dataminr

Dataminr Pulse helps organizations strengthen business resilience with AI-powered, real-time risk and event discovery—and the integrated tools to manage responses.

Prescott

Prescott

Prescott acts as your guiding light in the preparation for your CMMC assessment and long after by governing your cybersecurity practice.

Blue Bastion

Blue Bastion

Don’t give cybercriminals the chance to find weaknesses in your company’s cyber security system. Defend your institution from all attacks from all directions with Blue Bastion.