What do all businesses and almost all private individuals have in common? Email. There is a range of messaging apps in use: WhatsApp is very popular, but people also use Messenger, traditional SMS, WeChat, Snapchat and other chat platforms. Businesses use multiple platforms for chat, video conferencing, document sharing and workflow management, e.g., Trello, Slack, Box, MS Teams, SharePoint, etc. For both personal and business use, there is no one single application used universally…except email. Everyone uses email, even though it is quite old technology, compared to some of the alternatives.
As a result, email is the premier attack vector for cybercriminals. Email is so pervasive, and email addresses so easy to obtain, that 60% of organisations think they will suffer from a cyberattack via email in the coming year. What is the state of email threats and email security? In this article, we’ll look at the widespread use of email to penetrate your security; and in the next one, we’ll show you how you can protect your network and your organisation.
How big is the problem?
Mimecast, a cybersecurity firm specialising in email security, commissioned a survey of 1,025 IT decision-makers in representative countries around the world (US, UK, Germany, Netherlands, Australia, South Africa, United Arab Emirates, and Saudi Arabia) to understand the current state of email security. The research took place in February and March this year, just before COVID-19 struck. The study revealed that 58% of respondents believe phishing attacks are on the increase; 51% have been affected by ransomware in the past year; 82% have experienced downtime from an attack, and 85% expect to experience the same or greater volume of web and email spoofing in the next year.
These are daunting statistics. We wrote recently about the various types of cyber threats businesses are exposed to on a regular basis. Although we listed phishing as a threat, it is more accurate to describe email as a vehicle for attacks rather than a specific cyberthreat itself. The damage perpetrated via email could be the installation of ransomware or other malware, or it could be the collection of sensitive data that might be used to compromise your reputation. Phishing by definition is a type of cybercrime where victims are contacted by email (also by phone or SMS, but email is the most common) and persuaded to reveal financially sensitive information, such as credit card details. The target individuals comply because the spoof email looks like it comes from a legitimate source, often a bank. While many phishing attacks are still designed to collect credentials, the term also refers to the use of email to introduce malware into a system.
Tactics
Although phishing has been around since 1996, and most email users are familiar with the 419 scams and other crude and self-evident efforts to defraud, cybercriminals are becoming more and more sophisticated, and spoof emails and websites more and more credible. As a result, conscientious and upstanding individuals who would never knowingly visit unsavoury websites are being tricked into opening attachments or links in suspicious emails.
Email spoofing
Your employees may be knowledgeable about the risks of phishing. They may be cautious when they receive an email from an unknown individual in an unknown organisation. But what if the email comes from a co-worker? Or from you? The cyber villain sends emails that look trustworthy. The sender may be a customer or supplier company, or it could be a friend, colleague, or line manager. The attacker banks on the fact that most employees won’t question an email from a superior or a regular contact. The recipient opens the email and unhesitatingly opens the attachment (or clicks on the link). PDFs are often used maliciously, as they can carry embedded code that runs when the file is opened. Bam! The attacker is in your system. This is known as spoofing, or, more formally, impersonation.
Website spoofing
Website spoofing is closely linked to email spoofing. The link your employee visits in the spoofed email they have received takes them through to an impersonated website, one that looks nearly identical to the real thing. Imagine the email is to your procurement department, from a supplier. An invoice is attached, with payment details, or with a link to make payment online (this is becoming increasingly common). Your diligent procurement manager makes prompt payment – to the fraudster. Meanwhile, your supplier is still waiting to be paid. This very scenario took place not long ago at a large educational institution.
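The two tactics above, sender impersonation and look-alike payment links, leave signals in the message itself that a mail gateway or a phishing-report triage script can check mechanically. The following Python script is an added example for this article, not code from the original, and it runs against a constructed sample "supplier invoice" message. The organisation domain example.com, the supplier domain acme-supplies.com, and the finding codes are all assumptions.

```python
"""Added example (not from the article): flag spoofing signals in a raw email.

Checks, on constructed input:
  * sender domain that is a look-alike of a trusted domain,
  * Reply-To pointing at a different domain than From,
  * link text that shows one host while the href goes to another,
  * href host that is a look-alike of a trusted domain.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.com"                              # assumed: our own domain
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.com"}     # assumed: known supplier

# Constructed sample: the sender and the payment link use "suppIies" (capital I).
SAMPLE_RAW = """\
From: "Acme Supplies Accounts" <accounts@acme-suppIies.com>
Reply-To: payments@mail-acme-invoices.net
To: procurement@example.com
Subject: Invoice 4471 - payment due
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please settle the attached invoice via our portal:</p>
<p><a href="http://acme-suppIies.com/pay">https://acme-supplies.com/invoices</a></p>
</body></html>
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero value between domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse(raw: str):
    """Return a list of (code, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"]))
    from_dom = domain_of(from_addr)
    if (imitated := lookalike_of(from_dom)):
        findings.append(("lookalike-sender", f"{from_dom} resembles {imitated}"))
    if msg["Reply-To"]:
        reply_dom = domain_of(parseaddr(str(msg["Reply-To"]))[1])
        if reply_dom != from_dom:
            findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            text_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
            if text_host and text_host != href_host:
                findings.append(("link-text-mismatch", f"text shows {text_host}, href goes to {href_host}"))
            if (imitated := lookalike_of(href_host)):
                findings.append(("lookalike-link", f"{href_host} resembles {imitated}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_RAW):
        print(f"[{code}] {detail}")
```

The edit-distance test is deliberately crude: it catches the "suppIies"-for-"supplies" substitution in the sample but will miss homoglyphs from other scripts and can misfire on short, legitimately similar domains, so in practice it belongs alongside the gateway's SPF, DKIM and DMARC results rather than in place of them.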
Spear-phishing
Spear-phishing is just what its name suggests…the cyber equivalent of real spear-fishing. It is a carefully targeted attack, rather than a broadcast approach. Spear-phishing has a specific individual or organisation in its sights. It is a thoroughly researched strike. Spear-phishing often aims to steal data for malicious purposes, but can also be used to install malware on the target’s computer.
Spear-phishing will always appear to come from a trustworthy source and lead the recipient to a bogus website. Spear-phishers are much more clever than first-generation phishers. They have been known to use highly emotive tactics, including posing as the National Center for Missing and Exploited Children in the US.
What’s so special about email?
If email is so risky, why do we still use it? The main reason is its interoperability. To chat on WhatsApp, both parties need to have the app installed on their phones. To share a document via Box, both need a Box account. To manage the workflow on Trello, all parties have to use Trello. But someone using Gmail can send an email to someone using Outlook, who can forward it to someone using ProtonMail, and so on and so forth. Any email address can communicate with any other email address (this wasn’t always the case!). And while it is not the perfect medium for document sharing, often throwing up its hands at overly large file sizes (and then you have to resort to Box, Google Drive, OneDrive, wetransfer.com, etc.), it is still the most expedient way to send a document, whether to a colleague at the next desk or to a customer on another continent.
It’s true that other modes of communication have traction among young people. Only 6% of teenagers exchange email daily. When today’s teens are in the prime of their careers, email may seem as antiquated as the fax machine seems to us. But for the time being, although email is no longer the default communications medium of choice for consumers, due to the rise of social media platforms, it is still the basis of how companies do business.
The vulnerability of human error
Email itself is safe. “What?” you cry, after the stats quoted earlier. Yes, opening an email does not expose you to risk. This was not always so, but it is now. Once upon a time, Microsoft Outlook had security issues. An Outlook loophole allowed emails to run JavaScript code and infect a recipient’s computer, making it dangerous to open an email. But this was soon fixed. Email clients no longer execute JavaScript in messages, and many don’t automatically display images. Provided your organisation’s software is up to date, including your email client, browser and operating system, email messages in themselves don’t expose you to risk.
Email poses a threat because of its popularity as a vehicle for sending attachments and hyperlinks. It is a risk because emails are transmitted between humans, and human behaviour cannot be controlled. The attachments and links contained in emails are vectors, and human error plays a role in half of the world’s data breaches. But we shouldn’t be too quick to blame our employees for being careless or unobservant. Cybercriminals are simply very smart, and in the case of spear-phishing, the threat actor may have spent a lot of time researching your organisation, so they will be sure to appear entirely credible.
Cybersecurity awareness training
Regular, consistent, cybersecurity awareness training should be a critical component of your IT security strategy. It is not enough to include phishing training in new employees’ induction or post reminders on the intranet every six months. Experts believe the gold standard is monthly training because attackers are constantly evolving their tactics and techniques. A first-rate awareness programme should include frequent test emails (known as phishing simulation), to help staff gain confidence in recognising bogus emails.
Endpoint security
You can’t control your employees; you can only educate them. But you can control your endpoint security. This is the practice of securing the entry points into your network (end-user devices such as desktops, laptops and mobile devices) against exploitation by hackers. Endpoint security has its roots in antivirus software but now provides much more sophisticated protection from malware and other threats.
Stay tuned
In our next article, we’ll tell you how you can create a robust cybersecurity awareness training programme for your staff, including simulation emails. You’ll never eliminate the risk of human error, but with the right training, you can significantly reduce it.