FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- by Brittany Day
For the second time within a month, the FBI is warning of sophisticated COVID-19 related business email compromise (BEC) scams exploiting cloud email services to steal users’ account credentials, and is urging businesses to take immediate action by implementing critical additional layers of protection in Office 365 and G-Suite.
More organizations than ever are migrating to cloud-based email - especially with many employees being asked to work from home in the midst of the current pandemic - and threat actors are keeping pace, directing more attacks at Microsoft Office 365 and G-Suite users than ever before. Guardian Digital has identified and blocked more malicious emails targeting Office 365 users in March of 2020 than in any other month since the company’s inception in 1999.
Although the threat that BEC and credential theft pose in Office 365 and G Suite has been heightened by the recent COVID-19 outbreak, attacks targeting cloud email are nothing new. Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses due to BEC scams targeting Microsoft Office 365 and Google G-Suite. Both the prevalence and the success of these attacks can be attributed to the fact that, without additional layers of security, these cloud platforms are inherently vulnerable - making them a highly attractive target for cyber criminals. According to the FBI, “Thirty percent of phishing attacks make it through existing systems and are opened by target users.” Clearly, the security features that constitute Microsoft Exchange Online Protection (EOP) - the default protection in Office 365 - are glaringly inadequate, leaving users susceptible to credential theft, account takeovers and other advanced exploits. Is insufficient cloud email protection leaving your users - and your business - in danger?
How BEC Scams Targeting Cloud Email Services Work
To abuse cloud email services, threat actors use email service-aware phish kits that closely imitate the services' interface. The phish kits are designed to deceive employees into handing over account credentials. Targets are directed to these phish kits via large-scale phishing campaigns.
Once employees’ credentials are in the hands of attackers, they are able to analyze the compromised accounts for financial transactions. The FBI elaborates, “Using the information gathered from compromised accounts, cybercriminals impersonate email communications between compromised businesses and third parties, such as vendors or customers. The scammers will then impersonate employees or business partners, with the end goal of redirecting payments to bank accounts they control.” Thieves will also use compromised information to launch additional phishing attacks and compromise other businesses, enabling them to easily target other organizations within the same or similar industry sectors.
Email Risk is Magnified for Small Businesses
Guardian Digital has noticed that these dangerous BEC attacks designed to exploit the COVID-19 pandemic are targeting businesses of all sizes in all industry sectors, with a disproportionate amount of exploits victimizing small businesses. This trend is consistent with the FBI’s findings: “Although Google G Suite, Microsoft Office 365, and other popular cloud-based email services come with built-in security features that could help block BEC attempts, many of these features aren't enabled by default and have to be manually configured or toggled on by IT admins and security teams. Because of this, small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams.” Thus, additional protection for cloud email is especially critical for small businesses. Guardian Digital CEO Dave Wreski explains, “It is crucial that small companies with limited resources and funding to put toward security implement a fully-managed email security solution designed to fortify cloud email with the additional layers of security necessary to combat today’s sophisticated attacks. Guardian Digital EnGarde Cloud Email Security makes enterprise-grade email protection available to small- and medium-sized businesses at affordable prices, eliminating the need for a full-time IT department or mail administrator.”
Best Practices for Mitigating BEC Risk in Office 365 and G Suite
In addition to implementing a solution that provides the critical additional layers of security that are necessary to defend against attacks exploiting cloud email, the FBI urges users to engage in the following best practices to prevent BEC attacks:
- Enable multi-factor authentication for all email accounts.
- Verify all payment changes and transactions in-person or via a known telephone number.
- Educate employees about BEC scams, including preventative strategies such as how to identify phishing emails and how to respond to suspected compromises.
The FBI suggests that IT administrators take the following measures to mitigate BEC risk:
- Prohibit automatic forwarding of email to external addresses.
- Add an email banner to messages coming from outside your organization.
- Prohibit legacy email protocols such as POP, IMAP, and SMTP that can be used to circumvent multi-factor authentication.
- Ensure mailbox logon and settings changes are logged and retained for at least 90 days.
- Enable alerts for suspicious activity such as foreign logins.
- Enable security features that block malicious email such as anti-phishing and anti-spoofing policies.
- Configure Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC) to prevent spoofing and to validate email.
- Disable legacy account authentication.
Defense-in-Depth: The Key to Protecting Office 365 and G Suite Users
Defense-in-depth is essential to safeguarding users in Office 365, G Suite and other cloud platforms. The default security provided within these platforms is no match for today’s advanced exploits, and organizations cannot rely on administrators to configure their email service to be 100 percent secure. Multiple layers of additional protection working harmoniously to detect and stop threats to cloud email in real time are most effective in protecting users in these platforms.
The need for effective, multi-layered cloud email protection has never been greater. Guardian Digital recognizes the importance of fortifying cloud email with additional layers of real-time protection and offers clients comprehensive, fully-managed email vigilance in Office 365 and G Suite, providing companies with the invaluable peace of mind that their employees are safe in this dangerous, frightening time.
Key benefits of choosing Guardian Digital to secure your cloud email include:
- Multi-layered, real-time defense against social engineering and impersonation attacks
- Tighter security, adaptive implementation and eliminated risk of vendor lock-in through the use of a transparent, collaborative development approach
- Scalable cloud-based system simplifies deployment and increases availability
- Expert, caring around-the-clock customer support services and remote system monitoring
Download Guardian Digital’s free Office 365 protection guide to learn more about the inherent vulnerability of cloud email services and how EnGarde Cloud Email Security safeguards users in Office 365.