Top Email Security Risks in 2021 - How To Set Your Business Up for Safety & Success
- by Brittany Day
With a large portion of the global workforce now working remotely due to the pandemic, businesses’ reliance on cloud email has reached all-time high - and so has the digital risk that users and organizations face online daily. Cloud email has become a favorite target among cyber criminals, who are exploiting frequent misconfigurations, inadequate built-in protection and the inherent uniformity of cloud platforms to steal sensitive data and deliver dangerous malware in sophisticated, evasive attack campaigns.
We’ve identified the most dangerous email security trends putting businesses at risk of suffering a cyberattack or a breach in 2021:
- The digital attack surface has increased with the proliferation of Office 365 and Google Workspace for business.
- Phishing scams are more sophisticated and evasive than ever.
- Ransomware risk has skyrocketed with the emergence of Ransomware-as-a-Service (RaaS).
- CEO fraud is a growing threat to all employees and executive team members.
- Cybersecurity needs to be to be a top priority in 2021 and beyond, as COVID-related attacks have positioned cyber thieves to distribute dangerous phishing scams exploiting the latest trends.
To help you set your business up for security and success, let’s take a closer look at the threats you face online daily, and measures you can take to mitigate your digital risk.
The Digital Attack Surface Has Increased with the Widespread Adoption of Cloud Platforms
The sudden shift to a largely remote workforce has led many businesses to migrate their email to the cloud, increasing the digital attack surface significantly. Businesses have far more touch points than ever before - which can provide malicious hackers with easy entry into corporate networks and systems if inadequately secured. It is also common for remote workers to use insecure networks and devices shared with other users, further increasing their company’s digital risk.
Many businesses have migrated to cloud platforms like Office 365 and Google Workspace to fulfill their communication and collaboration needs, but have sacrificed security in doing so by failing to implement supplementary protection . Without critical additional layers of security defenses in place, cloud email users are highly vulnerable to credential phishing, ransomware and other malicious attacks in these platforms.
To fortify cloud email against today’s sophisticated threats like spear phishing and fileless malware, Gartner security experts recommend “a strategic approach to security that layers inbound, outbound and internal detection and remediation”. An effective supplementary cloud email security solution should provide automated multi-layered defenses and continual email analysis, and should offer seamless integration, simplified deployment, advanced intelligence and complete visibility.
- Despite built-in security defenses, 40% of Office 365 customers have experienced credential theft nevertheless.
- About 40% of Office 365 customers plan to supplement their security with a third-party solution by 2023.
Additional Resources: Learn more about the hidden dangers of cloud email and how to safeguard remote workers with critical additional email defenses in this blog post.
Phishing Scams Are A Harder Catch Than Ever
Phishing attacks have dominated the email threat landscape for decades; however, businesses’ increased reliance on cloud email, the widespread deployment of inherently insecure and frequently misconfigured cloud and persistent anxiety surrounding the pandemic have led to a resurgence in this notorious threat. Our EnGarde Cloud Email Security platform has identified and blocked more phishing emails in 2020 than in any other year throughout our 21-year history - the majority of which exploit the pandemic.
Not only has the number of phishing scams risen exponentially in recent months, but so has the sophistication and specificity of these attack campaigns. Phishers employ advanced social engineering techniques and stealthy fileless and payload-less tactics to craft highly targeted scams designed to evade security defenses and trick even the most security-aware users into sharing credentials and downloading malware.
- Over 90% of all cyber attacks begin with a phishing email.
- There has been a 600% increase in phishing attacks due to COVID-19.
- Users are now three times more likely to click on a malicious link embedded in a phishing email and then disclose their account credentials than they were pre-COVID.
Additional Resources: Get tips for recognizing and protecting against common holiday-themed phishing scams in this blog post.
Ransomware Attacks Have Risen Sharply with the Emergence of RaaS
Ransomware is on the rise, carrying heavy costs for victims including data loss, hefty recovery costs, serious reputation damage and significant, expensive downtime or worse - permanent business closure. The growing potential for threat actors to profit from ransomware attacks is driving rapid innovation in ransomware development. Ransomware-as-a-Service (RaaS) schemes on the dark web - which enable individuals and groups to have a disproportionately large impact relative to their knowledge and skills - are expediting this innovation, and are expected to become increasingly prevalent in 2021.
Mobile ransomware is at the forefront of modern ransomware development. Because mobile phones often lack adequate security defenses and contain valuable information, cyber criminals are devoting more time and resources to mobile ransomware development than ever before and, as a result, this emerging type of ransomware is becoming increasingly prevalent and problematic for businesses.
- A ransomware attack occurred every 14 seconds in 2019.
- Thirty-four percent of all malware attacks on organizations used ransomware.
- SMBs are a disproportionately large target for ransomware attacks, with 60% of these companies going out of business within six months of an attack.
Additional Resources: Learn how to prevent and recover from a ransomware attack in this blog post.
CEO Fraud is a Growing Threat to All Employees and Executive Team Members
CEO fraud, also known as whaling or Business Email Compromise (BEC), is a central component of the modern email threat landscape, with attacks being reported in all 50 states and in 150 countries. This dangerous impersonation scam is not only a concern for C-suite executives - rather, finance, HR and IT employees as well as all members of a company’s executive team are popular targets for CEO fraud attacks given their roles and the access they have to sensitive information and funds.
The FBI has warned multiple times of sophisticated COVID-19 related BEC scams exploiting cloud email services to steal users’ account credentials, and is urging businesses to take immediate action by implementing critical additional layers of protection in Office 365 and Google Workspace.
- Between 2016 and 2019, BEC scams resulted in $26 billion in reported losses for businesses worldwide.
- BEC scams accounted for half of total losses due to cyber crime in 2019.
- The average loss per BEC complaint reported in 2019 was nearly $75,000.
Additional Resources: Learn how CEO fraud works and get advice on how to prevent BEC attacks in this blog post.
Cybersecurity Needs to be a Top Priority in 2021 and Beyond
It is no secret that 2020 was a challenging year for most companies. In many cases, cybersecurity has been put on the back burner, as organizations scramble to adapt and adjust to accommodate remote workers. However, the reality is that in this heightened digital threat landscape, cybersecurity has never been more important.
The COVID-19 crisis had driven rapid, widespread migration to Office 365 and Google Workspace to meet businesses’ email needs, providing threat actors with the perfect environment to craft timely, convincing email scams that appeal to recipients’ persistent fear and uncertainty surrounding the pandemic. Many of the COVID-related phishing scams that have been identified use language like "test" or "vaccine", and these malicious emails often contain real company logos, trademarks, copyrights and HTML/CSS. One such scam includes legitimate information about a company's telework policies and others are filled with potentially useful information about COVID-19. Phishing campaigns advertising bogus SBA loan emails, phony COVID-19 tests and fraudulent antibody treatments have also been detected. Attackers are using these scams to gain a foothold on corporate systems by tricking employees and their family members into engaging with and enabling their malicious campaigns.
Guardian Digital has detected a steady uptick in malicious phishing emails that appear to come from trusted government sources such as the White House, the CDC, the World Health Organization and the Department of Health and Human Services as this crisis continues heading into the new year. We’ve also identified an increase in the Ursnif, Emotet and Fareit trojans, which leverage phishing emails referencing the term "COVID-19" to convince users to click on links and download malware.
COVID-themed phishing attacks have become the norm and will continue well into the future. Even after we emerge from this pandemic these new threats will persist, as cyber thieves now have a mechanism in place to distribute phishing attacks exploiting the latest trends. Guardian Digital has also detected creative campaigns related to package delivery, changes to insurance regulations and requirements, industry events and meetings, disaster relief, and other issues that demonstrate methods and tactics similar to those used in notorious COVID-related phishing scams.
- Sixty-two percent of organizations will tighten their 2021 IT budgets due to COVID-19.
- Ninety-three percent of businesses are extremely concerned about security.
- Twenty-two percent of organizations plan to spend more on security in 2021 than in 2020.
The scale and impact of cyberattacks on our society was a dominant theme of 2020. Effectively securing users and data in this era of heightened digital risk demands a defense-in-depth approach to security and expert, managed services. Signature-based antivirus software and endpoint security solutions alone are insufficient in combating today’s advanced exploits like spear phishing, CEO fraud and fileless malware, which are crafted specifically to evade these methods of detection.
Now more than ever, businesses cannot afford to leave their email accounts inadequately protected. It is critical to keep in mind that the cost of a successful cyber attack or data breach could be a shut-down or worse - permanent closure.
Secure your business for the future now by partnering with an industry leader to safeguard your users, your data and your brand.
- Thinking Strategically about Email Security in 2021 and Beyond
- There’s a Lot to be Gained with Effective Email Security
- Behind the Shield: EnGarde Cloud Email Security Explained
- Open Source: A Powerful, Yet Underutilized Weapon against Phishing & Zero-Day Attacks
- Buyer's Guide: What to Prioritize in an Email Security Solution
- Buyer's Guide to Office 365 & Workspace Email Security
- EnGarde Cloud Email Security: The Logical Solution to Cyber Risk in Office 365
- Exchange Servers Are Vulnerable - Learn How To Secure Your Email Server Now
- Top Email Security Risks in 2021 - How To Set Your Business Up for Safety & Success
- Ransomware By The Numbers: How Big Is My Risk?
- SMB Ransomware Warnings & How To Prevent an Attack
- Apache SpamAssassin 3.4.6 Release Fixes Two Potentially Aggravating Bugs
- Top Tips and Advice for Staying Safe Online in a Work-from-Home World
- Demystifying Phishing Attacks: How to Protect Yourself Now
- Why Your Business Needs Better Email Security
- Why Ransomware is a Threat to Business
- How to Protect Sensitive Data & Maintain Client Trust in Financial Services Industry
- Why Office 365 Users Are Moving Away from Relying on Default Email Protection Alone
- What You Need to Know to Shield Your Business from Ransomware
- Why You Need DMARC to Secure Email against Spoofing Attacks & Sender Fraud
- Biden's Cybersecurity Efforts Highlight the Power of this Key Technology
- Shortcomings of Endpoint Security in Securing Business Email
- Open Source Utilization in Email Security Demystified
- Limitations of Microsoft 365 Email Security & How To Close These Dangerous Gaps
- DMARC Quarantine vs. Reject: Which Should You Implement to Secure Business Email against Sender Fraud?
- Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2021
- TLS Email Encryption Explained - How To Encrypt Email with TLS
- Effectively Securing Business Email Accounts: Are Employees the Weakest Link?
- Encryption: An Essential Yet Highly Controversial Component of Digital Security
- Business Email Security Redefined: Key Benefits of Securing Your Business Email with Guardian Digital
- 8 Business Email Security Best Practices
- Demystifying Email Encryption: Stop Sender Fraud
- Demystifying Tax Fraud: How to Avoid Falling Victim to Deceptive, Costly Scams This Tax Season
- Coronavirus Phishing Scams are On the Rise - Is Your Business Email at Risk of Infection?
- Dave Wreski: A Passionate Engineer Brings the Power of Open Source to Business Email Security
- FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- Email Risk is Universal: Securing Business Email in Every Industry Sector
- The Remote Worker's Guide to Safely Navigating Office 365
- Why Your Business Needs Superior Email Protection
- Defending Against COVID Email Spoofing Attacks with DMARC
- You’ve Got Mail: How To Tell If It’s Fraud
- Open-Source Security Is Opening Eyes
- Think Like A Criminal: How To Write A Phishing Email
- The Four Biggest Email Threats Your Business Faces Today
- Everything On DocuSign Phishing Attacks in 3 Minutes
- Understanding Payload-Less Email Attacks in Under 3 Minutes
- Demystifying Fileless Malware in Less than 3 Minutes
- Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- Cyber Risk Is Greater than Ever in the Legal Industry
- Understanding Malicious URL Protection - And Why You Need It to Secure Your Email
- Email Security for SMBs Beyond COVID-19
- Email Risk Is BIG for SMBs - How To Protect Your Business Now
- Why Email Security Is More Important Than Ever in This 'New Reality'
- The Threat of CEO Fraud Extends Beyond the C-Suite
- Top Email Security Trends Putting Your Business at Risk of Attack
- Managed Services: A Key Element of Effective Email Security that Even Modern Solutions Lack
- How to maintain security when employees work remotely: Advice from Leading Security Experts
- FBI: The 2020 Presidential Election Is Under Attack by Email Scammers
- AT&T Security Researchers Identify a Correlation between Strong Cybersecurity and Business Success
- The Aftermath of a Cyberattack Pt. 1: Phishing Recovery Basics
- It Pays to be Prepared! Ransomware Preparedness & Recovery Basics
- Breaking Down Fileless Malware: Anatomy of an Attack
- Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- Migrating Business Email: The Hidden Complexities You Need To Know
- SPF, DKIM & DMARC: Definition & How They Secure Email Against Sender Fraud?
- Your Current Approach to Email Security May Not Be Enough
- Ways to Prevent Email Account being compromised in a Breach
- Celebrating 20 Years of Revolutionizing Digital Security
- IBM Closes its $34 Billion Acquisition of Red Hat
- Interview with Security Expert and Author Ira Winkler
- What is Phishing Email? How to prevent Phishing email scams?
- Ways Our Business Email Exceed Your Expectations
- Spear Phishing Protection - Definition & How To Recognize Spear Phishing Email
- What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- Business Email Compromise (BEC) - Definition & Prevention From BEC Attacks
- Wire Transfer Scams Involving Real Estate Transactions: How to Prevent Fraud with Effective Email Security
- Guardian Digital and Mautic: A Dynamic Open-Source Duo
- Email Malware - How to Recognize & Prevent Malware Email Attack
- An Open-Source Success Story: Apache SpamAssassin Celebrates 18 Years of Effectively Combating Spam Email
- What is Spam Email - Types & How to Prevent Spam Emails?
- 2020: A New Decade of Digital Threats - Is Your Business Email Secure?
- Linux: An OS Capable of Effectively Meeting the US Government’s Security Needs Heading into 2020
- Complete Guide on Email Security & Threats Faced by Organizations
- Email Virus - Complete Guide to Email Viruses Plus Best Practices
- What Are Zero-Day Attacks & How Can I Prevent Them?
- Guardian Digital Keeps its Customers Protected from Intel Design Flaw
- Security Spotlight: Open Source Email Security Solutions
- Top Six Advantages of Open Source Development/Products
- Python and Bash - Contenders for the most used scripting language
- Guardian Digital Outlines Top 4 Benefits of Choosing Cloud
- Unrivaled Protection Against Today’s Most Dangerous Threats
- Guard Your Email Accounts Against Today’s Most Dangerous Threats
- Security Highlights from Defcon 26
- Linux / Open Source FAQs: Common Myths / Misconceptions
- Email Security FAQs Answered by Guardian Digital
- Guardian Digital Mail Systems: Designed to be Secure Without Fail