Top Email Security Risks Heading into 2021 - How To Set Your Business Up for Safety & Success
- by Brittany Day
Ten months into this unprecedented pandemic, there has been a seismic shift in the way businesses operate. With a large portion of the global workforce now working remotely, businesses’ reliance on cloud email has reached all-time high - and so has the digital risk that users and organizations face online daily. Cloud email has become a favorite target among cyber criminals, who are exploiting frequent misconfigurations, inadequate built-in protection and the inherent uniformity of cloud platforms to steal sensitive data and deliver dangerous malware in sophisticated, evasive attack campaigns.
With the new year approaching, we’ve identified the most dangerous email security trends putting businesses at risk of suffering a cyberattack or a breach heading into 2021:
- The digital attack surface has increased with the proliferation of Office 365 and Google Workspace for business.
- Phishing scams are more sophisticated and evasive than ever.
- Ransomware risk has skyrocketed with the emergence of Ransomware-as-a-Service (RaaS).
- CEO fraud is a growing threat to all employees and executive team members.
- Cybersecurity needs to be to be a top priority in 2021 and beyond, as COVID-related attacks have positioned cyber thieves to distribute dangerous phishing scams exploiting the latest trends.
To help you set your business up for security and success in the new year, let’s take a closer look at the threats you face online daily, and measures you can take to mitigate your digital risk.
The Digital Attack Surface Has Increased with the Widespread Adoption of Cloud Platforms
The sudden shift to a largely remote workforce has led many businesses to migrate their email to the cloud, increasing the digital attack surface significantly. Businesses have far more touch points than ever before - which can provide malicious hackers with easy entry into corporate networks and systems if inadequately secured. It is also common for remote workers to use insecure networks and devices shared with other users, further increasing their company’s digital risk.
Many businesses have migrated to cloud platforms like Office 365 and Google Workspace to fulfill their communication and collaboration needs, but have sacrificed security in doing so by failing to implement supplementary protection . Without critical additional layers of security defenses in place, cloud email users are highly vulnerable to credential phishing, ransomware and other malicious attacks in these platforms.
To fortify cloud email against today’s sophisticated threats like spear phishing and fileless malware, Gartner security experts recommend “a strategic approach to security that layers inbound, outbound and internal detection and remediation”. An effective supplementary cloud email security solution should provide automated multi-layered defenses and continual email analysis, and should offer seamless integration, simplified deployment, advanced intelligence and complete visibility.
- Despite built-in security defenses, 40% of Office 365 customers have experienced credential theft nevertheless.
- About 40% of Office 365 customers plan to supplement their security with a third-party solution by 2023.
Additional Resources: Learn more about the hidden dangers of cloud email and how to safeguard remote workers with critical additional email defenses in this blog post.
Phishing Scams Are A Harder Catch Than Ever
Phishing attacks have dominated the email threat landscape for decades; however, businesses’ increased reliance on cloud email, the widespread deployment of inherently insecure and frequently misconfigured cloud and persistent anxiety surrounding the pandemic have led to a resurgence in this notorious threat. Our EnGarde Cloud Email Security platform has identified and blocked more phishing emails in the first two weeks of December 2020 than in any other two-week period throughout our 21-year history - the majority of which exploit the holiday season, the COVID-19 pandemic, or a combination of the two.
Not only has the number of phishing scams risen exponentially in recent months, but so has the sophistication and specificity of these attack campaigns. Phishers employ advanced social engineering techniques and stealthy fileless and payload-less tactics to craft highly targeted scams designed to evade security defenses and trick even the most security-aware users into sharing credentials and downloading malware.
- Over 90% of all cyber attacks begin with a phishing email.
- There has been a 600% increase in phishing attacks due to COVID-19.
- Users are now three times more likely to click on a malicious link embedded in a phishing email and then disclose their account credentials than they were pre-COVID.
Additional Resources: Get tips for recognizing and protecting against common holiday-themed phishing scams in this blog post.
Ransomware Attacks Have Risen Sharply with the Emergence of RaaS
Ransomware is on the rise, carrying heavy costs for victims including data loss, hefty recovery costs, serious reputation damage and significant, expensive downtime or worse - permanent business closure. The growing potential for threat actors to profit from ransomware attacks is driving rapid innovation in ransomware development. Ransomware-as-a-Service (RaaS) schemes on the dark web - which enable individuals and groups to have a disproportionately large impact relative to their knowledge and skills - are expediting this innovation, and are expected to become increasingly prevalent in 2021.
Mobile ransomware is at the forefront of modern ransomware development. Because mobile phones often lack adequate security defenses and contain valuable information, cyber criminals are devoting more time and resources to mobile ransomware development than ever before and, as a result, this emerging type of ransomware is becoming increasingly prevalent and problematic for businesses.
- A ransomware attack occurred every 14 seconds in 2019.
- Thirty-four percent of all malware attacks on organizations used ransomware.
- SMBs are a disproportionately large target for ransomware attacks, with 60% of these companies going out of business within six months of an attack.
Additional Resources: Learn how to prevent and recover from a ransomware attack in this blog post.
CEO Fraud is a Growing Threat to All Employees and Executive Team Members
CEO fraud, also known as whaling or Business Email Compromise (BEC), is a central component of the modern email threat landscape, with attacks being reported in all 50 states and in 150 countries. This dangerous impersonation scam is not only a concern for C-suite executives - rather, finance, HR and IT employees as well as all members of a company’s executive team are popular targets for CEO fraud attacks given their roles and the access they have to sensitive information and funds.
The FBI has warned multiple times of sophisticated COVID-19 related BEC scams exploiting cloud email services to steal users’ account credentials, and is urging businesses to take immediate action by implementing critical additional layers of protection in Office 365 and Google Workspace.
- Between 2016 and 2019, BEC scams resulted in $26 billion in reported losses for businesses worldwide.
- BEC scams accounted for half of total losses due to cyber crime in 2019.
- The average loss per BEC complaint reported in 2019 was nearly $75,000.
Additional Resources: Learn how CEO fraud works and get advice on how to prevent BEC attacks in this blog post.
Cybersecurity Needs to be a Top Priority in 2021 and Beyond
It is no secret that 2020 has been a challenging year for most companies. In many cases, cybersecurity has been put on the back burner, as organizations scramble to adapt and adjust to accommodate remote workers. However, the reality is that in this heightened digital threat landscape, cybersecurity has never been more important.
The COVID-19 crisis had driven rapid, widespread migration to Office 365 and Google Workspace to meet businesses’ email needs, providing threat actors with the perfect environment to craft timely, convincing email scams that appeal to recipients’ persistent fear and uncertainty surrounding the pandemic. Many of the COVID-related phishing scams that have been identified use language like "masks", "test", "quarantine" and "vaccine", and these malicious emails often contain real company logos, trademarks, copyrights and HTML/CSS. One such scam includes legitimate information about a company's telework policies and others are filled with potentially useful information about COVID-19. Phishing campaigns advertising bogus SBA loan emails, phony COVID-19 tests and fraudulent antibody treatments have also been detected. Attackers are using these scams to gain a foothold on corporate systems by tricking employees and their family members into engaging with and enabling their malicious campaigns.
Guardian Digital has detected a steady uptick in malicious phishing emails that appear to come from trusted government sources such as the White House, the CDC, the World Health Organization and the Department of Health and Human Services as this crisis continues heading into the new year. We’ve also identified an increase in the Ursnif, Emotet and Fareit trojans, which leverage phishing emails referencing the term "COVID-19" to convince users to click on links and download malware.
COVID-themed phishing attacks have become the norm and will continue well into the future. Even after we emerge from this pandemic these new threats will persist, as cyber thieves now have a mechanism in place to distribute phishing attacks exploiting the latest trends. Guardian Digital has also detected creative campaigns related to package delivery, changes to insurance regulations and requirements, industry events and meetings, disaster relief, and other issues that demonstrate methods and tactics similar to those used in notorious COVID-related phishing scams.
- Sixty-two percent of organizations will tighten their 2021 IT budgets due to COVID-19.
- Ninety-three percent of businesses are extremely concerned about security.
- Twenty-two percent of organizations plan to spend more on security in 2021 than in 2020.
The scale and impact of cyberattacks on our society has been a dominant theme of 2020. Effectively securing users and data in this era of heightened digital risk demands a defense-in-depth approach to security and expert, managed services. Signature-based antivirus software and endpoint security solutions alone are insufficient in combating today’s advanced exploits like spear phishing, CEO fraud and fileless malware, which are crafted specifically to evade these methods of detection.
Now more than ever, businesses cannot afford to leave their email accounts inadequately protected. It is critical to keep in mind that the cost of a successful cyber attack or data breach could be a shut-down or worse - permanent closure.
Secure your business for the future now by partnering with an industry leader to safeguard your users, your data and your brand.
- Effectively Securing Business Email Accounts: Are Employees the Weakest Link?
- Encryption: An Essential Yet Highly Controversial Component of Digital Security
- Business Email Security Redefined: Key Benefits of Securing Your Business Email with Guardian Digital
- 8 Business Email Security Best Practices
- Demystifying Email Encryption: Stop Sender Fraud
- Demystifying Phishing Attacks: How to Protect Yourself Now
- Demystifying Tax Fraud: How to Avoid Falling Victim to Deceptive, Costly Scams This Tax Season
- Coronavirus Phishing Scams are On the Rise - Is Your Business Email at Risk of Infection?
- Dave Wreski: Founder of Guardian Digital – Open Source Cloud Email Security
- New Ransomware Warnings: Is Your Business Safe from This Silent Threat?
- FBI: Existing Cloud Email Protection Inadequate Against Phishing, Ransomware
- Email Risk is Universal: Securing Business Email in Every Industry Sector
- How To Safely Navigate Office 365 While Working Remotely
- Tips and Advice for Staying Safe Online During COVID-19
- Why Your Business Needs Better Email Security
- Defending Against COVID Email Spoofing Attacks with DMARC
- You’ve Got Mail: How To Tell If It’s Fraud
- Open-Source Security Is Opening Eyes
- Think Like A Criminal: How To Write A Phishing Email
- The Four Biggest Email Threats Your Business Faces Today
- Everything On DocuSign Phishing Attacks in 3 Minutes
- Understanding Payload-Less Email Attacks in Under 3 Minutes
- Demystifying Fileless Malware in Less than 3 Minutes
- How to Protect Sensitive Data & Maintain Client Trust in Financial Services Industry
- Exchange Servers Are Vulnerable - Learn How To Secure Your Email Server Now
- Apache SpamAssassin Leads A Growing List of Open-Source Projects Taking Steps to Correct Instances of Racism and White Privilege
- Cyber Risk Is Greater than Ever in the Legal Industry
- Understanding Malicious URL Protection - And Why You Need It to Secure Your Email
- Email Security for SMBs Beyond COVID-19
- Email Risk Is BIG for SMBs - How To Protect Your Business Now
- Email Threats By The Numbers: How Big Is My Risk?
- The Modern Email Threat Landscape: Where Traditional Defenses Fall Short
- Why Email Security Is More Important Than Ever in This 'New Reality'
- The Threat of CEO Fraud Extends Beyond the C-Suite
- Top Email Security Trends Putting Your Business at Risk of Attack
- Think Like A Criminal: What You Need to Know About Social Engineering Attacks in 2020
- Managed Services: A Key Element of Effective Email Security that Even Modern Solutions Lack
- How To Secure Your Remote Workforce: Advice from Leading Security Experts
- FBI: The 2020 Presidential Election Is Under Attack by Email Scammers
- AT&T Security Researchers Identify a Correlation between Strong Cybersecurity and Business Success
- The Aftermath of a Cyberattack Pt. 1: Phishing Recovery Basics
- It Pays to be Prepared! Ransomware Preparedness & Recovery Basics
- Breaking Down Fileless Malware: Anatomy of an Attack
- Office 365 Email Is Vulnerable to Attack Without These Critical Supplementary Defenses in Place
- Keep the Holidays Merry & Bright - Beware of These Sneaky Seasonal Phishing Scams
- Migrating Business Email: The Hidden Complexities You Need To Know
- How Do SPF, DMARC & DKIM Secure Email Against Sender Fraud?
- Top Email Security Risks Heading into 2021 - How To Set Your Business Up for Safety & Success
- Your Current Approach to Email Security May Not Be Enough
- Ways to Prevent Email Account being compromised in a Breach
- Celebrating 20 Years of Revolutionizing Digital Security
- IBM Closes its $34 Billion Acquisition of Red Hat
- Interview with Security Expert and Author Ira Winkler
- What is Phishing Email? How to prevent Phishing email scams?
- Ways Our Business Email Exceed Your Expectations
- Spear Phishing Protection - Definition & How To Recognize Spear Phishing Email
- What is Whaling (Whaling Phishing)? & How to Prevent Whaling attacks?
- Ransomware Attack Explained - Best Practices For Ransomware Protection
- Business Email Compromise (BEC) - Definition & Prevention From BEC Attacks
- Wire Transfer Scams Involving Real Estate Transactions: How to Prevent Fraud with Effective Email Security
- Guardian Digital and Mautic: A Dynamic Open-Source Duo
- Email Malware - How to Recognize & Prevent Malware Email Attack
- An Open-Source Success Story: Apache SpamAssassin Celebrates 18 Years of Effectively Combating Spam Email
- What is Spam Email - Types & How to Prevent Spam Emails?
- Email Virus - Complete Guide to Email Viruses Plus Best Practices
- What Is A Zero-Day Attack & How To Prevent Zero Day Exploit?
- 2020: A New Decade of Digital Threats - Is Your Business Email Secure?
- Linux: An OS Capable of Effectively Meeting the US Government’s Security Needs Heading into 2020
- Complete Guide on Email Security & Threats Faced by Organizations
- Guardian Digital Keeps its Customers Protected from Intel Design Flaw
- Security Spotlight: Open Source Email Security Solutions
- Top Six Advantages of Open Source Development/Products
- Python and Bash - Contenders for the most used scripting language
- Guardian Digital Outlines Top 4 Benefits of Choosing Cloud
- Unrivaled Protection Against Today’s Most Dangerous Threats
- Guard Your Email Accounts Against Today’s Most Dangerous Threats
- Security Highlights from Defcon 26
- Linux / Open Source FAQs: Common Myths / Misconceptions
- Email Security FAQs Answered by Guardian Digital
- Guardian Digital Mail Systems: Designed to be Secure Without Fail