Top Email Security Trends Putting Your Business at Risk of Attack
- by Brittany Day
Six months into this unprecedented pandemic, there has been a seismic shift in the way businesses operate. With a large portion of the global workforce now working remotely, email use for business communications is at an all-time high - and so is the digital risk that users and organizations face online daily.
Email is the preferred method for sharing sensitive data and a key communication channel that businesses cannot afford to lose access to for any period of time. Threat actors are exploiting this increased dependence on cloud email to steal sensitive data and deliver dangerous malware - crafting sophisticated new attacks and distributing these malicious campaigns using their existing networks.
We’ve identified the most disturbing email security trends that are putting businesses of all sizes, throughout all industries, at increased risk of suffering a cyber attack or breach. Since awareness is so critical in mitigating risk, we've outlined these most significant trends to assist with protecting your users.
The Digital Attack Surface Has Drastically Increased with the Proliferation of Cloud Platforms
The sudden rise in remote workers has increased the digital attack surface significantly. Businesses have far more touch points than ever before - which can provide malicious hackers with easy entry into corporate networks and systems if these potential points of compromise are not adequately secured. To make matters worse, it is not uncommon for remote workers to use insecure networks and devices shared with other users.
Many companies have migrated to cloud platforms like Office 365 and G Suite to fulfill their communication and collaboration needs. Without critical additional layers of security defenses in place, cloud email users are highly vulnerable to credential phishing attacks and account takeovers.
To fortify cloud email against today’s sophisticated threats, Gartner security experts recommend “a strategic approach to security that layers inbound, outbound and internal detection and remediation”. An effective supplemental cloud email security solution should provide automated multi-layered defenses and continual email analysis, and should offer seamless integration, simplified deployment, advanced intelligence and complete visibility.
- Thirty percent of credential phishing attempts bypass existing cloud email security defenses and are opened by target users.
- Despite built-in security defenses, 40% of Office 365 customers have experienced credential theft.
- About 40% of Office 365 customers plan to supplement their security with a third-party solution by 2023.
Additional Resources: Learn more about the hidden dangers of cloud email and how to safeguard remote workers in Office 365 in this blog post.
Phishing Scams Are A Harder Catch Than Ever
Phishing attacks have dominated the email threat landscape for decades; however, businesses’ increased reliance on cloud email, the proliferation of SaaS cloud-based platforms and anxieties surrounding the pandemic have led to a resurgence in this notorious threat. Our EnGarde Cloud Email Security platform has identified and blocked more phishing emails in August of 2020 than in any month prior throughout our 21-year history.
Not only has the number of phishing scams risen exponentially in recent months, so have the sophistication and specificity of these attack campaigns. Phishers employ advanced social engineering techniques and stealthy fileless and payload-less tactics to craft highly targeted scams designed to evade security defenses and trick even the most security-aware users into sharing credentials and downloading malware.
- 95% of cyber attacks begin with a phishing email.
- There has been a 600% increase in phishing attacks due to COVID-19.
- Users are now three times more likely to click on a malicious link embedded in a phishing email and then disclose their account credentials than they were pre-COVID.
Additional Resources: Get tips for recognizing and protecting against phishing scams in this blog post.
Ransomware Attacks Have Risen Sharply with the Emergence of RaaS
Ransomware is on the rise, carrying heavy costs for victims including data loss, significant downtime, financial loss and reputation damage. The growing potential for threat actors to profit from ransomware attacks is driving rapid innovation in ransomware development. Ransomware-as-a-Service (RaaS) schemes on the dark web - which enable individuals and groups to have a disproportionately large impact relative to their knowledge and skills - are expediting this innovation, and are expected to become increasingly prevalent in the coming years.
Mobile ransomware is at the forefront of modern ransomware development. Because mobile phones often lack adequate security defenses and contain valuable information, cyber criminals are devoting more time and resources to mobile ransomware development than ever before and, as a result, this emerging type of ransomware is becoming increasingly prevalent and problematic.
- A ransomware attack occurred every 14 seconds in 2019.
- Thirty-four percent of all malware attacks on organizations used ransomware, particularly where ransomware operators demanded a ransom in exchange for not disclosing stolen data.
- SMBs are a disproportionately large target for ransomware attacks, with 60% of these companies going out of business within six months of an attack.
Additional Resources: Learn how to prevent ransomware attacks in this blog post.
CEO Fraud is a Growing Threat to All Employees and Executive Team Members
CEO fraud, also known as whaling or Business Email Compromise (BEC), is at the forefront of the modern email threat landscape, with attacks being reported in all 50 states and in 150 countries. This dangerous impersonation scam is not only a concern for C-suite executives - finance, HR and IT employees and all members of a company’s executive team are popular targets for CEO fraud attacks given their roles and the access they have to sensitive information and funds.
The FBI has warned multiple times of sophisticated COVID-19 related BEC scams exploiting cloud email services to steal users’ account credentials, and is urging businesses to take immediate action by implementing critical additional layers of protection in Office 365 and G Suite.
- Between 2016 and 2019, BEC scams resulted in $26 billion in reported losses for businesses worldwide.
- BEC scams accounted for half of total losses due to cyber crime in 2019.
- The average loss per BEC complaint reported in 2019 was nearly $75,000.
Additional Resources: Learn how CEO fraud works and get advice on how to prevent these attacks in this blog post.
Cybersecurity Should Be a Top Priority Amid the COVID-19 Pandemic
It is no secret that 2020 has been a challenging year for most companies. In many cases, cyber security has been put on the back burner, as organizations scramble to adapt and adjust to our ‘new normal’. However, the reality is that in this heightened digital threat landscape, cyber security has never been more important.
The COVID-19 crisis has driven rapid, widespread migration to Office 365 and G Suite to meet businesses’ email needs, providing threat actors with the perfect environment to craft timely, convincing email scams that appeal to recipients’ sense of urgency and fear surrounding the pandemic. Many of the COVID-related phishing scams that have been identified use language like "masks", "test", "quarantine" and "vaccine", and these malicious emails often contain real company logos, trademarks, copyrights and HTML/CSS. One such scam includes legitimate information about a company's telework policies and others are filled with potentially useful information about COVID-19 - signed by the White House and President Donald Trump. Phishing campaigns advertising bogus SBA loan emails, phony COVID-19 tests and fraudulent antibody treatments have also been detected. Attackers are using these scams to gain a foothold on corporate systems by tricking employees and their family members into engaging with and enabling their malicious campaigns.
Guardian Digital has detected a steady uptick in malicious phishing emails that appear to come from trusted government sources such as the White House, the CDC, the World Health Organization and the Department of Health and Human Services as this crisis continues. We’ve also identified an increase in the Ursnif, Emotet and Fareit trojans, which leverage phishing emails referencing the term "COVID-19" to convince users to click on links and download malware.
Phishing attacks involving COVID-19 schemes have become the norm and will likely continue well into the future. Even after we emerge from this pandemic these new threats will persist, as cyber thieves now have a mechanism in place to distribute phishing attacks exploiting the latest trends - including the upcoming election. Guardian Digital has also detected creative campaigns related to package delivery, changes to insurance regulations and requirements, industry events and meetings, disaster relief, and other issues that demonstrate methods and tactics similar to those used in notorious COVID-related phishing scams.
- Sixty-two percent of organizations will tighten their 2021 IT budgets due to COVID-19.
- Ninety-three percent of businesses are extremely concerned about security.
- Twenty-two percent of organizations plan to spend more on security in 2021 than in 2020.
The dominant theme of 2020 has been the scale and impact of cyber attacks on our society. Effectively securing users and data in this era of heightened digital risk demands a defense-in-depth approach to security and expert, managed services. Signature-based antivirus software and endpoint security solutions alone are insufficient in combating today’s advanced exploits like spear phishing, CEO fraud and fileless malware, which are crafted specifically to evade detection.
Now more than ever, businesses cannot afford to leave their email accounts inadequately protected. It is critical to keep in mind that the cost of a successful cyber attack or data breach could be a shut-down or worse - permanent closure.
Secure your business for the future now by partnering with an industry leader to safeguard your users, your data and your brand.