November 26, 2019 By Douglas Bonderud 5 min read

Email security remains a top priority in 2019 as organizations continue to face the threat of costly email compromise. The email attack surface is also expanding. Despite growing use of cloud-based collaboration tools and SMS for business, email remains the most common method for exchanging corporate information, with 74 percent of survey respondents choosing email as their preferred method of communication, according to a SendGrind study.

So it’s no surprise that phishing and spam still take the top spot for overall malware delivery. As Business 2 Community noted, 92 percent of malware is delivered via email. As a result, layered email security remains the best way to protect critical assets and reduce the risk of compromise — but this isn’t a static solution. Evolving attack methods and changing email use cases demand dynamic, multi-level defenses capable of identifying threats as they arrive, eliminating them in real time and remediating any damage they cause.

Here’s what you need to know about layering up security to limit email risk as we move into the new year.

What Is Layered Email Security?

Layers limit risk. This is the case for both email security and physical asset protection, as the more layers there are, the harder attackers have to work. Consider an office building. While break-in alarms can alert an organization if windows are smashed or doors are kicked down, they’re also necessarily reactive. But if you add in security cameras, motion sensors, two-way communications and secure areas with separate locking systems, burglars won’t get far.

Similarly, security best practices such as two-factor authentication (2FA) and location-based user identification can help limit the risk of compromise, but these single layers — no matter how deep or wide — offer finite protection. Layered approaches, meanwhile, frustrate malicious actors in different ways at every step of the security process.

Phishing Attacks: New Methods, Classic Pitfalls

While 2017 saw a sharp decline in the overall number of phishing attacks, this trend was short-lived. As HackRead noted, phishing attacks were up 250 percent through 2018, and while some of these shiny hooks included brand-new attack methods, Help Net Security reported that golden oldies like brand impersonation are also making a comeback.

Some of the most popular phishing attack types this year have included:

  • Fake attachments: If it looks too good to be true, don’t click it. From fake invoices to video files and special offers, attackers often use fake attachments to bypass security measures.
  • Credential hooks: Seemingly legitimate credential concerns are often used in business email compromise (BEC) attempts. Users believe their corporate or personal accounts have been hijacked and enter login data at attacker-created links, exposing their credentials.
  • Office impostors: Threat actors have gotten better at writing convincing emails that sound like they’re coming from the CEO, CFO or direct office supervisors. With social engineering now underpinning 97 percent of all malware attacks, according to Business 2 Community, office impostors are increasingly problematic.
  • Domain spoofing: If links appear to be from legitimate domains, recipients are more likely to click through. Attackers are now lifting webpage graphics, text and fonts so fake links look more like the real thing.
  • Brand impersonation: Microsoft, Google, Amazon — Attackers recognize the trust placed in many popular brands by business users, and so they’ve gone back to basics with effective impersonations that often elude suspicion.
  • Outside-the-box efforts: As ZDNet noted, cybercriminals are also thinking outside the box with threat vectors such as server-parsed HTML (SHTML), file attachments that automatically direct users to websites requesting financial information.

With the phishing pool digging deeper and leveraging surface-level techniques, layered email security is critical. Let’s dive into the effects of six different layers on overall infosec efforts.

Layer 0: Eliminate Spam

If you’re not sure how to secure email, start with spam.

In 2019, more than 4.7 billion phishing emails were sent every day to businesses and individuals around the world. Effective spam tools are a requirement to catch the most obvious examples before they can infiltrate local devices and potentially compromise credentials. Here, organizations need advanced detection solutions that do more than white-list common addresses. With spoofing on the rise, it’s a good idea to use multiple tools connected by a unified management framework to reduce the chances of spam getting through.

Layer 1: Seeing Is Deceiving

It’s not enough to look for an email threat as it approaches your server stack — the sheer volume and variety of phishing attempts demand threat intelligence tools capable of tracking common attack vectors, collecting relevant data and analyzing key spam behavior. This provides the foundation for layered protection that looks, listens and learns to improve overall defense.

Layer 2: The Inside Job

Internal configuration is a key component of layered email security. While many business mail servers and email solutions offer anti-spam and anti-malware detection, the increasing use of cloud-based services across multiple vendors means that misconfigured detection or reporting services could allow attacks to slip through unnoticed. Regular assessments of internal email services for potential security flaws form the second layer of our stack — when in doubt, bring in trusted cybersecurity partners to check for potential weaknesses you may have overlooked.

Layer 3: End-User Access Points

Mobile devices, laptops, tablets and even wearable devices are now connected to secure corporate networks. Add in the growing number of internet of things (IoT) devices, which are often protected by the same login/password combinations that govern business accounts or left completely unsecured behind business firewalls, and it becomes clear that deploying email solutions that target end-user devices is critical.

With 63 percent of IT professionals now reporting that their overall infosec posture is stronger in 2019 than in 2018, end-user devices can still create a considerable opening for attackers, according to Dark Reading. If an organization is too confident in its new cloud security services, security information and event management (SIEM) tools and artificial intelligence (AI)-driven malware analysis, it can be easy to overlook the simplest phishing strategy: compromising a single device for large-scale network access.

Layer 4: The More You Know

Phishing attacks target the weakest link in email security, the user. Seemingly legit emails and urgent requests often convince staff to click on links and download attachments, which can put critical assets at risk. Regular training can account for layer four of our total security solution. Training should include refresher courses as well as occasional phishing attack drills to ensure that staff members are opting for safety over speed.

Layer 5: Social Imperative

Email is a social network. Accordingly, it comes with social imperatives. Users tend to have a sense of entitlement around reliable email services, feel compelled to respond to urgent requests, and believe they’re better than they are at spotting big phish. That’s why we’re closing out our list with recognition of this social imperative and the importance of using targeted techniques to reduce overall risk.

Start with education around how not to draft emails — no urgent subject lines or must-do-right-now demands. Users must be given the time and space to review and report emails they deem suspicious. Security, not speed, must dominate corporate culture. Finally, new AI-driven tools can help nudge users in the right direction if they’re not sure about the legitimacy of new inbox arrivals.

Don’t get caught by phishing emails this year. Stay safe through 2020 by layering up on effective protection across your corporate controls, connections and culture.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today