Understanding and implementing email security best practices has never been more important, but enterprises around the globe are still struggling.

Despite its age and pervasive use, email is still one of the top attack vectors when it comes to security breaches. According to a 2017 report, email was the main entry point in 96 percent of cases involving human error that led to a security incident, and 49 percent of malware was installed via email.

This data from Verizon’s “2018 Data Breach Investigations Report” suggests that phishing is still a very effective way to lure users. According to the report, an organization only has 16 minutes until the first click on a phishing campaign. Unfortunately, the first report from a user who recognizes the scam email will only be reported after 28 minutes.

Listen to this podcast to learn how to fight the spear phishing plague

Know the Offense

Matthew Gardiner of email management firm Mimecast noted that “the state of email security is still quote poor” and argued that human error contributes to these security gaps.

“It’s such a difficult area to defend,” he said. “In most organizations, they don’t have the sophisticated controls to defend, so they are dependent on people to do the right thing.”

But depending on users often doesn’t work. Too many malicious emails are still getting through corporate defenses and being served up to end users at a dangerous rate. They don’t always intend to do harm, but end users are still the main cause of breaches. According to the “IBM X-Force Threat Intelligence Index,” 12 percent of attack activity researchers monitored in 2017 were the result of attackers attempting to exploit inadvertent insider weaknesses.

“Email continues to be the obvious target of choice for both low-skilled and high-skilled threat actors,” said Gardiner. “It’s a good return on their investment. Companies can’t turn it off, so of course that leaves it open for attacks.”

How do criminals use email to attack an organization? Let’s take a closer look at some of the most common email security threats outlined in the X-Force report.

Malicious Links

A malicious link in an email directs the recipient to a site where his or her credentials will be harvested. Users think they are on a safe site and are usually responding to an inquiry for information (e.g., “click here to verify your information”). Criminals can gain access to corporate networks or other sensitive information once they have key information from unsuspecting users.

Dropping Malware

If a message contains a malicious attachment, simply opening the file can infect the user’s machine with malware, such as ransomware or keylogging software. Users are usually fooled by being asked to open an attachment that claims to contain financial information, such as an invoice or a bill. This is a very effective technique in business environments.

Business Email Compromise

Business email compromise (BEC) has steadily increased in recent years. Also known as whaling, it involves an attacker who impersonates a high-level executive and tries to trick an employee or customer into transferring money or sensitive data. According to the Internet Crime Complaint Center (IC3)’s “2017 Internet Crime Report,” BEC and email account compromise (EAC) generated the greatest losses, costing victims more than $676 million.

Download the complete 2018 IBM X-Force Threat Intelligence Index

Evaluate Email Security Best Practices and Vulnerabilities

One way to assess your current defense strategy is to start with a phishing simulation, advised Gardiner. Have your security teams craft a mock phishing email and send it out to users. Analyzing the results can be a good first step toward evaluating the level of education and awareness among your organization.

Gardiner also advised organizations to conduct a more technical assessment of their inbound and outbound email to determine how many malicious messages are getting through corporate servers on a daily basis and ensure that sensitive information is not shared with outside parties. Penetration testers can create a more targeted attack simulation using email and give feedback on where weaknesses exist — both human and technical — and how they were able to access sensitive information.

Once security managers have a picture of the state of email security, the next step is to develop a strategy for shoring up defenses.

Consider Managed Security Services

Managed security services (MSS) deliver dedicated expertise to help you address your email security needs, evaluate how your current strategy and platform is performing, and make recommendations about upgrading both software and hardware. A managed email security service provider can offer general guidance and help you set up a solution that integrates spam detection and filtering, antivirus and antispyware, scanning for viruses and worms in messages and attachments, and outbound email encryption. Typically offered through a subscription model, these services are often flexible enough to allow on-site administrators to set up policies and controls that address their organization’s unique needs.

Invest in Awareness Training

Because email is still so pervasive in business communication, it is critical to ensure that users can recognize the red flags in a phishing email and know what to do should they be targeted.

A comprehensive awareness program should educate end users about malicious attachments, dangerous links, common email scams and the techniques used in a spear phishing campaign. Seek out an awareness provider that can tailor training to your organization’s individual risk profile. Keep in mind that the kind of spear phishing techniques threat actors use to target employees working in a financial services firm will be different from those used to target end users in a healthcare clinic.

There are many options and multiple vendors out there that offer awareness training programs for business. Be sure to choose a training strategy that is both appropriate and engaging for your organization.

Take a Layered Approach to Email Security

Perimeter protection, scanning emails and awareness training are individual strategies that are much more effective when used together. The goal of a layered approach to email security is to build a diverse set of defenses. That way, if one line is breached, you can rely on another one as backup.

A layered approach to email security requires a mix of both technology and education. These layers might include mail scanning, perimeter protection served up through a firewall, internal protection such as antispam technology, intelligence reports to stay on top of the latest threats and awareness education so employees can serve as the final line of defense.

Despite all of the other types of messaging platforms available for communication now, email is not going away anytime soon. As long as business use email, criminals will leverage it as an attack vector. Evaluating your email security is critical for a solid, holistic approach to defending against breaches.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today