Understanding and implementing email security best practices has never been more important, but enterprises around the globe are still struggling.

Despite its age and pervasive use, email is still one of the top attack vectors when it comes to security breaches. According to a 2017 report, email was the main entry point in 96 percent of cases involving human error that led to a security incident, and 49 percent of malware was installed via email.

This data from Verizon’s “2018 Data Breach Investigations Report” suggests that phishing is still a very effective way to lure users. According to the report, an organization only has 16 minutes until the first click on a phishing campaign. Unfortunately, the first report from a user who recognizes the scam email will only be reported after 28 minutes.

Listen to this podcast to learn how to fight the spear phishing plague

Know the Offense

Matthew Gardiner of email management firm Mimecast noted that “the state of email security is still quote poor” and argued that human error contributes to these security gaps.

“It’s such a difficult area to defend,” he said. “In most organizations, they don’t have the sophisticated controls to defend, so they are dependent on people to do the right thing.”

But depending on users often doesn’t work. Too many malicious emails are still getting through corporate defenses and being served up to end users at a dangerous rate. They don’t always intend to do harm, but end users are still the main cause of breaches. According to the “IBM X-Force Threat Intelligence Index,” 12 percent of attack activity researchers monitored in 2017 were the result of attackers attempting to exploit inadvertent insider weaknesses.

“Email continues to be the obvious target of choice for both low-skilled and high-skilled threat actors,” said Gardiner. “It’s a good return on their investment. Companies can’t turn it off, so of course that leaves it open for attacks.”

How do criminals use email to attack an organization? Let’s take a closer look at some of the most common email security threats outlined in the X-Force report.

Malicious Links

A malicious link in an email directs the recipient to a site where his or her credentials will be harvested. Users think they are on a safe site and are usually responding to an inquiry for information (e.g., “click here to verify your information”). Criminals can gain access to corporate networks or other sensitive information once they have key information from unsuspecting users.

Dropping Malware

If a message contains a malicious attachment, simply opening the file can infect the user’s machine with malware, such as ransomware or keylogging software. Users are usually fooled by being asked to open an attachment that claims to contain financial information, such as an invoice or a bill. This is a very effective technique in business environments.

Business Email Compromise

Business email compromise (BEC) has steadily increased in recent years. Also known as whaling, it involves an attacker who impersonates a high-level executive and tries to trick an employee or customer into transferring money or sensitive data. According to the Internet Crime Complaint Center (IC3)’s “2017 Internet Crime Report,” BEC and email account compromise (EAC) generated the greatest losses, costing victims more than $676 million.

Download the complete 2018 IBM X-Force Threat Intelligence Index

Evaluate Email Security Best Practices and Vulnerabilities

One way to assess your current defense strategy is to start with a phishing simulation, advised Gardiner. Have your security teams craft a mock phishing email and send it out to users. Analyzing the results can be a good first step toward evaluating the level of education and awareness among your organization.

Gardiner also advised organizations to conduct a more technical assessment of their inbound and outbound email to determine how many malicious messages are getting through corporate servers on a daily basis and ensure that sensitive information is not shared with outside parties. Penetration testers can create a more targeted attack simulation using email and give feedback on where weaknesses exist — both human and technical — and how they were able to access sensitive information.

Once security managers have a picture of the state of email security, the next step is to develop a strategy for shoring up defenses.

Consider Managed Security Services

Managed security services (MSS) deliver dedicated expertise to help you address your email security needs, evaluate how your current strategy and platform is performing, and make recommendations about upgrading both software and hardware. A managed email security service provider can offer general guidance and help you set up a solution that integrates spam detection and filtering, antivirus and antispyware, scanning for viruses and worms in messages and attachments, and outbound email encryption. Typically offered through a subscription model, these services are often flexible enough to allow on-site administrators to set up policies and controls that address their organization’s unique needs.

Invest in Awareness Training

Because email is still so pervasive in business communication, it is critical to ensure that users can recognize the red flags in a phishing email and know what to do should they be targeted.

A comprehensive awareness program should educate end users about malicious attachments, dangerous links, common email scams and the techniques used in a spear phishing campaign. Seek out an awareness provider that can tailor training to your organization’s individual risk profile. Keep in mind that the kind of spear phishing techniques threat actors use to target employees working in a financial services firm will be different from those used to target end users in a healthcare clinic.

There are many options and multiple vendors out there that offer awareness training programs for business. Be sure to choose a training strategy that is both appropriate and engaging for your organization.

Take a Layered Approach to Email Security

Perimeter protection, scanning emails and awareness training are individual strategies that are much more effective when used together. The goal of a layered approach to email security is to build a diverse set of defenses. That way, if one line is breached, you can rely on another one as backup.

A layered approach to email security requires a mix of both technology and education. These layers might include mail scanning, perimeter protection served up through a firewall, internal protection such as antispam technology, intelligence reports to stay on top of the latest threats and awareness education so employees can serve as the final line of defense.

Despite all of the other types of messaging platforms available for communication now, email is not going away anytime soon. As long as business use email, criminals will leverage it as an attack vector. Evaluating your email security is critical for a solid, holistic approach to defending against breaches.

More from Fraud Protection

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

How Security Teams Combat Disinformation and Misinformation

“A lie can travel halfway around the world while the truth is still putting on its shoes.” That popular quote is often attributed to Mark Twain. But since we're talking about misinformation and disinformation, you’ll be unsurprised to learn Twain never said that at all. In fact, no one knows who first strung those words together, but the idea that truth spreads slowly while lies spread quickly is at least several hundred years old. The “Twain” quote also serves to…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

New DOJ Team Focuses on Ransomware and Cryptocurrency Crime

While no security officer would rely on this alone, it’s good to know the U.S. Department of Justice is increasing efforts to fight cyber crime. According to a recent address in Munich by Deputy Attorney General Lisa Monaco, new efforts will focus on ransomware and cryptocurrency incidents. This makes sense since the X-Force Threat Intelligence Index 2022 named ransomware as the top attack type in 2021. What exactly is the DOJ doing to improve policing of cryptocurrency and other cyber…