The possibility of AI-based email phishing attacks is on the horizon. There has never been a more critical time to examine what else you could be doing to improve your organisation’s email security.
This page addresses the important questions you should be able to answer: What are the main threats to business email security? What can you do to minimise those threats to your organisation? And where can you get help?
Email is your weakest link
Most security breaches involve email accounts. Prioritising email security is critical, with so-called “social engineering” – relying on victims clicking links – being the method of 99% of all email attacks, according to the Proofpoint Annual Human Factor Report.
With so many sorts of assaults relying on email as a means of entry, robust email security is critical. You must effectively defend against all types of email attacks, spot and eliminate threats as they arrive, and keep all employees aware of email threats so they know what to do when confronted with suspicious emails and links.
Attackers adapt their campaigns and methods very quickly to evade more common protection solutions. These “polymorphic attacks” mean your organisation must find ways to get a more complete picture of the email threats your face, as well as solutions that can effectively focus on zero-day and targeted attacks in addition to known vectors.
Email-based cyber attack types
Targeted phishing schemes, business email hacks, and ransomware assaults are among the various sorts of email attack threats that firms face.
According to Check Points’ mid-year security report released in August of this year, ransomware attacks for extortion have escalated considerably over the previous year. 93% more attacks were carried out in the first half of 2021, and ransomware now appears in 10% of breaches according to Verizon.
This low-cost, simple, and very effective method employs emails that appear to be from legitimate sources and contain links that, when clicked, send the victim to pages where payment and other personal information is stolen or malware is downloaded. For example, in the aftermath of Thomas Cook’s receivership, consumers were targeted by phishing attempts near the end of 2019. According to Verizon’s 2021 Data Breach Investigations Report, phishing climbed by 11% between August 2020 and August 2021, and it is present in 36% of breaches.
The National Cyber Security Centre provides advice on how to protect your organisation from phishing attacks.
Malware email attachments
According to Kaspersky, a business is targeted by a ransomware attack every 11 seconds, and ransomware attacks increased by 62 percent between 2019 and 2020. Malware is currently responsible for more than 70% of system intrusions, reports Verizon. Malware commonly includes viruses, worms, Trojan Horses, spyware, adware, and ransomware.
Remote Access Trojans (RATs), for example, are malicious programmes that can arrive as email attachments and provide a “back door” for administrative control over the target computer. They can also be adapted to avoid detection and carry out other types of attack tactics, such as disabling anti-malware solutions and enabling man-in-the-middle attacks.
Business Email Compromise and Vendor Email Compromise
Business Email Compromise (BEC) attacks have long been successful in using email fraud combined with social engineering to lure one staff member at a time in order to extract money from a targeted organisation. However, security experts say that this type of attack is morphing into a much larger threat known as ‘VEC’ (Vendor Email Compromise). This more sophisticated version is carried out on a bigger scale. It aims to leverage organisations against their own suppliers, utilising email as a significant component of the trickery.
Technology and security experts agree that AI will be used in cyberattacks in the near future. Its ability to learn and continuously attempt to reach its target, for example in the form of malware, makes it a terrifying threat.
Because email is the most common way for malware to reach and attack networks and systems, there has never been a better moment to strengthen email security, train and educate personnel about dangerous email threats, how to recognise them, and how to deal with them. The inclusion of AI to the mix may make it more difficult to detect phishing emails. The good news for businesses is that AI and machine learning are already being utilised in some anti-virus software, such as Avast, and this trend of integrating AI in security solutions to combat AI security threats is likely to continue.
How to keep your email safe from common threats
Safeguarding your business or organisation’s email from typical security attacks should include the following measures.
- Always keep anti-virus and patching software up to date.
- Educate and train employees on how to identify fraudulent emails, what to do and what not do, such as not clicking on links from unknown sources.
- If feasible, disable HTML emails (text-only emails cannot start malware directly).
- As an extra layer of security, encrypt crucial data and communications.
- Establish a system for reviewing your bank account activity for unusual charges.
- Make sure critical and sensitive firm data is backed up. Include business email compromise (BEC) in business continuity and disaster recovery planning.
- Prevent public access to email archives by ensuring that archive storage discs are properly set.
- Keep an eye out for any exposed credentials, particularly in emails from and to the finance team or department.
- When possible, employ two-factor authentication (2FA). If you are an enterprise, you may choose to block .html and .htm attachments at the email gateway level so that they do not reach members of staff, some of whom may be unfamiliar with internet security.
- Do not use the same password across platforms and websites. This is called “password sharing” and means when one system is hacked, the rest may be, too. Credentials stolen in one breach are likely to be tried out opportunistically on numerous other websites – a process called “credential stuffing” – by other cyber-criminals who have purchased or otherwise acquired them on the dark web.
Broader methods and some innovative approaches
There are some more approaches that your businesses might use to secure the email system. Unfortunately, this “belt and braces” level of precaution is becoming increasingly necessary.
Adopt a “never trust, always verify” approach to corporate cyber security. This principle forms the core of Zero Trust security. Shift from perimeter to pervasive email security, as advised by Mimecast CEO Peter Bauer, for example. This includes dealing with threats to the perimeter, threats from within the perimeter, and threats from beyond the perimeter, as well as an API-led strategy to delivering pervasive security across all zones.
Help with your email security from Microsoft and Google
- Outlook’s Junk Email Filter and the Report Message Outlook add-in is a useful tool.
- Use Office 365’s Advanced Threat Protection (ATP) plans.
- The Microsoft 365 Defender Portal is a way to measure and receive recommendations on how to safeguard your organisation from dangers, all via a centralised dashboard. More information can be found at Microsoft Secure Score | Microsoft Docs
- The “campaign views” capability in Office 365 offers stronger protection against phishing assaults by allowing businesses to detect the pattern of a phishing campaign over individual messages.
- Online guidance for protecting Outlook email accounts can be found on the Microsoft website at Help protect your Outlook.com email account
- Microsoft is making its plus addressing – in other words, disposable email address functionality – available to all Office 365 customers.
- Advanced Gmail security for phishing and malware for G Suite administrators if available on the Google Workspace Admin help website. Advanced phishing and malware protection
- Google also offers steps to identify compromised accounts. Identify and secure compromised accounts
- Help with firewall configuration is also offered on the same site.
- Google provides help to preventing harmful emails from reaching inboxes. On its Cloud blog on 16 April 2020, Google claimed that Gmail prevents more than 100 million phishing emails every day.
Help from Flywheel
We provide a complete cyber security service to several hundred businesses and schools around the UK, helping them keep their email secure. To discuss how we could help your organisation, please contact us.