Email is one of the oldest methods of attack for cyber criminals, but it continues to be one of their most successful, with research suggesting up to 91 percent of all attacks start with an email.
Add in the more recent phenomenon of criminals abusing collaboration apps, and it soon becomes clear that the tools organisations rely on to interact with the outside world are letting in much more than they bargained for.
Email-borne attacks, most commonly phishing, have risen dramatically in recent years, with numerous reports citing double-digit and even triple-digit increases in the volume of malicious emails being generated.
It is a lucrative activity too, with Ponemon Institute finding that in 2023 the average global cost of a data breach due to phishing was US$4.76 million ($7.25 million), with a large percentage of these attacks coming from senders who impersonate organisations or individuals that are likely to have a relationship with recipients, such as online service providers and logistics companies.
While these emails have often been detectable due to poor grammar and formatting, or from using unlikely email addresses, cyber criminals are using generative AI to improve the quality of messages and make them harder to spot, with Europol even issuing a warning in 2023 regarding ChatGPT’s ability to draft highly realistic text.
Europol further warned that the ability of large language models to reproduce language patterns could be used to impersonate the style of speech of specific individuals or groups, allowing for much more targeted attacks that better impersonate trusted entities.
This is manifesting in the form of business email compromise attacks, which are giving rise to activities such as payment redirection fraud – a form of attack that the Australian Competition and Consumer Commission found cost Australian businesses $224 million in 2022.
Defending organisations against malicious email is big business, with Fortune Business Insights reporting that the email security market was valued at US$3.87 billion ($5.86 billion) in 2022 and projected at US$4.25 billion ($6.43 billion) for 2023.
However, a similar investment has yet to be made to protect users of collaboration tools, despite users often sharing sensitive information.
Hence organisations remain reliant on education regarding best practices, but these strategies are only effective if they are taught and reinforced regularly – something that becomes harder still to enforce when external organisations are invited into collaboration platforms.
Not surprisingly, this is leading many cyber professionals to consider a zero-trust approach to all forms of digital collaboration, such as through the introduction of multi-factor authentication and the continuous monitoring of user behaviour, although such measures are still in their infancy and tend to exist as written policy rather than as enforced technical controls.
Over time this may lead more organisations to adopt collaboration solutions that include security capabilities, along with other benefits such as archiving and encryption, and the ability to quickly integrate the latest threat intel from multiple sources.
In the meantime organisations will remain reliant on the human element of cyber defence – a strategy that has unfortunately proven extremely lucrative for cyber criminals and one that is likely to grow less reliable as the tools available to cyber criminals improve their ability to impersonate trusted entities.
SA Power Networks' cyber security annual report offers a solid visual for email security. Out of 32.7 million emails sent to staff last year, some 41,000 were automatically blocked, for phishing (33,000), malware (6000) and business email compromise (BEC, 2000). In addition, staff reported 13,232 emails to the cyber security team for investigation, a 352 percent increase year-on-year. Of those, 532 were found to be malicious.
A key uplift activity undertaken during 2023 was the addition of warning banners on all external emails. The banners are designed to alert people "to the potential risks associated with external emails, allowing them to take extra precautions before clicking on links or opening attachments. It also allows them to report the email so it can be reviewed by the security team by clicking the banner," SA Power Networks said.
Banner descriptions include suspicious sender, new email address, suspicious link, potential imposter, external sender and potentially untrusted sender.
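The article does not describe how SA Power Networks generates those banners, so the following is an added example, not the utility's code: it applies the six banner categories listed above to inbound messages using only the Python standard library. The organisation domain example.com, the protected-brand list, the known-sender set and the two sample messages are all constructed assumptions for the demonstration.

```python
"""Classify an inbound RFC 5322 message into external-email banner categories.

Added example, not SA Power Networks' implementation. Assumptions (hypothetical):
the organisation owns example.com, protects the examplebank.com brand, and keeps
a set of sender addresses it has corresponded with before.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}                       # assumption
PROTECTED_DOMAINS = {"example.com", "examplebank.com"}   # assumption: brands worth impersonating
KNOWN_SENDERS = {"supplier@partner.example.org"}          # assumption: previously seen addresses
BRAND_WORDS = {d.split(".")[0] for d in PROTECTED_DOMAINS}


def _domain(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance; a small distance to a protected domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def classify(raw, known_senders=KNOWN_SENDERS):
    """Return the set of banner labels that apply to one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    labels = set()
    from_hdr = str(msg.get("From", ""))
    display_name, from_addr = (s.lower() for s in parseaddr(from_hdr))
    from_domain = from_addr.rpartition("@")[2]
    external = bool(from_domain) and from_domain not in INTERNAL_DOMAINS

    if external:
        labels.add("external sender")
        if from_addr not in known_senders:
            labels.add("new email address")
        # No DMARC pass on the receiving MX means the claimed sender is unverified
        if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
            labels.add("potentially untrusted sender")
        # Lookalike domain (examp1e.com) or a display name borrowing a protected brand
        if any(0 < _edit_distance(from_domain, d) <= 2 for d in PROTECTED_DOMAINS) \
                or any(word in display_name for word in BRAND_WORDS):
            labels.add("potential imposter")

    # Reply-To steering replies to a different domain is a common BEC trait
    reply_domain = _domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        labels.add("suspicious sender")

    # Anchor text that shows one host while the href points at another
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        if shown and host and shown.group(0) != host and not host.endswith("." + shown.group(0)):
            labels.add("suspicious link")
    return labels


# Constructed sample messages (not real traffic)
SAMPLE_PHISH = """\
From: "Accounts Payable - Example Com" <ap@examp1e.com>
Reply-To: collections@mail-relay.test
To: staff@example.com
Subject: Updated remittance details
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=examp1e.com; dmarc=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Please update the vendor bank account via the portal:</p>
<a href="https://examp1e-portal.test/update">https://examplebank.com/vendor</a></body></html>
"""

SAMPLE_LEGIT = """\
From: Supplier <supplier@partner.example.org>
To: staff@example.com
Subject: Invoice 1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example.org; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Invoice attached. Portal: <a href="https://portal.partner.example.org/inv/1042">portal.partner.example.org</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, sorted(classify(sample)))
```

The constructed phishing sample trips every category, while the legitimate supplier mail earns only the plain external-sender banner, which is the behaviour a reader of those banners should expect. In production the known-sender set would come from the mail gateway's outbound history and the lookalike check would be fed by the organisation's actual brand and partner domains; the heuristics here are deliberately simple and, as the Calibre Group comments below note, filtering of this kind still needs user awareness to close the remaining gap.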
Sameera Bandara, a strategic ICT consultant at Calibre Group, notes the growing challenge of blocking all spam and phishing emails - and the assistance that can be provided by both education and tooling.
"A good security education program with things like web-based training on how to detect a phishing email is critical," Bandara said.
“I've always opted to run internal whitephishing campaigns as well. These have proven to be incredibly effective in raising awareness.”
While tooling is used to filter mail and inspect attachments and links, and is up to 90 percent effective, Bandara notes it must be augmented with user awareness training "to close the remaining gap".
The 2024 State of Security sponsors have worked tirelessly to improve the safety of enterprise and channel companies.
We are proud to present this year's State of Security champions, and showcase the work they do.