You’ve Got Mail — And It’s the Single Biggest Threat to Your Organization’s Security
Within the focused field of network security, email security is a bit of an outlier, frustrating IT professionals everywhere. Just don’t click on the bad things, right?
To put it bluntly, humans are the weakest link in companies’ cybersecurity efforts. Don’t blame the victim, though. Even sophisticated users can be duped by business email compromises (BECs). In fact, one in four companies has suffered at least one email security breach. The odds are stacked against you: a 2019 Verizon report found that 94% of malware attacks happen through email. So, what do you need to know about email security to protect your organization?
Scammers are Getting Smarter
Business email compromises (BECs) are designed to mimic business email accounts and are a looming threat to businesses of all sizes. These scams have come a long way since the days of a “Nigerian prince” asking for money. Over the years, the scams evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, and more. Today’s cybercrooks use sophisticated tools to resemble authentic company email accounts. And all too often, they work. The Internet Crime Complaint Center received BEC complaints totaling more than $1.9 billion in 2020. While the numbers for 2021 aren’t in yet, it’s shaping up to be an expensive year too:
- In August of this year, scammers impersonating the FTC Chair sent phishing emails promising Coronavirus relief funds and asking for personal information like name, address, and date of birth. Hundreds of copycats have since launched similar scams. In a rare move, the FBI, the Treasury Department, and the FTC issued warnings to businesses and individuals about the threat.
- In May of 2021, a ransomware attack crippled Colonial Pipeline (they ultimately paid a $5 million ransom). That attack is now believed to have spawned from a phishing email. Resourceful cybercriminals immediately began exploiting news of this event, launching other BEC campaigns encouraging recipients to protect their systems by “clicking here to update.”
- In February 2021, SolarWinds reported that “a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.”
How The Scams Work
Almost without exception, users’ actions open the door to BEC criminals.
BEC scammers may use dozens of different techniques, and usually more than one technique at a time. These range from spoofing an email account or website, to phishing emails that trick the user into revealing confidential information, to the introduction of malware when an unsuspecting user clicks on a link in the email.
Scammers are opportunists, exploiting common vulnerabilities. For example, as the use of virtual meeting applications such as Teams and Zoom grew during the pandemic, scammers began targeting these platforms, sending emails that looked similar to legitimate invitations. Once a user clicked to join the meeting, the fraudulent website recorded the user’s actual credentials for the service, which the scammers could then use to further the legitimacy of their phishing campaigns, or worse.
The Two-Tier Defense Against Email Attacks
Email security requires a two-tier defense: education plus technology.
1. Education
The single best way to protect against BEC attacks is to educate your staff, teaching them what to look for and what not to do. Cybersecurity awareness training should be a part of every company’s security protocol. Your Managed Services Provider (MSP) can help you design and implement a cybersecurity training program.
2. Technology
While education will always be at the forefront of email fraud prevention, it’s simply not enough, as evidenced by the ongoing proliferation of successful attacks. Many technology tools play a role in keeping your corporate data safe and keeping cybercriminals out of your inbox. A Managed Services Provider can help you select, deploy, and maintain the technology tools that fight BECs, including:
- Endpoint protection is the first step in cybersecurity. Its capabilities go beyond antivirus and anti-spyware applications. It should be considered a necessity.
- Email security applications. The best use artificial intelligence (AI) to monitor email activity and detect phishing scams.
- Two-factor (or multi-factor) authentication should be in place on any account that allows it. We’ll be talking more about this in an upcoming post.
No More Compromise
Business email compromises are costly and disruptive. Fighting BEC effectively requires experienced security experts, carefully designed and executed training and education, and the best available tools. Learn more about how to protect your organization by connecting with one of the security specialists on Net at Work’s Managed Services team.