Did you know that email is the most popular communication tool, as well as the entry point for up to 95% of security breaches? As cyber criminals evolve their techniques, targeted, enterprise-facing email attacks are rapidly increasing, fueled by an almost inexhaustible supply of potential victims and the tremendous profits awaiting successful fraudsters.
Deceptive emails are used by cyber attackers to carry out three different types of attacks:
- To coerce the recipient to follow a hyperlink to a website masquerading as a trusted site, where the recipient’s login credentials are requested (i.e., phishing);
- To compel the recipient to install malware – whether by opening a malicious attachment or visiting a malicious website;
- To convince the recipient to surrender sensitive information or willingly transmit money to the attacker.
To succeed with their deception, attackers masquerade as parties trusted by their intended victims; use social engineering laden messages; and, occasionally, hyperlinks or attachments that pose dangers to users.
In contrast to traditional phishing attacks and typical spam, the detection of typical deceptive emails cannot be done in ways that leverage large volumes of identical or near-identical, unwanted messages, disreputable senders, or keywords indicative of abuse. This is because cyberattacks typically are targeted. They use customised messages, senders and hyperlinks without bad reputations, and—to the extent that they contain malware attachments— individually repacked malware instances that avoid triggering signature-based anti-virus filters.
The analysis of messages with the goal of identifying targeted attacks, accordingly, is time consuming. Industry data indicates that diligent scrutiny can easily take minutes of computational effort for difficult emails, and the time is expected to increase as more rules are added to address the mushrooming of new attacks and the increased sophistication likely to be seen moving forward. Particularly subtle forms of deceit may require human-assisted review to detect, further adding to the worst-case delivery delays. Without meticulous screening, of course, I would expect to see either false positives or false negatives to increase—or, potentially, both.
The delays caused by filtering—and the associated fears of lost messages—may very well become the greatest liability when it comes to deploying strong security against targeted attacks. This is due to the resistance among decision makers to accept security methods that have the potential of introducing noticeable delivery delays or, worse still, causing false positives. Given the relatively low commonality of targeted attacks and a widespread hubris among end users as it comes to being able to identify threats, this reluctance is understandable.
Agari recently conducted a Social Engineering Survey to see how effectively organisations are addressing the challenges of socially-engineered attacks. The survey found that 94% of security leaders understand the criticality of social engineering as a significant business threat. However, 52% rate their organisations’ defences against social engineering attacks at average or below – there is clearly a lot of room for improvement!
If you would like to learn more, join me on the Trends in Email Fraud webinar. I will explore examples of recent attacks by technique and explain steps you can take to protect your organisation from targeted socially-engineered email attacks.
By Anthony Smyth, Agari Data UK Ltd.
On Wednesday, 19th April, Agari will be presenting a complementary webinar entitled Trends in Email Fraud to discuss this area in more detail. Please click here to register.