Email remains a primary vector for cyber threats, including phishing, malware, and Business Email Compromise, posing significant challenges for organizations aiming to secure their communications.
Advanced techniques like AI-driven attacks and the constant evolution of threat tactics make maintaining robust email security increasingly difficult.
We asked nine experts for their perspectives on the most significant email security challenges.
Brian Reed, Senior Director of cybersecurity Strategy, Proofpoint: The threat landscape is constantly evolving and creates emerging areas for attackers to exploit. The rise of Business Email Compromise (BEC) over the last few years has been a significant challenge, as these messages must be analysed contextually—security practitioners can no longer rely on a link, attachment, or payload to solely identify the threat. Today’s attackers are targeting humans though social engineering, using lures to get the recipient to take a specific action, such as call a phone number or communicate over another application. QR code phishing (or quishing) is another rising threat posing challenges for organizations. These attacks involve including malicious QR codes in emails to redirect targets to spoofed or malicious sites. Read the full Q&A.
Usman Din, Director of Product Management, Cisco Security: One major challenge is the use of obfuscation techniques, such as scripting, encoding, and image-only emails, to hide malicious payloads. Attackers often encode URLs or files to make them harder for security tools to detect, with QR codes becoming a popular way to redirect users to unsafe links and exploit the weaker defenses of personal mobile devices. Business Email Compromise (BEC) attacks have also evolved with the use of generative AI, enabling attackers to craft deepfakes, including synthetic videos and voice memos, to impersonate executives and create urgent calls to action. These AI-powered tools are also used to compose highly convincing and personalized phishing emails, making them more difficult for recipients to identify as fraudulent. Read the full Q&A.
Angel Grant, SVP of Product Marketing Management, Mimecast: The rising sophistication of cyber threats presents a major challenge. We’re seeing attackers increasingly exploit advancements in AI. From deepfakes to impersonation scams, bad actors are finding new ways to bypass traditional defenses and convince users to act. These threats are becoming more targeted by leveraging behavioral insights to trick users into giving up sensitive information, providing account information, and even committing financial fraud. Compounding the issue is the expanded human risk attack surface, driven by remote work and the different platforms employees use to communicate and collaborate.Read the full Q&A.
Olesia Klevchuk, Director of Product Marketing, Barracuda Networks: The volume and complexity of phishing, Business Email Compromise (BEC), and account takeover attacks are on the rise, with increasingly sophisticated tactics often bypassing traditional email security measures. Attackers are using AI to craft highly personalized and convincing phishing attacks, making it harder for traditional defenses to detect threats. Many organizations face resource constraints, with limited IT and security staff unable to keep pace with the complexity and volume of evolving email threats. Human error remains a persistent challenge that reinforces the need for both technological solutions and security awareness training. Read the full Q&A.
Tony Anscombe, Chief Security Evangelist, ESET: Phishing and spear-phishing have evolved to include new methods such as using QR codes or homoglyphs to trick people into scanning and clicking on seemingly legitimate links. BEC tries to trick people into believing that a legitimate sender is communicating with them, and these impersonation and email spoofs are getting better every day, especially with the advent of AI technologies. The Human Factor remains the weakest link in the chain. No technology can work 100% of the time if it is not used correctly and employees are not trained well. Cybersecurity awareness trainings continue to be relevant and necessary for companies of all sizes. Zero-Day threats can be initiated through email and AI is also making it easier for adversaries to come up with never-before-seen threats. Read the full Q&A.
Rodolfo Saccani, CTO & R&D Manager, Libraesva: Sophisticated attackers are continually updating their tactics, exploiting the vulnerabilities that arise from remote work arrangements and personal device use to launch highly targeted cyberattacks. The shift to remote work has introduced new risk vectors, including unsecured home networks, inadequate visibility into employee activity, and increased reliance on public cloud services. This creates an environment where threat actors can easily breach security controls Small and medium-sized businesses (SMBs) are particularly vulnerable due to their limited internal resources and lack of specialized expertise. Read the full Q&A.
Eddie Monaghan, Sales Enablement Officer, TitanHQ: Two of the biggest challenges facing organizations today are both the level of sophistication in e-mail attacks, along with the level of professionalism of attacks. In many cases, bad actors are operating more like major corporations as opposed to cyber criminals. These attackers have structed teams who will focus on a specific vertical or area of vulnerability. By conducting in-depth research on their targets, they can launch highly targeted e-mail campaigns that catch even the most cautious employee. These malicious e-mail campaigns often use sophisticated tools that may have been initially developed for legitimate uses but have now been co-opted for cybercrime. These tools combined with the professional level of social engineering, represent a concerning and ever evolving threat landscape for organizations of all sizes. Read the full Q&A.
Rajan Kapoor, Field CISO, Material Security: Really, the biggest challenges around email security today are the same that they’ve always been: there are countless ways for attackers to get into your inbox, and once they’re in, they can do an immense amount of damage. What needs to change is the way we think about email security, because it’s not just an email problem – it’s a workspace problem. We’re only looking at a small part of the true security when we think about it taking place when email travels into the inbox. We have decades of proof that a breach will happen, and we should be putting protections in place that limit the damage. Attackers only have to be right–or get lucky–once to subvert even the strongest inbound protection. Securing sensitive data, understanding the risk profile of your entire productivity suite and protecting broader access to systems and apps tied to the inbox is the logical next evolutionary step of email security. Read the full Q&A.
Zack Schwartz, VP of Business Development, Trustifi: The sheer volume of emails that organizations process daily complicates the task of identifying malicious content without disrupting productivity. Attackers also employ advanced evasion tactics like polymorphic malware, domain spoofing, and URL shorteners to bypass traditional filters. Ransomware remains a significant threat, frequently delivered through malicious email attachments or links, while human error continues to be a key vulnerability, with social engineering targeting individuals to bypass technical defences. The threats are evolving, as attackers can now harness AI to create convincing phishing content, automate reconnaissance, and adapt attacks in real-time. Read the full Q&A.
Further reading
