Brian Johnson is the Chief Security Officer at Armorblox, a cloud-based email security solution powered by natural language understanding and machine learning that provides effective protection against advanced email threats such as spear phishing, account compromise, and vendor fraud. In their latest Email Security Threat Report, Armorblox reported a 73% increase in financial fraud email threats year-on-year from 2021 to 2022. 44% of these attacks involved wire fraud, invoice fraud, or vendor fraud. To help tackle this increased threat, Armorblox has recently added Vendor and Supply Chain Attack Protection to their email security platform.
We spoke to Johnson to discuss the dangers of vendor fraud and supply chain attacks, why these attacks are becoming more prevalent, and how Armorblox’s new features help organizations protect their users against these sophisticated email threats.
Could you please give us an introduction to yourself and your security background?
Sure—I’m Brian Johnson, I’m the Chief Security Officer here at Armorblox, and I have a long tenure in the security field. Throughout my career, I was CISO at Lending Club, I led the internal security team at Netflix, and prior to that I worked with a number of contractors both on the government and DOD [U.S. Department of Defense] side of Washington, DC. I won’t say how many years it’s been, but it’s getting up there!
Could you please introduce the Armorblox platform and the challenges you’re helping your customers to solve?
Armorblox is an email security platform. As all of us know, email is an open door to the world. With that comes the greatness of being able to communicate, but also the negative of having adversaries continually attacking our employees and trying to gain advantage over them.
We’re helping our customers be on the cutting edge of fighting the most dynamic threats to their organization, based on inbound email.
The email threat vector has evolved in recent years, with attacks becoming much more targeted and sophisticated. What are some of the most prevalent attack methods you’re seeing at the moment, and how do they work?
We’re seeing a very large increase in financial fraud where organizations receive an email from a vendor asking them to pay for a service. Large companies may work with thousands of vendors, and the ability for CFOs and finance teams to keep up with that number of vendors is continually becoming harder and harder. This makes it more difficult to tell when an email is from a genuine vendor, or from an adversary.
Additionally, adversaries are able to change those vectors on a rapid scale. 10 years ago, it took them weeks or maybe even months to come up with campaigns; now it takes them minutes.
So, we’re continually seeing advanced threats coming in spoofing vendor brands. And these are great looking spoofed emails—they look just like PayPal or a financial firm. Netflix is another big one we’ve seen a lot on the user side. Those emails continue to be a growing space.
Account takeover is really the number one thing that we’ve seen among our customers. That’s where people are trying to get access into email systems to spoof other email, or where people are getting access to get into accounts and spoof that account owner to get access to internal systems. We’ve seen that in a number of breaches. Over the last six months, this vector continues to grow, and the adversaries continue to find innovative ways to “go to market” faster, as we call it.
Platforms like Armorblox are built to find those new ways of attacking our customer bases, and being able to protect against them.
Who is most at risk from these types of attack, and why?
Everybody who uses email! But particularly anybody with access to finance or access to internal systems. And that’s not just C-suite staff anymore—it’s now new interns, mid-level managers, and controllers, among others.
A year or two ago, these emails were more targeted towards the CFO, and were trying to spoof an executive. That executive spoofing has definitely morphed because the bad guys have found out that it’s not just the CFO that has access anymore—it’s admins, it’s executive assistants.
And through social media and other channels, it’s become very easy to be able to find out where it is you work and what you do in your job. So, we’re seeing very targeted emails being sent to mid- and lower-level employees. All those kinds of individuals see these types of attacks.
You mentioned earlier that the “go to market” time for these attacks has decreased in recent years. How much of that is due to the fact that the attack surface has grown in this way?
Yes. When you see a 73% increase in financial fraud year-on-year, the reason that’s able to grow so exponentially is because there are now platforms that these adversaries are using to spin up their ad campaigns much faster.
I don’t think that’s going to change anytime in the near future, because new ideas are being curated on the adversary side really fast, and then morphed and tested.
At Armorblox we see these as test campaigns as they develop. We have around 58,000 customers that we’re servicing, and we’re able to see the campaigns as they start, as they’re tested, and finally as they’re launched on larger organizations. So, the campaign or mechanism is still the same, but the speed at which they’re able to execute is much faster.
Last week, Armorblox announced the addition of Vendor and Supply Chain Attack Protection to your cloud email security platform. Why did you decide to expand the platform in this way?
The number of customers that we have in our platform really enables us to obtain data insight on what those new attack vectors are. We see vendor and supply chain fraud as one of the largest emerging threats—not only to our customers, but to potential customers coming to ask us for help.
We also see it in the number of write-ups on breaches. We keep reading about a million dollars lost here, five million dollars lost there—these numbers add up, especially for the organization incurring that loss.
So, we’ve launched this platform that can help our current customers and new customers coming to us to be able to understand who their vendors are, and what suspicious emails look like. And this is designed not only for C-suite staff, but also for your mid-level managers—individuals that are actually writing and sending checks or wiring money from bank accounts. This means that we can protect the whole organization, not just an individual.
How will this help organizations to prevent vendor fraud, financial fraud, and supply chain attacks?
Armorblox will be able to flag individual users—not just to the security team, but to the users themselves—that this is not a vendor we’ve seen before or that something looks suspicious. This means we’ll be able to educate the person directly receiving the email not to make those moves.
The blocking aspect is one part of our platform; we can implement protection to prevent those emails from coming through.
But we want to make sure that we’re also training people to identify what in this email is suspicious, and why we think this vendor transaction shouldn’t be “driven through its full course”. This means that users are able to not only inform the security crew, but also know not to answer these emails, which stops the breach in its tracks.
This new module is introducing more of a human element into your platform. How important is it for businesses to combine human and artificial intelligence in the fight against these threats?
It’s critical, because the human is what’s really being attacked. These attacks are being carried out on a technology platform via email, but it’s really the human that’s the recipient of the attack. So, it’s important to not only train them but to empower them to help the security team be more powerful in stopping these incidents before somebody clicks on something or accepts a link or a phone call.
The idea of urgency in these emails is very good, so we need to let them know that this isn’t something they should urgently do. We need to flag why there is an issue, and why they should work with their security team.
And if you want to block those emails completely out, you have that option as well.
How do you anticipate the threat landscape will continue to evolve as we move into 2023 and beyond, and what plans does Armorblox have to keep up with these changes?
We’re going to continue to see dynamic change on the adversary front. Older platforms are running on very basic or rudimentary principles, and their ability to find adversaries isn’t working anymore. That’s why we see the 73% increase in financial fraud, and this will continue to advance and to move on.
Solutions like Armorblox and our machine learning algorithms—which enable businesses to see what normal looks like, to better identify when an adversary is coming at you—are going to be the only real way to protect users going forward.
And we’re going to need to pivot quickly to cover all of our bases. Those adversaries are building their own platforms and changing campaigns so dynamically: it’s financial fraud this week; it’s access to internal admin processes next week; it’s an attack on data storage drives the week after.
On top of that, one of the largest benefits in the Armorblox platform is really bringing the user in to help the security team better learn what’s bad and what’s good, and we’ll continue to do that. We’ll continue to help educate the end user on what looks suspicious and flag it, and we’ll really spend time training them, so they can add that data loop back to us, so we can continue to train our models to be even more advantageous for the business.
What are your final words of advice to organizations that are worried about sophisticated email threats such as vendor fraud attacks?
My advice is to have layers of security in place when you’re looking at these emails—don’t rely solely on your email provider. There are some basic and very loud attacks that they can pick up, but the attacks that we’re seeing today that are growing so exponentially are those really targeted, dynamic attacks aimed at large groups of people inside of an organization. And the standard email platforms have not been able to move quickly enough to help reduce those risks for our customers and the new customers that we’re seeing coming onto our platform.
You also need to ensure you’re taking this risk as a priority. Email is one of the largest external platforms that users have to communicate with the outside world, and platforms like ours help organizations to reduce that risk.
Thank you to Brian Johnson for taking part in this interview. You can find out more about Armorblox’s email security platform via their website.