Although organizations have more ways of communicating than ever before – think Slack, Teams, WhatsApp, etc., – the most common workplace communication platform is still email. And as workforces are given more independence to work flexible hours, work away from the office, and to use their own devices, our reliance on email for virtual communication and collaboration is only increasing. Attackers know this and are exploiting it.
According to Verizon, 75% of the malware that an organization receives is delivered by email. In other words, email is the most commonly used means of distributing malware. This might be through a generic phishing email carrying a malicious attachment or link, or it could be a highly targeted “spear phishing” email that impersonates a C-level executive.
In this article, we’ll consider four of the biggest threats that your email accounts are vulnerable to, and suggest how these can be managed. The threats are credential compromise, phishing, business email compromise (BEC), and “email bombing”.
Credential Compromise
Credential compromise is where an illegitimate user obtains, guesses, or bypasses the credentials that protect an email account, whether by phishing them, by reusing a password leaked from another service, or by “spraying” a few common passwords across many accounts. If a bad actor gains access to an account, they can read every email in it and also use it to send malicious emails. Anything they send comes from a genuine mailbox and will, therefore, pass the recipient’s usual checks: a phishing email or illegitimate payment request sent this way looks authentic and has a far higher chance of tricking people.
What Are The Risks?
Emails sent from a compromised account can harm your organization’s reputation and credibility. The account can be used to spread false, malicious, or illicit content “from” your organization. The contacts in a user’s mailbox, and the degree of trust associated with your domain, will make any malware delivered more likely to be downloaded and activated.
With email credentials, attackers may also be able to get into other accounts associated with the compromised user. We all know that we should use a different password for each account, but even this might only slow an attacker down. When you click the “forgot password” button, you will usually receive an email link to reset it. If an attacker controls your mailbox, they can trigger those resets themselves and take over any account that trusts that email address, which makes the mailbox the root of trust for almost everything else the user logs in to.
What You Can Do About It
Promote Best Password Practices
The main practice to make your users aware of is not to share their login details. It’s as simple as that. There is no one who needs to know a user’s password, or any other private login details, except the user themselves. Not even account admins. If someone contacts a user saying they need their password, your users need to know not to give it to them. You should also make your users aware of the fact that certain other users within your organization will have enhanced privileges – they might be able to monitor users’ emails or log their internet history – this is different from them having access to an account.
These privileges will be set as an organizational policy, and there will still be restrictions on what they can access. Admin or IT teams might not, for instance, be authorized to access customer account details, or other sensitive information. It is, therefore, imperative that users know not to share account login credentials with anyone.
Implement A Password Manager
A good solution to keeping track of multiple passwords and accounts is to implement a password manager. Password managers securely store the passwords for all your users’ accounts, requiring them to remember only one “master password”. Many password managers will also generate unique and complex passwords when setting up a new account. This ensures your users’ accounts are individually protected, so a password leaked from one service cannot simply be replayed against another (credential stuffing).
We’ve written an article on The Top 10 Password Managers For Business, which you can read here.
Enforce MFA
To stop an attacker gaining access to your users’ email accounts even if they have the correct login credentials, enforce multi-factor authentication before an account can be accessed. This requires a user to verify their identity using an additional factor such as a fingerprint, a hardware security key, or a time-based one-time passcode (TOTP). Only once these additional checks have been passed will the user be allowed into the account. Not all factors are equal: TOTP codes and push approvals can still be relayed through a real-time phishing proxy or worn down by repeated prompts, whereas FIDO2/WebAuthn security keys and passkeys bind the login to the genuine site and resist this, so prefer them for mailbox access where you can.
With this additional layer in place, a stolen password alone is no longer enough to get into a mailbox. For a full listing of The Top 11 Multi-Factor Authentication Solutions For Business, read our article here.
Phishing
In a phishing attack, an attacker sends an email posing as a trusted contact or brand. The email tries to elicit sensitive information from its recipient; for example, it may ask a user to “urgently” share critical details or warn of an overdue bill that “needs to be paid now!” These demands are false; any links or attachments are likely to install malware on the host computer, and any payment details will lead to the attacker’s account. According to Area 1, 96% of phishing attacks arrive through email. Because the message manufactures urgency, users do not critically appraise it and are pushed into following these seemingly legitimate instructions.
According to Verizon, 90% of data breaches have a phishing component, and IBM puts the average cost of a phishing-based attack at $4.91 million. With these two statistics in mind, it is clear that phishing poses a significant threat to your organization.
What Are The Risks?
In a phishing attack, victims will be encouraged to share details, (unwittingly) download malware, or make payments to the attackers. Emails will usually impersonate a known brand or organization. Logos and text will be designed to replicate the authentic communication and encourage the user to believe that this is a trusted source. The user will be asked to share important details or click on malicious links. These links can download malware onto the user’s computer – this could harvest data, corrupt files, or lock users out until a ransom fee is paid.
In many cases, the victim won’t even realise that they have been targeted. Details can be harvested from a “spoofed website” – this is a site that is designed to look like a known, legitimate site, but is in fact run by the attackers. When the user logs in, rather than gaining access to the site, their details are captured by the attackers. These details can then be used to log in to the legitimate site, or used as leverage to extort money from the victim.
What You Can Do About It
Implement A Secure Email Gateway (SEG)
A secure email gateway sits in front of your mail server (usually as the MX destination for your domain) and scans all inbound mail for indications of malicious content: spam and sender-reputation filtering, attachment scanning and sandboxing, URL rewriting with checks at click time, and sender authentication checks such as SPF, DKIM, and DMARC. SEGs typically layer several filters, each looking for a different signal, to reduce the chance of anything malicious slipping through the cracks. Because they sit at the perimeter, a conventional SEG does not see mail sent internally from an account that has already been compromised; that gap is what the post-delivery tooling described under BEC below is for.
SEGs are unobtrusive and can prevent the vast majority of email-based threats from reaching the end user. When 96% of companies have been the target of an email-related phishing attempt, it’s important that you stop as many attacks as possible before they have the chance to reach their intended recipient.
For more information on The Top 11 Secure Email Gateways, you can read our article here.
Security Awareness Training
When users know what a phishing email looks like, they can become one of your biggest assets in the fight against phishing attacks. In order to give them the relevant information, staff should be enrolled on a security awareness training (SAT) course. Through videos and interactive quizzes, staff will be taught how to spot a malicious email. Your SAT solution should have the capability to run phishing simulations to test your users’ responses to phishing threats. This gives you real-world data on how effective the training is and enables you to highlight any users who need additional support.
For a list of The Top 10 Security Awareness Training Solutions For Business, read our article here.
Business Email Compromise
Business email compromise (BEC) is a specific form of phishing. Rather than the “scatter gun” approach of generic phishing, the attacker takes time to select a target organization, picks a trusted identity to abuse (typically an executive, or a supplier the organization regularly pays), learns that person’s habits, writing style, and the contextual detail of their role, and then sends a precise request to someone with the authority to move money or data, such as a member of the finance team. The impersonation may be a lookalike address or spoofed display name, or it may come from the genuine mailbox if the attacker has compromised it. BEC emails usually carry no malware and no link, just a plausible instruction, which is why payload-focused filters so often miss them.
What Are The Risks?
With a wealth of relevant and accurate personal information, a realistic phishing email will be sent to the target. An attacker might masquerade as an organization’s CFO, for example, and send an email to someone in the finance team, asking them to make an overdue payment. The bad actor might send the account details, or they may have set up a spoofed site that looks legitimate. The finance member will make the payment in the belief that the bill is outstanding, and they should act promptly to prevent any negative consequence.
BEC attacks are so effective as they gather a large amount of information to create a realistic and plausible scenario. As the request is coming from someone (who appears to be) high ranking, it is unlikely to be questioned too closely. BEC attacks are used to steal trade secrets, as well as for financial gain.
What You Can Do About It
As BEC is a form of phishing attack, all the advice to prevent phishing attacks is relevant here. There are one or two additional steps that can be taken to decrease the chance of a BEC attack being successfully carried out.
Privileged Access Management
The number of users who can make payments from an organization’s bank account should be limited, and no single person should be able to both set up and approve a payment. Within your IT estate, the same principle is enforced through a Privileged Access Management (PAM) solution. PAM controls which users have access to specific privileged accounts or areas of the network, ensuring that users have enough access to complete their job, but no unnecessary access. All privileged user activity can be logged by the PAM solution, which is essential for compliance and auditing purposes.
These solutions can also grant “just-in-time” privileges – this means that a user will have to seek permission each time they need to make a payment, or access critical network areas. As users have to request permission, there are more checks in place to ensure that the payment is legitimate.
A list of The Top 10 Privileged Access Management (PAM) solutions can be accessed here.
Post-Delivery Cloud Email Security
Cloud email security solutions can monitor historical and current user activity to build up a picture of usual behavior. This can then be used as a baseline to compare new communications with. If any abnormal behavior is detected, the solution will either automatically block it, or alert an admin to it for investigation. Some cloud email security solutions will also analyze a user’s relationship with other email addresses and catalogue the type of relationship between the two. Any time a new email address is identified, or an account is behaving in an unusual way, an alert can be triggered.
Some cloud email security solutions also assign a risk score to inbound emails, categorising them according to risk type and severity. If an email is classified as risky but still delivered, the solution will insert a warning banner to notify the user that the email may be malicious. This will warn the user to be cautious, and ensure they double check who they’re corresponding with, and if the actions are safe.
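The relationship baseline, risk score, and warning banner described above can be sketched in a few dozen lines. The following is an added example written for this article, not code from any of the cloud email security products it refers to. The organization domain, the executive list, the per-mailbox set of known correspondents, the signal weights, and the banner threshold are all hypothetical, and the two messages are constructed for the demonstration. It combines the signals a post-delivery tool typically looks at for BEC: a first-time sender, a display name that belongs to an executive but arrives from a different address, a lookalike of the organization’s own domain, a Reply-To that diverts the conversation, and urgent payment language.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List, Optional, Set

# Constructed baseline for this example (hypothetical organization and contacts).
ORG_DOMAIN = "example.com"
# Display names attackers like to impersonate, mapped to the person's real address.
EXECUTIVES: Dict[str, str] = {"Jane Doe": "jane.doe@example.com"}
# Who each mailbox has historically exchanged mail with (the "relationship graph").
KNOWN_CORRESPONDENTS: Dict[str, Set[str]] = {
    "accounts@example.com": {"billing@supplier-co.com", "jane.doe@example.com"},
}
URGENT = re.compile(r"\b(urgent|immediately|today|asap|overdue|wire|bank details)\b", re.I)
BANNER_THRESHOLD = 3  # hypothetical cut-off; tune against your own mail


@dataclass
class Message:
    to: str
    from_header: str               # raw From: value, e.g. 'Jane Doe <jane@example.com>'
    subject: str = ""
    body: str = ""
    reply_to: Optional[str] = None


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    banner: bool = False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_message(msg: Message) -> Verdict:
    v = Verdict()
    display, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. First contact: the sender is not in this mailbox's historical relationships.
    if addr not in KNOWN_CORRESPONDENTS.get(msg.to.lower(), set()):
        v.score += 2
        v.reasons.append(f"first contact from {addr}")

    # 2. Display-name impersonation: an executive's name, but not their real address.
    real = EXECUTIVES.get(display.strip())
    if real and addr != real.lower():
        v.score += 4
        v.reasons.append(f"display name '{display}' belongs to {real}, not {addr}")

    # 3. Lookalike domain: a near-miss of our own domain.
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        v.score += 4
        v.reasons.append(f"lookalike domain {domain}")

    # 4. Reply-To redirects the conversation away from the apparent sender.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if reply_addr.lower() != addr:
            v.score += 2
            v.reasons.append(f"reply-to {reply_addr} differs from sender")

    # 5. Urgency and payment language typical of BEC requests.
    if URGENT.search(msg.subject + " " + msg.body):
        v.score += 1
        v.reasons.append("urgent payment language")

    v.banner = v.score >= BANNER_THRESHOLD
    return v


# Constructed sample messages (not real traffic).
SAMPLE_BEC = Message(
    to="accounts@example.com",
    from_header="Jane Doe <jane.doe@examp1e.com>",
    subject="Urgent: overdue supplier invoice",
    body="Please wire the attached invoice today, I am in meetings all day.",
    reply_to="jane.doe.cfo@freemail-example.net",
)
SAMPLE_LEGIT = Message(
    to="accounts@example.com",
    from_header="Supplier Billing <billing@supplier-co.com>",
    subject="Invoice 10423 for March",
    body="Please find attached our invoice for last month's deliveries.",
)

if __name__ == "__main__":
    for m in (SAMPLE_BEC, SAMPLE_LEGIT):
        verdict = score_message(m)
        print(m.from_header, "->", verdict.score, "banner" if verdict.banner else "deliver", verdict.reasons)
```

Note that none of these signals inspects an attachment or a URL; a BEC message with a clean payload scores highly purely on who it claims to be and how it asks. In a real deployment the display-name and lookalike checks also need to cover your executives’ personal-looking names and your suppliers’ domains, and the relationship graph has to be learned from mail flow rather than hand-written.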
Enforce Payment Policies
In a similar vein to the PAM solution, your organization should have policies in place for handling payments, invoices, and the distribution of sensitive information. For example, your accounting team should hold detailed records of invoices and outgoing payments – if a user receives an email asking for additional payment, this can be cross checked to identify if a payment has been missed.
Ensuring you have a contact within the organization that you usually pay – a contractor or supplier, for example – can ensure you do not get tricked. You can confirm any payment details with your contact. In this instance, it is important to use an established phone number or email address, as any contact details within the BEC email could be part of the scam. Using bank details you have on file, rather than ones sent in an email, can prevent money being sent to the wrong account.
“Email Bombing”
Email bombing is a flood of email aimed at an organization’s mail server or at individual mailboxes. In its crudest form it resembles a distributed denial-of-service (DDoS) attack: a botnet of malware-infected machines sends mail to the target faster than the server can accept it, so the server slows, fills its queues and storage, or crashes and cannot operate as normal. A more common modern variant is “subscription bombing”, where bots sign the victim’s address up to thousands of legitimate newsletters and sign-up forms, so that the mailbox is buried under confirmation emails from many unrelated, reputable senders.
In an email bombing attack, your organization’s inboxes become the target of an overwhelming amount of unwanted mail. This can exhaust your mail server’s capacity, preventing you from carrying out business as usual, and even where the server copes, the targeted user can no longer find the messages that matter. As email is at the heart of how organizations communicate, the effect of this attack could be significant.
What Are The Risks?
Ultimately, the risks of an email bombing attack are that your organization is prevented from operating as normal, which would result in a loss of earnings. The attack could affect your ability to email colleagues internally, preventing the attack from being remediated, and your organization from functioning as normal. As well as the cost in loss of earnings, you may have to invest in additional infrastructure, and in fixing damaged systems.
The reputation of your organization might also take a hit. Depending on your sector, this could have longer term, financial consequences. Heavily regulated sectors (finance and medical, for example) might face fines or penalties if they are unable to provide a minimum level of service because of an attack.
In some cases, the overwhelming flood of emails can also be a distraction for an attack that is occurring elsewhere on your network. If, for example, you receive notifications regarding cyber breaches via email, and your email goes down, how will you find out about the attack?
What You Can Do About It
This is a difficult one to prevent. If hundreds of identical emails were being sent to you, it would be easy enough to block. However, in an email bombing attack the messages are typically varied enough, or (in subscription bombing) genuine enough, that spam filters do not flag them: each confirmation email really is from the newsletter it claims to be from. Instead, you should limit the risk of falling victim to this type of attack through good security hygiene and managing the impact:
- Ensure your users only use their work email for work related activities to help to ensure your domain does not cross an attacker’s radar
- Use dark web monitoring tools to identify if your users’ addresses or credentials have been leaked or are for sale, so that exposed accounts can be secured before they are targeted
- Require CAPTCHA codes, and use confirmed (double) opt-in, on your organization’s own mailing list sign-up forms, so that bots cannot subscribe someone else’s address en masse and turn your list into part of an attack on them
- Use “tarpitting” to slow down delivery at the server level, that is, have the mail server pause before responding to a client that is sending at an abnormal rate; while this doesn’t prevent spamming, it reduces it to a more manageable rate and costs the sender time
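The tarpitting idea in the last bullet is simple enough to show directly. The following is an added example, not code from the article or from any mail server; the class name, the window and step sizes, and the client addresses are hypothetical. It keeps a sliding window of message timestamps per connecting client and, once a client exceeds its free allowance, returns a growing delay that the mail server would apply before answering the SMTP command, instead of rejecting the message outright. Production MTAs provide their own rate-limit and delay settings; this shows the logic behind them.

```python
import time
from collections import deque
from typing import Deque, Dict, Optional


class SmtpTarpit:
    """Per-client sliding-window counter that answers with a delay rather than a rejection.

    A client gets `free_messages` per `window_s` seconds at full speed; every message
    beyond that adds `step_s` seconds of delay, capped at `max_delay_s`.
    """

    def __init__(self, window_s: float = 60.0, free_messages: int = 20,
                 step_s: float = 2.0, max_delay_s: float = 30.0):
        self.window_s = window_s
        self.free_messages = free_messages
        self.step_s = step_s
        self.max_delay_s = max_delay_s
        self._seen: Dict[str, Deque[float]] = {}

    def delay_for(self, client_ip: str, now: Optional[float] = None) -> float:
        """Record one message from client_ip and return how long to stall the reply."""
        now = time.monotonic() if now is None else now
        q = self._seen.setdefault(client_ip, deque())
        cutoff = now - self.window_s
        while q and q[0] < cutoff:          # forget timestamps outside the window
            q.popleft()
        q.append(now)
        excess = len(q) - self.free_messages
        if excess <= 0:
            return 0.0
        return min(self.max_delay_s, excess * self.step_s)

    def stall(self, client_ip: str) -> float:
        """Sleep for the computed delay before sending the SMTP response; returns the delay."""
        delay = self.delay_for(client_ip)
        if delay:
            time.sleep(delay)
        return delay


if __name__ == "__main__":
    tarpit = SmtpTarpit(window_s=60, free_messages=5, step_s=1.0, max_delay_s=10.0)
    # Constructed burst: one client (documentation address) sends ten messages in ten seconds.
    for n in range(10):
        print(f"message {n + 1}: delay {tarpit.delay_for('203.0.113.5', now=float(n))}s")
```

The delay is computed per source, so a legitimate correspondent on a different address is never slowed. The caveat is that a stalled connection occupies a slot on your own server for the duration of the delay, so tarpitting must be paired with a per-client connection limit or an attacker can use the delays against you.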
Summary
Email communication is at the core of most businesses today. Without it, organizations would struggle to communicate internally and have to find new ways of reaching their customers. It is, therefore, a tempting target for bad actors.
However, maintaining good email hygiene – implementing a robust email security solution, ensuring all employees have completed SAT, and keeping login credentials private – can help to reduce the risk. Ensuring that you have a spam filter, or SEG, will prevent the majority of malicious emails from entering your inboxes. Having PAM and MFA solutions in place across your network will improve your security posture against a number of threats, not just email-based ones.
Malicious actors are constantly searching for new ways to bypass security measures, access your accounts and trick users into dangerous behavior. It is, therefore, important not to treat this list as exhaustive, but as a starting point. Ensure your organization is secured against these four threats (credential compromise, phishing, BEC, and email bombing), then continue to remain cautious and vigilant.