Ahh, email—it’s likely your first priority in the morning and your last look at end-of-day. You may get anywhere from tens to hundreds of emails a day: coworkers asking questions, supervisors making requests, automated messages requesting verification or login information. Everyone’s done it: skimming through your sky-high backlog, checking for actionable messages, ignoring minute details that might seem out of place—which is exactly what malicious actors are counting on.
Email scams have been around as long as email itself, and in today’s commonly remote-working world, they’re more prevalent than ever, invading the spaces we rely on to communicate both personally and professionally. Two types of scams reign supreme: phishing and business email compromise (BEC). While BECs are more specific, phishing can refer to a wide number of social engineering tactics designed to catch employees unawares and obtain sensitive information.
But there are always cutting-edge solutions on the horizon, just like there are always simple measures your organization can take to protect against the subtlest threats. Today, we’ll talk about the top two email scams and how you can respond in the everyday, then get into exciting investments in the digital world designed to extend the reach of your IT security strategy.
Don’t Be Phishing Bait
One of the dangers of phishing is how efficiently it targets email. Harris, Firstbrook, and Chugh from Gartner’s Infrastructure Security Initiative (2020) warn that despite ever-increasing threats to other attack fronts, email is the most common channel for opportunistic and targeted attacks and a considerable source of data loss.
Phishing scams via email are never what they seem. They could show up as communications from people you know or websites you have accounts with, asking you to open a file or click on a link. According to the 2020 Verizon Data Breach Report, 22% of data breaches involved social engineering—and 96% of those breaches came through email. They had less to do with the IT security measures in place and more so with human error, failing to spot the indicators of a phony communiqué.
One of the best tactics for phishing prevention can be educating your employees on what to look for. Elements as simple as spelling or grammatical errors or unfamiliar email addresses can be a dead giveaway, and when employees are in doubt, train them to hover over links to make sure they go to a known address. Employees should also be prepared to immediately report suspicious activity on their email server to your IT security department, as spreading the word can be critical to keeping others from falling for the same scheme.
While keeping employees informed is a best practice for all aspects of IT security, there remains plenty of opportunity to invest in technology that can pick up the slack. Much like AI-driven behavioral anomaly systems, anti-phishing systems can monitor incoming emails for traces of malware, suspect URLs, or account takeover attacks. Some of these systems even check for communication patterns and conversational anomalies, picking up on awkward phrasing or some of the aforementioned errors.
No Compromise For BECs
What exactly is so insidious about Business Email Compromise (BECs)? Most BECs use social engineering to manipulate employee accounts and incite fraudulent money transfers. Whereas phishing can involve inattention to little details in suspicious emails, BECs actually rely on them. Even more concerning, a BEC actor has usually already obtained control of one employee’s account, making the scam appear from a credible source. The more egregious BECs go as far as to spoof company domains to target suppliers and customers.
However, the latter is where DMARC comes in handy. DMARC, or Domain-based Message Authenticating, Reporting, and Conformance, is an email authentication system that certifies the sending domain for recipients. Ideally, DMARC records all legitimate correspondence and protects your customers and partners from impersonation attacks. According to Firstbrook for the Infrastructure Security initiative (2020), it’s specifically designed to prevent exact domain spoofs, which are used in 10% of all phishing attacks against employees, partners, and consumers alike.
DMARC certification may be highly specific in the world of BEC prevention, and while it won’t work for everyone, it plays a critical role in raising awareness. As Harris, Chugh, and Allan for Infrastructure Security (2020) point out, there is no one solution for BECs. Combating them will rely on a combination of technology, process, and user understanding.
Because BECs are a specialized form of phishing, it doesn’t hurt to include the hallmarks and precautions in your employee awareness training. Impostor detection and internal email protection come in all different shapes and sizes to meet your organization’s needs, and for high-risk financial or data transactions, Harris, Chugh, and Allan at Gartner recommend moving the relevant email requests to more secure servers altogether.
Always worth mentioning is the power of multi-factor authentication, a favored solution of CIOs and CISOs for the 2021 business year. Whereas certain business servers only require an email and a password for access, making it easier for malicious actors to snag, making login and data access a multi-step process will do its part to thwart hackers who think they’ve made it in.
The Next Step
When phishing makes your people part of the problem, you can make them part of the solution. Integrating the human element into your IT security strategy is part of the strongest defense against social engineering, and as part of your cyber-education efforts, you can invest in a Social Engineering Evaluation, a smart and cost-effective add-on to your IT Security Assessment or HIPAA Risk Assessment.
BAI’s real-world assessment puts your team to the test, using the methods of today’s cyber criminals to raise your organization’s level of security awareness and preparation. Along with legitimate tactics and methodologies developed by our seasoned team of in-house experts, we also offer several Enhancement Options:
- In-person or phone-based security audits
- Endpoint compromise
- USB flash drive drop
- Black box placement
- Multiple scenario deployment
Take the next step in building your human firewall, and contact us today.