When it comes to data breaches from cyberattacks, one attack vector stands out clearly as the Achilles' heel of most organizations: email. If an organization has 100 or more Microsoft 365 inboxes, there is a 98% chance it already harbors malicious emails that slipped past its gateway defenses and are waiting for a user to click or reply unwisely, with fraud, account takeover, ransomware, or a data breach as the likely result.
Government is watching email scams as well: the FBI identifies business email compromise (BEC) as the most financially damaging category of online crime. BEC attacks are so effective because nearly all of us rely on email to conduct business, both personal and professional. Yet despite the damage it causes, BEC is only one of many email threats.
There are 13 distinct email threat types, ranging in complexity. Spam, malware, data exfiltration, URL phishing, scamming, spear phishing, domain impersonation, brand impersonation, extortion, business email compromise, conversation hijacking, lateral phishing, and account takeover are all unique email threat vectors that organizations need to defend against.
To keep pace with attackers, businesses must take a proactive approach to email security and build a strategy around what matters most. Understanding the nature and characteristics of these 13 email threat types is only the first step in protecting a business's most valuable asset: its data.
Threat actors exploit email to reach their objectives and compromise an organization's data, and they continually adapt and innovate. Because email threats evolve and multiply over time, staying ahead of attackers across so many distinct threat types is a complex challenge.
Email security has become a crucial component of effective data protection. So how can organizations mitigate email security threats? Businesses need to address the multiple points of weakness that attackers can exploit, across three areas: people, process, and technology:
- People: Educate the staff.
People are the softest target. Phishing awareness training is imperative as a first line of defense against email attacks. Training should include tools that simulate real-world campaigns and report the results back to participants. Deliver it in short, digestible lessons, to every employee, on an ongoing basis: phishing tactics change constantly, and people can only recognize the current ones if their training is continuous.
- Process: Adapt to keep up with the bad guys.
Attackers never stop updating their techniques, so an organization should update its processes regularly. Require multi-factor authentication for logins (phishing-resistant methods where available, since one-time codes can themselves be phished), advise employees not to click links or open attachments in unsolicited mail, not to sign up for third-party accounts or services with their work email, and give them a simple way to report suspicious messages.
- Technology: Leverage top tools.
Email security technology has advanced well beyond the days of URL and attachment scanning, although those capabilities remain important. Organizations should complement them with AI-based tools that spot suspicious behavior, such as a lookalike sender domain or an unusual reply path, which signature-based scanning misses. Security leaders in every vertical should ask whether the technology they have will hold up against an advanced threat, and whether their employees know what to do when an attack gets through.
Cybercriminals keep returning to email because email attacks are proven to work. Organizations can take many steps to build strong defenses, but it is important to get back to basics and recognize that everyone plays a role in email security.
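To make the "technology" layer concrete, here is an added example (not Barracuda code and not part of the original article) of the kind of heuristic checks a gateway or mailbox scanner runs on a message: lookalike sender domains (domain impersonation), a display name that borrows a trusted brand (brand impersonation), a Reply-To that routes answers elsewhere (a common BEC tell), deceptive or raw-IP links (URL phishing), and executable or macro-enabled attachments (malware). The trusted domains, the sample messages, and the homoglyph table are all constructed assumptions for the demonstration.

```python
"""Heuristic email scanner (added example): flags lookalike sender domains,
display-name brand spoofing, Reply-To mismatches, deceptive links and risky
attachments. Takes an email.message.EmailMessage (email.policy.default)."""
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's own / partner domains (hypothetical names).
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".iso", ".docm", ".xlsm", ".html")
# Characters commonly swapped in typo-squats: 0/o, 1/l, 3/e, 5/s, and rn/m.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-copies such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    folded = domain.replace("rn", "m").translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_message(msg):
    """Return a list of (category, detail) findings for one message."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Domain impersonation: sender domain is a near-copy of a trusted one.
    target = lookalike_of(from_domain)
    if target:
        findings.append(("domain-impersonation", f"{from_domain} resembles {target}"))

    # Brand impersonation: display name borrows a trusted brand, address does not.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and any(b in from_name.lower() for b in brands):
        findings.append(("brand-impersonation", f"{from_name!r} sent from {from_domain}"))

    # BEC tell: replies are routed to a different domain than the visible sender.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))

    for part in msg.walk():
        # URL phishing: raw-IP links, link text naming a different host than the
        # href, or a link host that is itself a lookalike of a trusted domain.
        if part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                href_host = _host(href)
                shown = re.sub(r"<[^>]+>", "", text).strip()
                shown_host = _host(shown) if "://" in shown else ""
                if IPV4_RE.fullmatch(href_host):
                    findings.append(("url-phishing", f"link to raw IP {href_host}"))
                elif shown_host and shown_host != href_host:
                    findings.append(("url-phishing", f"shows {shown_host}, links to {href_host}"))
                elif lookalike_of(href_host):
                    findings.append(("url-phishing", f"{href_host} resembles {lookalike_of(href_host)}"))
        # Malware delivery: executable or macro-enabled attachments by extension.
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


def build_sample(malicious=True):
    """Constructed test message (not real traffic); benign variant on request."""
    msg = EmailMessage()
    if malicious:
        msg["From"] = "Example Bank Payroll <payroll@exarnple.com>"
        msg["Reply-To"] = "payroll-desk@mail-relay.invalid"
        html = ('<p>Sign in at <a href="http://203.0.113.7/login">https://example.com/login</a> '
                'or use the <a href="https://examp1e.com/form">portal</a>.</p>')
    else:
        msg["From"] = "HR Team <hr@example.com>"
        html = '<p>The updated handbook is on the <a href="https://example.com/hr">HR portal</a>.</p>'
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Updated direct deposit form"
    msg.set_content("Please see the HTML version of this message.")
    msg.add_alternative(html, subtype="html")
    if malicious:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename="form.exe")
    return msg


if __name__ == "__main__":
    for cat, detail in scan_message(build_sample()):
        print(f"{cat:22s} {detail}")
    print("benign findings:", scan_message(build_sample(malicious=False)))
```

Run as a script it prints six findings for the constructed phishing message and none for the benign one. These checks are deliberately simple string and distance heuristics; they show what "suspicious behavior" looks like at the message level, and are the baseline that behavioral and AI-based detection builds on rather than a replacement for it.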
Mike Flouton, vice president, email security, Barracuda Networks