Mid-Year Email Security Report: It’s Still a Huge Problem and a Major Threat
Despite the vast amount of publicity that dangers such as phishing, spam and business email compromise have received, the hard truth is that business workers (and everyone else) are still falling for these tricks. Most people know that many cyberattacks are transmitted via email, but human gullibility is stronger than common sense.
Consider this example. Your employee arrives at work and opens his email inbox. The first message carries the subject, “Urgent. Payment Declined. Please Address Immediately.” Concern overcomes prudence and he opens the message, which reads, “Avoid return of your recent order.”
Worried that an order he placed online is in jeopardy of being returned, the recipient clicks on the link in the message. No hovering over the link to see if its destination matches what it says; no checking online with the merchant to see if a recent order is being held up due to a payment problem.
The trap is sprung … the prey has been caught. Theft of credentials or a ransomware infection may soon follow.
This scenario plays itself out every day in companies around the world. Fortunately, there is a much more successful approach. Firms that implement an email security solution that trains users to recognize and report potentially spoofed emails, detects attacks in real time, and aggressively quarantines suspicious emails will have the best chance of avoiding negative outcomes.
Email Security: It’s a Numbers Game
Although statistics vary from one study to another, the hard reality is that the vast majority of cyberattacks start with an email. In 2019, 65% of U.S. organizations experienced a successful phishing attack. And the numbers aren’t getting any better. Spear phishing — a targeted email attack purporting to be from a trusted sender — has become an especially common threat vector.
With spear phishing, scammers generally ask an employee (often a new hire) to do something that circumvents corporate channels. The email may appear to come from the company’s head of human resources, for example, telling the worker it’s urgent that he or she download and complete more “new hire” paperwork. When the worker clicks the link, they open the door to the cybercriminal.
These tricks are also common during tax season, when scammers may purport to be an organization’s accounting or payroll firm. The message might contain a warning that information needed for the worker’s W-2 is missing, the deadline is looming and they must fill out some paperwork. Again, they are instructed to access the paperwork directly by clicking on a link — which is bogus. As soon as they do, they may be taken to a spoofed site where the attacker can collect usernames, passwords or other sensitive information.
Protecting Against the Inevitable
It may seem incredible that computer users can be duped successfully, over and over again, but it is a proven fact. People are naturally gullible, and they respond more readily to messages that suggest haste is required.
At Carmichael Consulting Solutions, we recommend Barracuda Email Protection & Inky for G-Suite. They incorporate the prudent approaches we mentioned above, providing comprehensive protection against all 13 known email threat types, from ransomware and spam to spear phishing, business email compromise and account takeover.