By the end of this year, 77% of all enterprises will have moved at least some of their operations into the cloud—including email. At the same time, we're seeing that fraudsters have been doing some modernizing of their own.
Tactics that were once the domain of nation states are now being adopted by increasingly networked cybercrime organizations. Exploiting the same targeting and lead generation tools used by legitimate marketers, these well-funded criminal enterprises run highly professional operations with somewhat formal demand generation and sales functions, complete with sales quotas and revenue forecasts.
So it's no surprise BEC scams have jumped nearly 60% so far this year. A full 92% of organizations report being hit by email scams, with 23% suffering direct financial losses. As more businesses move email operations to the cloud, email fraudsters are actively developing innovative ways to attack them.
And attacks don’t discriminate—organizations of all shapes and sizes need to take a critical look at email security and lay out a strategy to defend against these ever-evolving threats because current controls are not cutting it. Unfortunately, the threats are only growing more advanced at an accelerated pace.
The Move to Modern Email
The move to Microsoft Office 365, G Suite, and other cloud-based platforms is a strategic imperative for most organizations today.
By eliminating the need for further investment in physical infrastructure, these hosted services not only reduce operations and management overhead, but they also offer a stable email experience with most of the security features businesses employ today.
It matters. Email remains the single most important communications and collaboration tool in modern-day life. But it comes with a gaping security flaw: the ability for anyone to send an email claiming to be someone else. The lack of built-in authentication has opened businesses up to a growing number of phishing attacks. BEC scams rank among the most dangerous.
To their credit, cloud email providers have integrated key security features of legacy secure email gateways (SEGs) into their platforms. Designed to ferret out spam, malware and malicious links, certain keywords, and high-volume attacks, these features are essential. But they are not enough.
Imposters on the @ttack
Just as with legacy security controls, many advanced attacks circumvent these protections with tactics such as display name deception, domain spoofing, or look-alike domains. The key ingredient for the highly-targeted attacks is social engineering, designed to maximize relevance to the recipient and to play off the key human emotions of fear, anxiety, and curiosity.
Instead of relying on code or cargo, these malicious emails leverage highly-personalized, plain-text messages to fool recipients into coughing up login credentials, paying fraudulent invoices, or performing some other harmful action that on the surface seems appropriate and innocuous.
It's paying off, to the tune of $12.5 billion in business losses over the last five years. And new attack modalities are cropping up daily.
Take PhishPoint attacks, which involve scammers setting up Office 365 accounts and placing what appear to be OneDrive files within SharePoint. Posing as colleagues, they then send email invitations to their target recipients, offering to allow them to edit the file.
It's a legitimate SharePoint request, so it makes it through malware scans and most other controls. However, when victims attempt to open the file, they're presented with a fake OneDrive login screen, from which the fraudsters can harvest their credentials.
These attacks are effective because they're perpetrated not against computer systems, but against the weakest link in any organization's cyber-defenses: human beings. Even with the best phishing awareness training, 30% of users open a malicious email. On average, it takes just under 4 minutes for an email attack to snare its first victim.
Cybercriminals able to infiltrate an organization's cloud-based email systems could be hitting the jackpot.
Not Just Email—An Entire Ecosystem
Think about it. Office 365, G Suite, and other hosted services aren't just cloud-based email platforms. They're ecosystems for which swindled user credentials can quite literally serve as keys to the entire kingdom.
Once they've infiltrated Office 365, for instance, fraudsters can launch chain-phishing attacks—pulling off executive impersonation scams, requesting fraudulent wire transfers, stealing valuable IP, or redirecting employee paychecks. Those same credentials could grant them access to other Microsoft connected services, useful for launching fresh attacks.
Whether organizations maintain on-premises email operations or migrate their email and productivity suites completely to the cloud, one thing is becoming increasingly clear. They're going to need to augment their existing email security controls with solutions that can protect them from even the most vexing email threats.
A Silver Linings Playbook
The move to the cloud is relentless, and shifting email to these platforms is one way to modernize the business.
But just as this trend isn't going away, neither is the scourge of email fraud. Investing more money in legacy systems is not going to solve the issue. As fraudsters race to modernize their attacks in order to maintain and build upon their revenue flow, look for smart chief executives and information security officers to elevate and integrate email security with their overall cloud strategy.
Reducing operations and management overhead can and should be combined with halting the significant operational, reputational, and business damage that comes when employees and partners can no longer trust the safety and legitimacy of the messages in their inboxes.
To that end, we're seeing new strategies being employed by our clients. Where email security is still on-premise, clients are putting the Secure Email Cloud in front of it in order to generate a mesh of complementary defenses against advanced email attacks.
If you're moving the cloud, combining native cloud security features with Agari can be an even smarter move. In fact, of Agari’s active implementations, roughly two-thirds who deploy Office 365 eliminate on-premises deployments of legacy email security controls altogether. For the rest, it is likely only a matter of time.
Whatever the solutions they put in place, organizations seeking to modernize their operations for the cloud era must make sure their email security gets modernized, too.
To learn more about BEC scams and emerging models for defending against them—including modern, AI-based advanced email protection—read our blog on How BEC Scammers Validate New Targets with Blank Emails.