By the end of this year, 77% of all enterprises will have moved at least some of their operations into the cloud—including email. At the same time, we're seeing that fraudsters have been doing some modernizing of their own.
Tactics that were once the domain of nation states are now being adopted by increasingly networked cybercrime organizations. Exploiting the same targeting and lead generation tools used by legitimate marketers, these well-funded criminal enterprises run highly professional operations with somewhat formal demand generation and sales functions, complete with sales quotas and revenue forecasts.
So it's no surprise BEC scams have jumped nearly 60% so far this year. A full 92% of organizations report being hit by email scams, with 23% suffering direct financial losses. As more businesses move email operations to the cloud, email fraudsters are actively developing innovative ways to attack them.
And, attacks don’t discriminate—organizations of all shapes and sizes need to take a critical look at email security and lay out a strategy to defend against these ever-evolving threats, because current controls are cutting it. Unfortunately, the threats are only growing more advanced at an accelerated pace.
The Move to Modern Email
The move to O365, G-Suite, and other cloud-based platforms is a strategic imperative for most organizations today.
By eliminating the need for further investment in physical infrastructure, these hosted services not only reduce operations and management overhead—they also offer a stable email experience with most of the security features businesses employ today.
It matters. Email remains the single most important communications and collaboration tool in modern day life. But it comes with a gaping security flaw: the ability for anyone to send an email claiming to be someone else. The lack of built-in authentication has opened businesses up to a growing number of phishing attacks. BEC scams rank among the most dangerous.
To their credit, cloud email providers have integrated key security features of legacy Secure Email Gateways (SEGs) into their platforms. Designed to ferret out spam, malware and malicious links, certain keywords, and high volume of attacks, these features are essential.
Imposters on the @ttack
Just as with legacy security controls, many advanced attacks circumvent these protections with tactics such as display name deception, domain spoofing, or look-alike domains. The key ingredient for the highly-targeted attacks—social engineering to maximize relevance to the recipient and to play off the key human emotions of fear, anxiety, and curiosity.
Instead of relying on code or cargo, these malicious emails leverage highly-personalized, plain-text messages to fool recipients into coughing up login credentials, paying fraudulent invoices, or performing some other harmful action that on the surface seems appropriate and innocuous.
It's paying off, too—to the tune of $12.5 billion in business losses over the last five years. And new attack modalities are cropping up daily.
Take PhishPoint attacks, which involve scammers setting up O365 accounts and placing what appear to be OneDrive files within SharePoint. Posing as colleagues, they then send email invitations to their target recipients, offering to allow them to edit the file.
It's a legitimate SharePoint request, so it makes it through malware scans and most other controls. However, when victims attempt to open the file, they're presented with a fake OneDrive login screen, from which the fraudsters can harvest their credentials.
These attacks are effective because they're perpetrated not against computer systems, but against the weakest link in any organization's cyber-defenses: human beings. Even with the best phishing awareness training, 30% of users open malicious email. On average, it takes just under 4 minutes for an email attack to snare its first victim.
Though generally more secure, cybercriminals able to infiltrate an organization's cloud-based email systems could be hitting the jackpot.
Not Just Email—An Entire Ecosystem
Think about it. Office 365, G-Suite, and other hosted services aren't just cloud-based email platforms. They're ecosystems for which swindled user credentials can quite literally serve as keys to the entire kingdom.
Once they've infiltrated O365, for instance, fraudsters can launch chain-phishing attacks—pulling off executive impersonation scams, requesting fraudulent wire transfers, stealing valuable IP, or redirecting employee paychecks. Those same credentials could grant them access to other O365-connected services, from Skype, to Azure, to more recently LinkedIn, for launching fresh attacks.
Whether organizations maintain on-premise email operations or migrate their email and productivity suites completely to the cloud, one thing's becoming increasingly clear. They're going to need to augment their existing email security controls with solutions that can protect them from even the most vexing email threats.
A Silver Lining Playbook
The move to the cloud is relentless, and shifting email to these platforms is one way to modernize the business.
But just as this trend isn't going away, neither is the scourge of email fraud. Investing more money in legacy systems isn't going to solve the issue. As fraudsters race to modernize their attacks in order to maintain and build upon their revenue flow, look for smart chief executives to elevate and integrate email security with their overall cloud strategy.
Reducing operations and management overhead can and should be combined with halting the significant operational, reputational, and business damage that comes when employees and partners can't trust the safety and legitimacy of the messages in their inboxes.
To that end, we're seeing new strategies being employed by our clients. Where email security is still on-premise, clients are putting Agari email security solutions in front of it in order to generate a mesh of complementary defenses against advanced email attacks.
If you're moving the cloud, combining native cloud security features with Agari can be an even smarter move. In fact, of Agari’s active implementations, roughly two-thirds who deploy O365 eliminate on-premise deployments of legacy email security controls altogether. For the rest, it may only be a matter of time.
Bottom line: Whatever the solutions they put in place, organizations seeking to modernize their operations for the cloud era must make sure their email security gets modernized, too.
To learn more about BEC scams and emerging models for defending against them—including modern, AI-based advanced email protection—download a special report from Agari and Osterman Research.