Spoiler alert: When it comes to email security and the fight against business email compromise (BEC) scams, phishing attacks, and other advanced email threats, 2020 won’t be a cakewalk. Then again, neither was 2019. Whether it was ransomware, time-bombed email attacks that activate post-delivery, or the $700 million-a-month losses faced by businesses pummeled by surging BEC attacks, the past year offered plenty of pain to go around.
But the months ahead won’t just be more of the same. Instead, information security professionals will also face surprising new twists as cybercriminals focus less on complex technical attacks and more on simple, low-tech scams that can produce staggering financial and reputational damage with crushing efficacy. Here’s a look at what Fortune 1000 CISOs can expect in 2020:
In 2020, the form of BEC known as vendor email compromise (VEC) will emerge as the top attack modality for email fraudsters targeting the enterprise. In VEC attacks like the kind launched by the cybercrime group we’ve dubbed Silent Starling, fraudsters hijack corporate email accounts, spy on communications, and then impersonate the account’s legitimate owner in emails aimed at defrauding companies throughout the extended supply chain. It’s easy to see the appeal. While a traditional BEC scam can net fraudsters an average $50,000, revenues from a successful VEC attack average $125,000, according to FinCEN.
The good news: There are likely to be fewer malware attacks in 2020. The bad news: Cybercriminal organizations will launch less technical, social engineering-based email attacks at a larger scale. Not only are these attacks much harder to detect than phishing emails containing malicious links or content, they can be just as harrowing. In the year ahead, cybercrime rings won’t be the only ones using these tactics. Iran, Russia, China and other foreign threat actors will seek to hack the email accounts of US presidential campaigns in hopes of influencing the 2020 elections, diverting campaign donations and spoofing campaign brand domains. The Election Security Registered Voter Poll, taken at the end of Oct. 2019, found that 44% of the registered voters said they believe many of the presidential campaigns have already been hacked; and of those, 79% believe that at least some portion of campaigns have been hacked, but just don’t yet know it.
Eastern European and Russian cybercrime rings that have watched the rise of BEC pioneered by West African cybercrime rings will likely launch their own aggressive slate of BEC attacks in the year ahead. Given their operational prowess and far-flung networks of money-laundering channels, their success could easily eclipse that of Nigerian operatives. If the $8.6 billion per year in known business losses since 2016 is bad, the cost to companies could hit the stratosphere in 2020.
With increased use of 2-factor authentication, criminals will seek out ways to circumvent this extra layer of protection. SIM swapping attacks will rise, but so will simple, social engineering-based ploys that fool victims into forking over the one-time passcodes sent via text message during 2-factor authentication. Cybercriminals who acquire breached bank account login credentials, for instance, can text a fraudulent “unauthorized login” alert to the bank customer’s smart phone, adding, “If this was NOT you, please text back the code we just sent you.” Simple, but potentially catastrophic.
Nonstop data breaches will drive the growing availability of millions of compromised email credentials such as Collection #1, making it simpler than ever to take over a high-value target’s email account. Look for a boom in Phishing-as-a-Service (PaaS) offerings, as well as a proliferating number of turnkey phishing kits. Ranging from free to $300, phishing kits typically include zip files with the HTML, PHP files, images and other assets needed to set up phishing sites that replicate legitimate login pages for trusted brands such as Dropbox, Adobe, Microsoft, LinkedIn, Google and more. Randomization generators create multiple URLs so that if one URL gets blacklisted, the other URLs still function. The vast majority of sites have lifespans of as little as 24 hours to avoid being taken down.
In a world where cybercriminals no longer need to rely on malware or malicious content, businesses clearly need a new approach to email security. For many companies, sender identity intelligence paired with machine learning (ML) may be required to solve advanced threats at enterprise scale. But accurate, real-time sender intelligence will be predicated on a robust identity graph that is enriched daily and is drawn from an enormous, high-quality pool of sender behavioral and telemetric data.
Despite the $100 billion invested in cybersecurity over the past year, threat levels continue to rise. In 2020, we believe more companies will feel a moral obligation to strike back through new “active defense” measures. This will include cross-industry efforts to assist expert research teams working to infiltrate email accounts of networked crime rings, document tactics, identify perpetrators, and more. The aim is not to launch counterstrikes, but to share findings with financial institutions and law enforcement so they can recover stolen funds, apprehend perpetrators, and ultimately cripple transnational cybercrime rings.
When phishing attacks originate from a coworker, or from an employee of a trusted supply chain partner, detection can come too late, especially when the goal isn’t direct financial theft. Exfiltration of competitive intelligence and strategies, IP, and valuable customer data is a very real threat. The average costs associated with data breaches now top $8.2 million per incident for US-based companies. For mega-breaches, costs can run as much as $388 million or more. And that’s before any regulatory fines or lawsuits. Considering the $37 million loss one Toyota subsidiary recently suffered from an outsider email attack, it’s not unfathomable that a major corporation will face $50 million in losses from an insider-based wire fraud or credentials phishing attack that results in a data breach in 2020.
“Alexa, can you hack my email?” In coming months, voice tech will be weaponized in new cyberattacks. As relatively insecure forms of continuous data recording (CDR) technology are inevitably hacked, cybercriminals will combine spoken login credentials and the deepfake-enabled “voices” of trusted executives in their phishing schemes. Just ask the German company that recently paid out $243,000 in what may have been the first deepfake-enabled BEC attack. Increasingly, email security will require an adaptive authentication-based approach that leverages ML to analyze thousands of indicators—identity, device, location, behavioral and more—to accurately assess and act on risk.
Expect calls for new regulations that emulate the US Department of Homeland Security’s Binding Operational Directive BOD 18-01, which requires executive branch agencies to adopt Domain-based Message Authentication, Reporting and Conformance (DMARC). This standard email authentication protocol helps organizations protect their domains from being pirated and impersonated in email attacks. Today, most executive branch agencies have fully implemented DMARC, while 82% of the Fortune 500 remains vulnerable to impersonation attacks targeting their customers, partners, investors and the general public. Watch for any proposed mandates to encompass DMARC, cyber-insurance, and advanced threat protection through a defined set of email security controls.
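Publishing a DMARC record is not the same as enforcing one: a record with p=none, a low pct, or sp=none still leaves the domain open to impersonation. The checker below is an added example (not code from the original post or its authors) that parses a DMARC TXT record per RFC 7489 and reports whether it would actually block spoofed mail; the sample records used with it are constructed.

```python
"""Assess whether a DMARC DNS TXT record actually enforces a policy.
Added example, not from the original post; sample records used with it
are constructed. Tag syntax follows RFC 7489 (v=DMARC1; p=...; ...)."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into an ordered tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()  # tag names are case-insensitive
    return tags


def assess_dmarc(record: str) -> dict:
    """Classify a record as invalid, monitor-only, partial, or enforcing,
    and list the gaps a defender would want to close."""
    tags = parse_dmarc(record)
    # RFC 7489: v must be the first tag and must equal DMARC1 exactly.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return {"valid": False, "enforcing": False, "reason": "bad or missing v=DMARC1"}
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:  # simplified: no fallback to p=none when rua is present
        return {"valid": False, "enforcing": False, "reason": "bad or missing p tag"}
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # unparseable pct: treat as not enforcing
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains open to impersonation")
    if "rua" not in tags:
        findings.append("no rua tag: no aggregate reports, so abuse goes unseen")
    return {"valid": True, "policy": policy, "subdomain_policy": sub_policy,
            "pct": pct, "enforcing": policy != "none" and pct == 100,
            "findings": findings}
```

Run it over the TXT record at `_dmarc.<your-domain>` and treat anything other than an empty findings list with enforcing set to true as a gap to close.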
Most, if not all, of these mounting challenges reflect an accelerating shift from technology-driven email threats to social engineering-based attacks. BEC, VEC, extortion, and credential phishing are all on the rise, and none of them requires sophisticated technology. In 2020, organizations able to deploy defenses against these and other advanced email threats may have a distinct business advantage, as those that can’t become increasingly tempting targets.
To learn more about these trends, read the announcement for our 2020 Email Security Predictions.