Cybercriminals increasingly use new forms of identity deception to launch an email attack to target your weakest link: humans.
Call it a case of locking the back window while leaving the front door wide open.
In recent weeks, a number of reports have surfaced about sophisticated cyberattacks that are proving all too successful at circumventing the elaborate defenses erected against them.
Firewall? Check. Application security? Ditto. Endpoints? Those are covered, too. Yet despite the $97 billion organizations will spend this year on perimeter security, the bad guys are still winning. This year alone, cybercrime losses in the US will exceed $12 billion.
But how can this be possible? How can businesses grow more vulnerable even as their defenses harden? As it turns out, 97% of organizations are failing to effectively leverage modern technology to protect against the number one target cybercriminals use to implement their schemes: Human beings.
Indeed, whether it’s a recent $2.6 million SamSam ransomware attack on the Atlanta Police Department, or the 1.4 billion corporate records stolen in data breaches in Q1, cyberattacks tend to have one thing in common:
They almost all involve identity deception perpetrated not against computer systems, but against specific individuals. And that means they almost always start with email.
The fact is, email is still the most popular tool for business communication and collaboration. But most email security systems are falling short in protecting organizations against fraud.
Then again, we’re not talking about the typo-laden phishing email attack of yesteryear.
Cybercriminals now produce flawlessly crafted messages capable of deceiving virtually anyone. They’ve also come to understand something far more critical to their success: You’re much more likely to be fooled into disclosing sensitive information or downloading dangerous malware if you’re reacting to a friend or colleague.
Take the current trend in file-sharing email fraud. According to CSO, cyberthieves are increasingly leveraging information from social media to target corporate employees and then posing as colleagues and sending them file-sharing phishing emails from OneDrive and other popular cloud services.
Embedded links within the emails lead recipients to fake sign-in pages, where they’re prompted to enter their personal credentials. Attackers then leverage those credentials to hijack victims’ accounts, where they can steal valuable information, access contact lists, and launch ever-more devastating attacks.
The problem: Most email security solutions can’t detect this kind of fraud because the login page is hosted on a compromised website with a good reputation.
Email Attacks: Personalized & Pernicious
Most identity deception-based email attacks increasingly follow a similar playbook.
First, they leverage popular cloud services in order to make infrastructure reputation less reliable. After all, it’s not as if organizations can simply blacklist the likes of Google or Microsoft, since they also send a large amount of legitimate email.
Second, they appear to come from identities and brands the individual trusts. Think simple display name ploys, where fraudsters insert a trusted identity within the “from” field within Gmail and Yahoo. Or domain spoofing, which involves displaying a legitimate email address using third-party email sending services that don’t verify domain ownership. But that’s not all.
In a lookalike domain email attack, criminals substitute say, “invoices-acme.com” for an actual domain, like “acme.com,” to send fraudulent invoices. And then there are account takeover (ATO) attacks, which originate from legitimate-but-compromised accounts and are notoriously difficult to detect.
Whatever the technique, the highly personalized messages within these emails are designed to be indistinguishable from everyday business email, rendering traditional content analysis ineffective.
The goal: manipulate the recipient into taking some action or disclose some piece of information that they assume will be safe.
Stemming the tide of such attacks won’t be easy.
Securing the New Perimeter
Security awareness and phishing training can help employees detect some of these new forms of email attack. But the quality and sheer volume of new email schemes mean that will only go so far.
And yes, Domain-based Message Authentication Reporting and Conformance (DMARC) protocols can help stop domain spoofing and brand hijacking. But 9Y7% of companies have yet to set up policy parameters to optimize effectiveness. And even then, this doesn’t protect against most inbound attacks.
It’s also unclear how many organizations are deploying machine learning technologies with the kind of modeling and analytics capabilities needed to go beyond content analysis and infrastructure reputation to assess people, relationships and behaviors and put an end to the identity deception-based email attack.
As it stands now, there probably aren’t enough of them. According to the FBI, losses from business email compromise (BEC) alone could top $9 billion this year — a 2,370% increase since 2015.
Which means we’d all better hope more organizations move beyond just securing that “back window” on the perimeter—and stop the endless stream of identity-based email attacks flowing through their front door.
Identity is the New Perimeter (Part 1 of a 4-Part Series)
Next in the Series
To learn more about identity deception, the rapidly evolving threat from email attacks, and advanced machine learning solutions that can help you stop them, download an exclusive white paper, here.