If you want to know why business email compromise (BEC) and other advanced email attacks keep working so well, just ask Dilbert.
In one particularly biting installment of Scott Adams’ popular workplace comic strip, our tech geek hero sits in his cubicle perusing an email that reads, “Enter your bank account number.” Dilbert’s thought bubble: “Scam.”
Quick cut to engineer Alice. Same email, same thought bubble: “Scam.” One last cut, this time to Pointy-haired Boss as he too reads, “Enter your bank account number.”
His unflinching response: “Okey-Dokey!”
Ouch. Nothing like a few laughs at the expense of the top dog to drive things home, right? But painful as it may be, Dilbert makes a point. While heightened risks may have led you to boost spending on cybersecurity in recent years, the bad guys have been fine-tuning attacks on a vector that lets them bypass all those security controls right from under your own nose: email.
That’s right. Despite the $97 billion C-suites will greenlight to harden defenses this year, a growing number of organizations are contending with attacks aimed not at computer systems, but at specific individuals—including your very own executive team.
The damage done to the execution of your business plan can be as jaw-dropping as the worldwide losses to businesses this year: $9 billion and counting.
Six Degrees of Impersonation
If it’s any consolation, Dilbert gets some of the details wrong. Contrary to popular belief, most email-based attacks are targeted at employees rather than at CEOs, who make up just 2.2% of all attack recipients.
But none of this means you’re immune. According to a recent survey of 800 global IT and C-suite leaders, 20% report that a member of their executive team was scammed into sending sensitive data sometime in the last 12 months via phishing attacks.
Indeed, while some of these fraudulent messages have malware attachments or malicious links, the most sophisticated attacks take advantage of emotional responses that are inherent to human behavior—such as fear, anxiety, and curiosity. And they rely on social engineering to make recipients believe they’re responding to a trusted friend or colleague.
In a recent survey, 92% of organizations report having been hit by successful attacks, with up to 23% of those that end up falling victim suffering direct financial harm. The average loss from a standard-issue phishing con is now more than $130,000 per attack. When it results in a data breach, the price tag can average $7 million and up.
For chief executives and their teams, uncertainty over the legitimacy of inbox messages can hobble executive communications and impede the ability to conduct business via email—potentially derailing their best-laid strategic initiatives. The good news is that there may be an answer.
The Rise of ‘The Intelligent Inbox’
As the risks of BEC, phishing, and other scams increasingly come to light, many organizations make the mistake of fighting the last battle, futzing with security controls in the wake of a successful attack.
Others at least go a step further, training and re-training employees to spot and report email phishing. But this can be counterproductive as an overabundance of false alarms raised to the SOC can be costly to manage.
Ideally, employees should be able to trust their inbox instead of questioning the authenticity of every email they receive. What if businesses could perform predictive trust decisioning on inbound email in real time—before it ever hits the inbox?
The good news is that with a large enough dataset, an AI-based approach informed by real-time intelligence can do what neither humans nor traditional email security controls can — extract insights from a massive volume of global email messages, and use these insights to perform automated real-time inspection of incoming email.
It’s this AI-backed approach that we deliver with Agari Enterprise Protect. By analyzing trillions of emails annually, the solution models good emails and behaviors that simply can’t be faked or spoofed. The machine learning models are continuously updated to address both known and never-before-seen threats. Even though your business might not have seen the threat, it’s highly likely that our network has already.
This always-on, cognitive approach applies rules, makes decisions, and gets smarter with each new sender identity analyzed. And as we sign up new organizations, the dataset and intelligence grow exponentially. It’s a true network effect in action.
More Smarts, Less Uncertainty?
As for the business benefits of this safer, smarter approach to email security? Unbeatable.
For the first time ever, employees at every level of the organization can click on anything in the inbox and know they can open and respond to it with confidence.
No more wasting time assessing an email’s legitimacy, because a thorough assessment has already been performed. No more making calls or sending texts to confirm a message’s authenticity if there’s ever a doubt. No more clogging up the precious cycles of your already overwhelmed SOC. And no more mad scrambles to mitigate the damage when even highly intelligent people fall for phish bait.
Yet for all of this, there’s another reason why tweaking existing security controls in the face of advanced email threats may come up short by comparison. The fact is, this predictive AI-backed approach is fast becoming table stakes for modern internal accounting and security control.
The sheer volume and severity of new attacks also continue to be unrelenting. As it stands now, nearly 6.5 billion fraudulent emails are sent each day. Losses from BEC cons have risen 136% just since 2013. And 93% of those costly data breaches start with well-targeted email scams—which can be compounded by regulatory fines and even criminal charges.
Whatever the path to achieve it, pursuing an “Intelligent Inbox” approach to neutralizing BEC attacks and other advanced email threats could be a very wise choice. Just ask Dilbert.
To learn more about BEC, phishing, and other threats and how to stop them with a modern, AI-based approach to email security, download a special Agari solution brief, “Stop Identity Based Email Attacks.”