With identity-based email attacks posing a serious threat to individuals and organizations in every sector, it is critically important to understand how cybercriminals use identity deception techniques to evade existing security controls.
The key to any identity-based attack is impersonation—manipulating components of an email message to exactly match or bear an extremely close similarity to identity markers in a legitimate message. The most common message components that have these identity markers are the “From” header, the Subject header, and the body of the message.
Display Name Deception
Of these components, the display name in the “From” header is the most commonly recognized identity marker, as it is displayed prominently in most email clients. It is also the marker that is most commonly abused, since the sender of a message can specify any value for the display name. Indeed, this technique continues to be the tactic of choice for cybercriminals, accounting for 53% of all email attacks.
Cybercriminals simply need to insert the name of a trusted individual or brand into the display name field within Office 365, G Suite, Yahoo, or any other cloud-based email platform. Since its point of origin is an established and widely used hosted email service, the message easily evades most SEG defenses, and then tricks its recipients because the name matches one they are familiar with—either a brand they trust or a specific person within their organization.
The second most common form of identity deception is also the most harmful. Known as a compromised account attack, this approach is used in one out of every four new email scams, and it is by far the most difficult to detect and stop. A key driver of this attack modality is the rapidly expanding online marketplace for stolen email account login credentials belonging to high-value targets.
Here again, traditional email security controls are defenseless because these attacks are launched from a legitimate email account within a legitimate domain—perhaps even from the same domain as the target. These attacks are especially damaging because each new compromised account can lead to more. A successful compromised account not only gives fraudsters the ability to impersonate the email account’s owner, but it also gives them access to the individual’s contacts, ongoing email conversations, and historical email archives. This makes it possible to craft new scams that appear entirely legitimate—coming from the actual account with all the background information needed to make perfect sense.
The remaining identity deception technique is the look-alike domain. Here, threat actors use common misspellings, homoglyphs, or Cyrillic characters that resemble the original characters to register a domain that closely imitates that of a company or a trusted service such as DocuSign, Dropbox, or Microsoft itself. While large services and corporations often register look-alike domains themselves as “defensive domains” to prevent this attack, they can never register every permutation. In addition, if the organization has not implemented the level of email authentication needed to block the use of the look-alike domain, attacks can still spoof the look-alike domain, no matter who legally owns it.
By only slightly changing the domain, criminals can easily trick recipients who may not notice an extra letter or have the foresight to focus on the sending domain. Indeed, something as simple as changing a lowercase l in an email address to an uppercase I can look identical, yet point to an entirely different digital destination.
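As an added illustration (not code from the original article), the following Python checks a From: header for the two deception patterns described above: a trusted display name arriving from an unexpected domain, and a sending domain that is a one-character misspelling or a homoglyph of a protected domain. The policy tables, the confusables subset, and the sample headers are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed policy for the example: domains to protect, and display names
# that must only arrive from one specific domain (an executive, a brand, ...).
PROTECTED_DOMAINS = {"example.com", "docusign.com"}
TRUSTED_NAMES = {"jane doe": "example.com", "docusign": "docusign.com"}

# Visually confusable characters mapped to a Latin "skeleton" character.
# Hand-picked subset only; Unicode UTS #39 publishes the full table.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j"}

def skeleton(domain):
    """Collapse homoglyphs before lowercasing, so 'PayPaI' and 'paypal' agree."""
    folded = unicodedata.normalize("NFKC", domain)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded).lower()

def edit_distance(a, b):
    """Plain Levenshtein distance; each insert, delete or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if exact or unrelated."""
    if domain.lower() in PROTECTED_DOMAINS:
        return None                      # the genuine domain is never a look-alike
    sk = skeleton(domain)
    for legit in PROTECTED_DOMAINS:
        if sk == legit or edit_distance(sk, legit) == 1:
            return legit
    return None

def classify_from(from_header):
    """Label a From: header: 'ok', 'display-name', 'lookalike-domain' or 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = TRUSTED_NAMES.get(name.strip().lower())
    if expected and domain.lower() != expected:
        return "display-name"            # trusted name, but sent from somewhere else
    if lookalike_of(domain):
        return "lookalike-domain"
    return "ok" if domain.lower() in PROTECTED_DOMAINS else "unknown"
```

Skeleton matching catches the l/I and Cyrillic substitutions from the text, while the edit-distance check catches an added or dropped letter; transpositions and two-character edits would need a wider threshold at the cost of more false positives.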
Despite their differences, each of these forms of identity deception is designed to bypass legacy security controls and ultimately convince recipients that the message was sent by an identity they know and trust. Once the email security system has been bypassed, cybercriminals have struck gold by taking advantage of a much weaker defense—humans themselves.
The result of these new identity deception-based email attacks is that business email compromise, data breaches, and consumer phishing are costing businesses and consumers billions.
Big Business in Business Email Compromise
These attacks are seen on a daily basis through CEO wire fraud schemes, partner invoice scams, or payroll diversion scams, with most organizations receiving hundreds or thousands of them per year. Unfortunately, it only takes one to lose millions of dollars, as Google and Facebook recently discovered in a business email compromise scam that cost the tech giants $100 million each.
And it’s not just huge enterprises that are discovering how easy it is to be scammed. Today, more than 90% of organizations report that they’ve been hit by targeted phishing attacks, with one in five suffering direct financial damage. Depending on the size of the company, industry reports estimate average losses from a successful email attack at $1.6 million—money that goes straight into the pockets of criminals.
Data Breaches Continue to Cause Concern
Business email compromise isn’t the only major player, with the Verizon Data Breach Investigations Report stating that 96% of successful data breaches begin with an email. These breach-focused attacks use spear phishing or social engineering techniques to gain access to sensitive data such as employee W-2 or direct deposit information. According to the Ponemon Institute, data breaches now cost US-based businesses an average of $7.9 million per incident. With 1,579 breaches reported in just the last year by the Identity Theft Resource Center, that comes out to $5.7 billion in annual costs to organizations.
Consumer Phishing Hits Hard
These attacks are not just targeted at employees, as consumers have been hit just as hard. In fact, RSA estimates that the total global losses from consumer phishing may be as high as $9.1 billion, in one year alone. In these attacks, cybercriminals impersonate trusted brands in order to defraud their customers, as well as other consumers and businesses. The negative headlines and reputational damage from these incidents can make the organization’s legitimate emails toxic to consumers who want to avoid falling victim to a scam, and the resulting impact on email-based revenue streams can be catastrophic.
Getting One Step Ahead
To counter these types of threats and those that come after them, the next generation of email security must take a fundamentally different approach from the secure email gateways and advanced threat protection solutions that are currently on the market. As cybercriminals move to outsmart current email security technology, organizations must move with them to a solution that uses identity markers to distinguish identity-based email attacks from legitimate email traffic and stop them before they reach the inbox.