With spam emails being a source of irritation for many, they are also a significant cause of cyberthreats. In May, spam emails accounted for a staggering total of 85.16 per cent of all emails sent, with an average daily spam volume of 366.51 billion globally.
According to Verizon’s 2018 “Data Breach Investigations Report”, email remains the number one path for malware distribution (92.4 per cent) and phishing (96 per cent).
Emails serve as the perfect opportunity for attackers to share malicious links and file attachments, which people often click on without thinking of the consequences. With phishing and social engineering becoming increasingly sophisticated, even those who are aware of such threats are not necessarily void of exposure to attacks.
Cybercriminals may use seemingly legitimate email addresses or copy the format of a well-established organisation to appear as a trusted source. During Cisco’s recent “CISO Benchmark Study”, the extent of spam email threats was self-evident — 56 per cent of CISOs (chief information security officers) surveyed revealed that defending against malicious links within emails was “extremely” challenging. This ranks higher than any other security concern surveyed, outranking worries around data in the public cloud and mobile device use.
Still easy to breach
The risks are clear, especially when considering simulated phishing campaigns carried using Duo Insight — a tool which enables users to construct fake phishing campaigns to test and educate users within their organisation. Duo’s 2018 research showed that 62 per cent of phishing simulation campaigns captured at least one set of user credentials. Of all the recipients, almost a quarter clicked the phishing link in the email and half of them entered credentials into a fake website — identifying the ease with which scams can occur.
Another Cisco survey found 70 per cent of respondents admitting difficulties when aiming to protect against email threats. Irrespective of the consequences of email-led attacks, 75 per cent of respondents shared that they had experienced operational impacts, with 47 per cent reporting these to be significant on their finances. Overall, Talos Intelligence data puts spam email at a 15-month high. The number of new phishing domains showed an increase of 64 per cent between January and March, with the rise potentially continuing.
Although avid computer users may have heard of the preventive steps many times before, it is crucial that they are reiterated, for the benefit of keeping cybersecurity at the forefront of one’s online agenda. The vital areas of consideration for responsible online behaviour:
* Run regular phishing exercises to teach employees how to recognise even highly tailored and sophisticated phishing attempts and report them.
* Use multi-factor authentication to prevent attackers from gaining access to accounts.
* Keep software up to date — email gateways, apps, operating systems, browsers, plug-ins; just make time to patch.
* Never wire money to a stranger — set up strict policies that require high-ranking authorisation of wire-transfers. Have a designated secondary signature requirement.
* Stop and think — does the message in the email sound technically plausible? Does the pitch make sense? Are there holes in the requester’s story?
* Users — check the sender’s email address against the message signatory — do they match? If not, do not click on any links.
A multi-layered approach is crucial in order for businesses to remain secure and minimise their risk of email-borne attacks. An organisation is never too big or small to be out of the realm of consideration for an attacker, which is why education and best practice is crucial for all.
Traditional approaches such as spam blockers, malware and URL blockers and integrated sand-boxing remain essential. However, new technologies such as domain-based Message Authentication, machine learning and email remediation among others can help businesses stay ahead, remaining vigilant and prepared in today’s changing online landscape.
Fady Younes is regional Cyber Security Director at Cisco.