SC Media’s article “Email threat confidence sky-high, but is it misplaced?” highlights the problem EMEA industries face with email threats, and with phishing attacks in particular. EMEA IT teams receive more suspicious emails than the global average and are therefore more likely to come under attack. Research has found that over half of IT security professionals in EMEA think they are more protected from cyber security threats than they were in 2018.
It appears that teams believe they are better protected because of advanced email security solutions. However, that confidence is perhaps misplaced, as many organisations have no training at all on phishing attacks. The article concludes that organisations should assume phishing attacks will succeed, and therefore need to put controls in place to mitigate the impact of those attacks.
SureCloud’s Senior Cybersecurity Consultant, Elliott Thompson, responds to the article, discussing the issue and where the industry needs to improve.
The Threat Landscape
Today, email is still a very significant attack vector. For the vast majority of businesses, email is the one channel through which all staff can receive messages from outside the business. Other systems such as Slack or Skype usually require the business to “invite” someone to a group or channel. With email, an attacker only needs the name of a member of staff to send them a message, and names are often easy to find on Companies House or LinkedIn. With a name, it is possible to guess the email address format and send anyone in the business any desired message. The same is often not true of other forms of communication.
Additionally, decades of badly written and obvious spam have conditioned many of us to assume that if an email looks well-written and on-brand, it is probably legitimate. Attackers are getting very good at making pixel-perfect copies in which the only difference from the genuine message is the link directing you to a malicious website.
Where Are They Going Wrong?
One of the main mistakes we often see is training that shows staff poor quality examples of malicious emails and dwells on the mistakes a particular attacker has made: the wrong font, signature, colours and other details that only apply to poor quality forgeries. A highly skilled phishing campaign usually produces something very nearly identical to a legitimate email. Similarly, a dangerous email may contain no links or attachments at all, which are the things we usually treat as indicators to be suspicious. Instead, it may simply be a request to reset a password or change payment information.
The best way to defend against email-based attacks, in general, is to make verification of unusual or high-risk requests as easy as possible. Building a culture in which staff are encouraged to check unusual requests from leaders can help detect even the most highly skilled forgeries.
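As an added illustration of the two traits described above (not code from the original article or from SureCloud), the following Python script runs a defensive check over an HTML email body: it flags anchors whose visible text names a domain that differs from the host the href actually points to (the “only the link is different” forgery), and it flags link-free messages that nonetheless ask for a password reset or a change of payment details. The request phrases, the sample messages and the function names are all constructed for this example; a real deployment would tune the phrase list to the organisation’s own vocabulary and feed it messages from the mail gateway.

```python
"""
Added example, not part of the original article: flag two phishing traits in
an HTML email body.

 1. Link mismatch: the visible anchor text looks like a domain or URL but the
    href resolves to a different host.
 2. Link-free request: no links at all, but the text asks for a password reset
    or a change of payment information.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase list for link-free social-engineering requests.
REQUEST_PATTERNS = [
    r"\breset (your|the) password\b",
    r"\bchange (of|the|our) (bank|payment) details\b",
    r"\bupdate (the|our|your) payment information\b",
]

# Visible anchor text that itself looks like a domain or URL.
DOMAINISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or bare domain; '' if none can be parsed."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def link_mismatches(html):
    """Anchors whose displayed domain differs from the href's real host."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        # Only compare when the visible text itself claims to be a domain/URL
        if DOMAINISH.match(text) and _host(text) != _host(href):
            findings.append({"shown": _host(text), "actual": _host(href)})
    return findings


def request_phrases(text):
    """Request patterns present in plain text, matched case-insensitively."""
    return [p for p in REQUEST_PATTERNS if re.search(p, text, re.IGNORECASE)]


def assess(html):
    """Summarise both checks for one HTML email body."""
    plain = re.sub(r"<[^>]+>", " ", html)  # crude tag strip for phrase search
    return {
        "link_mismatches": link_mismatches(html),
        "request_phrases": request_phrases(plain),
    }


# Constructed sample 1: on-brand wording where only the link is wrong.
LOOKALIKE = (
    "<p>Your mailbox is almost full. Free up space at "
    '<a href="https://portal.examp1e-corp.net/login">portal.example-corp.com</a>.</p>'
)

# Constructed sample 2: no links or attachments, just a request.
LINK_FREE = (
    "<p>Hi, I'm in a meeting. Please update the payment information for "
    "our supplier today and confirm by reply.</p>"
)

if __name__ == "__main__":
    for name, body in (("lookalike", LOOKALIKE), ("link-free", LINK_FREE)):
        print(name, assess(body))
```

The mismatch check deliberately ignores anchors such as “Click here”, because comparing prose to a host produces noise; only text that claims to be an address is compared. The phrase check is a triage aid for the link-free case, not a verdict: its purpose is to route such messages towards the easy verification step the paragraph above recommends.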
Check out Elliott’s blog on improving email security using external email labels here.
About SureCloud
SureCloud is a provider of cloud-based cybersecurity services and Integrated Risk Management products, which reinvent the way you manage risk.
SureCloud also offers a wide range of cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle, from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) and CREST, and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.