There is no question that unwanted email is a source of annoyance. It is also the biggest source of cyber threats. In fact, just last month, spam accounted for 85 percent of all email sent. Plus, according to Verizon’s 2018 Data Breach Investigations Report, email is the number one vector for both malware distribution (92.4 percent) and phishing (96 percent). Attackers know that, unfortunately, this channel just works.
Because email forces the user to stop and at least scan every message they receive, it presents the perfect opportunity to serve up malicious links and file attachments that people in a hurry sometimes mistakenly click on. Phishing and social engineering have gotten so sophisticated that it can be hard for even cyber-savvy users to discern the legitimate from the malicious.
Our most recent CISO Benchmark Study showed that 56 percent of CISOs we surveyed felt that defending against the user behavior of clicking a malicious link in an email is very or extremely challenging. This ranks higher than any other security concern surveyed—higher than data in the public cloud, and even higher than mobile device use.
The risk becomes evident when looking at simulated phishing campaigns carried out as part of Duo Insight, a tool that allows users to craft fake phishing campaign in order to test and educate users within their organization. Duo’s 2018 research showed that 62 percent of phishing simulation campaigns captured at least one set of user credentials. Of all the recipients, almost a quarter clicked the phishing link in the email and half of them entered credentials into a fake website.
In a separate Cisco survey commissioned last year, 70 percent of those respondents reported that protecting against email threats is becoming more difficult. Regarding the consequences of email-borne attacks, 75 percent of respondents said they experienced significant operational impacts, and 47 percent reported significant financial impacts.
The picture is grim, and sadly, the numbers are trending up. Overall volume of spam email is currently at a 15-month high, according to Talos Intelligence data, and the number of new phishing domains has shown a 64 percent increase from January through March 2019, indicating that attackers could be gearing up for more phishing attacks.
While the following preventive steps have been recommended many times by many sources, given the continued increase in successful email attacks, they are worth repeating. At Cisco, we practice all of them regularly as part of our foundational and extensive security efforts – and it’s paid off through significant declines in email-based compromises of our network.
- Run regular phishing exercises to teach employees how to recognize even highly tailored and sophisticated phishing attempts and report them
- Use multi-factor authentication to prevent attackers from gaining access to accounts
- Keep software up to date – email gateways, apps, operating systems, browsers, plug-ins; just make time to patch
- Never wire money to a stranger – set up strict policies that require high-ranking authorization of wire-transfers; have a designated secondary signature requirement
- Stop and think – does the message in the email sound technically plausible? Does the pitch make sense? Are there holes in the requester’s story?
- Users – check the sender’s email address against the message signatory – do they match? If not, don’t touch it!
As has long been the case, a layered approach to security is critical in defending your organization from email-borne attacks. Traditional approaches like spam blockers, malware and URL blockers and integrated sand-boxing remain must-haves. There are also new technologies like DMARC, machine learning, email remediation and several others that will help all organizations keep up with the always changing email threat landscape.
We invite you to download our full report Email: Click with Caution – How to protect against phishing, fraud, and other scams…