Email is critical to the way we do business. While the advent of email offered businesses a world of convenience and expedience, with it came a multitude of security threats. Email is one of the preferred avenues of attack for hackers looking to access sensitive information or funds.
Most of us consider ourselves to be email-savvy. Unfortunately, email scammers are constantly changing their methods and develop new, highly sophisticated techniques every day. Phishing scams are becoming increasingly advanced, and old ways of protecting against them are no longer sufficient. If you want to be sure that you are keeping your organization safe, your security measures need to evolve along with the threat.
The Ever-Changing Email Threat Landscape
By now, most of your employees are likely accustomed to looking out for anything that might seem suspicious in an email. Early phishing scams were easier to spot, but as users have become more sophisticated, attackers have similarly advanced, and spotting fake emails or other attacks has become increasingly difficult. Attackers are aware that organizations are focusing on email security, and people have become savvier at identifying scams through experience and ongoing security awareness training. The attackers have changed their tactics accordingly.
All phishing attacks are similar, in that their goal is to obtain illegal access to systems or information. What keeps changing is how they go about trying to gain that access. Things like spelling and grammar errors can be easy tip-offs that a message might not actually be coming from the person who claims to be sending it. Attachments that look suspicious or come from unknown senders are obvious red flags. Today’s hackers have developed far less-obvious methods for attempting to obtain user credentials to gain unauthorized access to information and systems.
More Sophisticated Email Attacks
Today’s cyber attackers have come up with new, highly advanced ways to obtain user credentials. This allows them to inject themselves into email conversations through compromised accounts. Users are regularly told to change their passwords as a security measure, but many users employ very simple models for their passwords – for example, changing Password123! to Password1234! at the next forced change. Users also tend to turn to similar passwords with similar changes across all of their accounts – just look at the recent spate of Ring camera attacks which have been blamed on users sharing passwords among their online accounts.
Much like online marketers, hackers maintain profiles on users. They aggregate information from security breaches (Yahoo, Equifax, Target, etc.) and use information from these historical events to build data repositories, including password change information and patterns. They can identify targets who have had their accounts compromised through publicized data breaches at major stores and companies, and capture a user’s credential and password change patterns. With that information, it’s easy for them to guess a user’s current password and employ it to compromise their credentials at their place of business. If the organization doesn’t have strong security protections, including multifactor authentication (MFA) and/or mobile device management (MDM), the hackers may be able to infiltrate email accounts and launch attacks.
Once the hackers have access to an email account, they often set an unseen rule that forwards all email to an outside account under the control of the attacker. The attackers then read the emails and wait for a thread they want to infiltrate, at which point they may create new rules that delete messages from the user’s account that would alert the user to the infiltration. This means the user doesn’t even see the messages, and the attackers have full control of the conversation. With full control, they can then send malicious attachments or links, or implement new routing information for payments that are about to be made. If both parties to the conversation or deal are not vigilant or lack strong email protections, the hackers may convince one of the parties to transfer thousands or even millions of dollars out of the organizations and into their own pockets.
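The forwarding and deletion rules described above leave a trace in the mailbox itself, so a defender can audit rules for exactly those two patterns. The following is an added example, not code from the article or from any mail platform; the rule records are a constructed generic format (name, conditions, actions, forward targets), the organization's domains and the keyword list are assumptions, and the sample rules are constructed.

```python
# Added example (not the article's code): audit a mailbox's inbox rules for
# the two behaviours described above, silent forwarding to an outside account
# and deletion of messages the user would otherwise notice. The rule records
# are a constructed generic format, not any mail platform's real export.

ORG_DOMAINS = {"example.com"}  # constructed: domains the organization owns
# Assumption: subjects an intruder would most want to hide from the mailbox owner
ALERT_KEYWORDS = {"invoice", "payment", "wire", "bank", "password"}


def is_external(address, org_domains=ORG_DOMAINS):
    """True when the address's domain is not one the organization owns."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def audit_rule(rule, org_domains=ORG_DOMAINS):
    """Return human-readable findings for one rule; an empty list means clean."""
    findings = []
    external = [a for a in rule.get("forward_to", []) if is_external(a, org_domains)]
    if external:
        findings.append("forwards mail to external address: " + ", ".join(external))

    actions = set(rule.get("actions", []))
    if "delete" in actions:
        subject_terms = rule.get("subject_contains", [])
        # Tokenize the subject filter so "wire transfer" matches the keyword "wire"
        words = {w for term in subject_terms for w in term.lower().split()}
        hits = sorted(words & ALERT_KEYWORDS)
        if hits:
            findings.append("silently deletes messages mentioning: " + ", ".join(hits))
        elif not subject_terms and not rule.get("from_contains"):
            findings.append("deletes every incoming message")
        else:
            findings.append("deletes messages matching a filter")

    if "mark_read" in actions and external:
        findings.append("marks forwarded mail as read, hiding the forwarding from the user")
    return findings


def audit_mailbox(rules, org_domains=ORG_DOMAINS):
    """Map rule name -> findings for every rule that raised at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, org_domains)
        if findings:
            report[rule["name"]] = findings
    return report


SAMPLE_RULES = [  # constructed sample data
    {"name": "Newsletters", "from_contains": ["news@example.com"],
     "actions": ["move"], "move_to": "Newsletters"},
    {"name": "Delegate", "forward_to": ["assistant@example.com"], "actions": ["forward"]},
    {"name": "Archive", "forward_to": ["collector@mail-attacker.invalid"],
     "actions": ["forward", "mark_read"]},
    {"name": "Cleanup", "subject_contains": ["Invoice", "wire transfer"],
     "actions": ["delete"]},
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run periodically against an export of every mailbox's rules, the report gives a reviewer a short list to confirm with the mailbox owner; an internal forward such as "Delegate" is deliberately left out of the report, since forwarding within the organization is routine.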
Preventative Measures
Knowing hackers’ methods is often the key to preventing attacks, but how can you prevent an attack that you can’t even see? The answer lies in using the most advanced email security tools and coupling them with security awareness and processes.
Multifactor authentication is one of the best ways to prevent hackers from gaining access to email accounts. With multifactor authentication, an email account cannot be accessed unless you have two pieces of information, not simply a password alone. When you use multifactor authentication, it does not matter as much if your users are predictable in changing their passwords or create weak passwords. Even if attackers can figure out the password, they’re still locked out of the email account without the necessary second piece of information.
Within your network and email system itself, you can use security functions such as mobile device management and conditional access to further reduce access from unknown devices or unusual locations. Security information and event management (SIEM) solutions that monitor and alert for unusual communication origination and destinations can help detect if email accounts have been hijacked. These tools allow an organization to identify when its email is being accessed by outside users and where that access is coming from, alerting it that an account has likely been compromised. For example, if a given user typically logs in from locations in Washington, D.C. or the suburbs of Virginia, but now their account is being accessed from Africa or Eastern Europe, an alert will be triggered notifying the organization of possible infiltration.
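The location-based alert described above amounts to comparing each successful sign-in against the locations the user has used before. The following is an added example, not code from the article or from any SIEM product: the log line format is a constructed assumption, the sign-in records are constructed, and the severity levels (a new country outranks a new region within a known country) are a design choice for the example.

```python
# Added example (not the article's code): build a per-user location baseline
# from past sign-ins and flag successful sign-ins from locations the user has
# never used. The log format below is a constructed assumption, not a real
# SIEM schema.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) region=(?P<region>\S+) result=(?P<result>\S+)$"
)


def parse_signin(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def build_baseline(lines):
    """Per-user set of (country, region) pairs seen in successful sign-ins."""
    baseline = defaultdict(set)
    for line in lines:
        e = parse_signin(line)
        if e and e["result"] == "success":
            baseline[e["user"]].add((e["country"], e["region"]))
    return baseline


def find_anomalies(baseline, lines):
    """Flag successful sign-ins from a location absent from the user's baseline."""
    alerts = []
    for line in lines:
        e = parse_signin(line)
        if not e or e["result"] != "success":
            continue  # failures and unparseable lines are not account access
        known = baseline.get(e["user"], set())
        location = (e["country"], e["region"])
        if location in known:
            continue
        # A new country is a stronger signal than a new region in a known country
        known_countries = {country for country, _ in known}
        severity = "high" if e["country"] not in known_countries else "medium"
        alerts.append({
            "ts": e["ts"], "user": e["user"], "ip": e["ip"],
            "location": f"{e['country']}/{e['region']}", "severity": severity,
        })
    return alerts


HISTORY = [  # constructed: the baseline period
    "2024-03-01T08:55:12Z user=alice ip=203.0.113.10 country=US region=Washington_DC result=success",
    "2024-03-02T09:01:40Z user=alice ip=203.0.113.11 country=US region=Northern_Virginia result=success",
    "2024-03-02T18:30:05Z user=bob ip=198.51.100.7 country=US region=Chicago result=success",
]
NEW_EVENTS = [  # constructed: the sign-ins being evaluated
    "2024-03-05T08:58:00Z user=alice ip=203.0.113.10 country=US region=Washington_DC result=success",
    "2024-03-05T03:12:44Z user=alice ip=192.0.2.77 country=NG region=Lagos result=success",
    "2024-03-05T03:13:02Z user=alice ip=192.0.2.77 country=NG region=Lagos result=failure",
    "2024-03-05T10:20:19Z user=bob ip=198.51.100.9 country=US region=Boston result=success",
]

if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(HISTORY), NEW_EVENTS):
        print(f"[{alert['severity']}] {alert['ts']} {alert['user']} from "
              f"{alert['location']} ({alert['ip']})")
```

In practice the baseline window should be long enough to cover a user's normal travel, and a medium-severity alert for a new region is usually routed to review rather than an immediate lockout, while a new country for an account that has only ever been used domestically is worth an immediate check with the user.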
MessageControl is another useful tool for helping users identify email scams. Most organizations have tags on emails that indicate if a given message is going to or received from an external account. However, most users are so accustomed to seeing these tags that they no longer pay much attention to them. MessageControl enhances this tagging system, telling a user not just that a message is external, but that it’s the first time they’re receiving an email from a given sender. When users see these unique messages on an email from someone with whom they’ve had several communications, they’ll be more critical and will likely report the incident, potentially preventing a serious breach. Your security team will be able to verify that the email is not actually coming from the person it claims. These alerts are dynamic and call out anomalies such as a new sender or domain, not just that the message originated outside of the organization.
Because these tags are so infrequent, they stand out to users. Tools such as these that actively monitor where messages are coming from and going to can allow an organization to significantly shore up its defenses against the ever-changing threat. As part of vital ongoing security awareness training, users should be educated about these tools and told to not click on any links or open any attachments when flagged emails come in. Informing employees of new threats and changes to the email landscape, as well as reminding them of existing threats, is the best way to stop attacks once hackers have gained access.
Finally, every organization should have processes for handling and confirming changes to important procedures such as transferring funds, and those processes should include a requirement that such changes should never be made by email alone. The combination of user training, sound organizational processes and procedures, security and monitoring and good message sanitation tools that protect against malware and compromised websites is an organization’s best shield against ever-evolving attacks.
Going Forward
Email attacks are a constantly moving target, and so require a constantly evolving defense strategy. The right tools, training and internal processes can significantly reduce the risk presented by external email messages. The goal is to limit the amount of noise your users are subjected to so that they pay full attention to messages that are actually identified as risky. Your users are your last line of defense; strong tools can help them detect threats before they cause real damage.
Cyberattackers are relentless and will continue to evolve their methods. Just because you can’t entirely eliminate the threat doesn’t mean that you can’t take serious steps to reduce their likelihood of success. Setting up the proper defenses today and building upon those tomorrow are the best way to avoid becoming a victim.
About the Author
Eli Nussbaum is a managing director and the director of business development at Keno Kozie, an IT design and support provider for law firms. Contact him on Twitter @Eli_Nussbaum.