Top Highlights and Takeaways from Our Modern Email Attacks Series
Over the last decade, email has affirmed its position as the preferred channel for communication in the workplace. And with the transition of hundreds of thousands of organizations to fully remote or hybrid work environments, our collective dependence on email has only gotten stronger.
Threat actors recognize this, which is why email’s popularity as an attack vector has grown considerably in recent years. In fact, losses due to email fraud are up 64% since 2020, with the FBI reporting $6.9 billion in cybercrime losses last year.
But cybercriminals aren’t nearly as interested in basic malware, spam, and simple phishing as they were in the past. Instead, they’re focused on high-value, high-impact attacks like business email compromise (BEC), account takeovers, and ransomware. Email attacks have shifted, and email security needs to shift too.
Recently I was joined by cybersecurity heavy-hitters for a three-part webinar series on this topic. Throughout the virtual event series, we discussed how advanced email attacks started, how they’ve evolved, and why they should be a top concern for security professionals worldwide.
Read on for highlights and memorable quotes from our Modern Email Attacks series.
Chris Krebs on BEC: Business Email Compromise as Your Biggest Concern
From 2018 to 2020, Chris Krebs was Director of the Cybersecurity and Infrastructure Security Agency (CISA), leading the national effort to recognize, manage, and reduce cybersecurity risks. Following his departure from CISA, Krebs co-founded Krebs Stamos Group, a cybersecurity consultancy, with Alex Stamos, formerly the CISO at Facebook.
Among other topics, Chris and I discussed the evolution of business email compromise, why BEC is still impacting enterprises, and how organizations can minimize their exposure to it.
Below are three of the biggest takeaways.
1. Threat actors do their homework.
Most companies pride themselves on business intelligence and their ability to effectively target customers by conducting extensive research on their audience. This is exactly what modern threat actors do as well.
Rather than launching high-volume, low-value attacks, cybercriminals leverage information on LinkedIn, SEC disclosures, and even the target organization’s website to create more convincing emails that are more likely to trick employees.
2. Cybercriminals are taking advantage of the shift to remote work.
Over the past two years, work-life balance has been somewhat replaced with work-life fluidity. Because professionals are tasked with switching between work responsibilities and personal responsibilities throughout the day, distractions abound.
Threat actors capitalize on this by sending innocuous phishing emails disguised as notifications from ticketing systems and password reset requests—messages that employees wouldn’t think twice about clicking through, especially when distracted.
3. Protecting your organization requires six key initiatives.
In Chris’ experience, successful enterprises share six characteristics across three categories: strategic, technical, and tactical.
From a strategic standpoint, these organizations have support from the C-suite and encourage a culture of security at all levels of the company. The technical aspect involves knowing who is on your network and practicing proactive identity and asset management.
Finally, these enterprises have an effective process in place for monitoring, detecting, and responding to threats as well as an understanding of what’s needed from a resilience and recovery perspective.
“What I love seeing is executive teams, C-Suites, Boards of Directors, and CEOs that embrace a culture of security. They embrace a culture of, ‘We can do this; we can get this done. We have to work together as a team.’ [Whether] you're the CEO or the intern in the mail room, you're all part of that security team. And so we have to put them in a position to be successful.” —Chris Krebs
Troy Hunt on ATO: Account Takeovers as the Hidden Threat
Australian web security consultant and data breach expert Troy Hunt has made education and outreach the focus of his career. He’s best known for creating “Have I Been Pwned?”, which allows users to see if their personal information has been compromised.
Troy and I discussed the methods threat actors use to compromise accounts, why account takeovers are so dangerous, and steps enterprises can take to protect their workforce from account takeovers.
Here are three of the biggest takeaways.
1. Access to an email account grants cybercriminals “the keys to the kingdom.”
What makes account takeovers such a big threat is the fact that not only do our email accounts contain mountains of sensitive data, but they are also a hub through which threat actors can gain access to just about any other account we have.
Once a cybercriminal has compromised an inbox, they can easily reset passwords for other accounts and also begin corresponding with colleagues to acquire more information and launch additional attacks.
2. Good password hygiene is one of the most straightforward ways to reduce risk.
The overwhelming majority of data breaches involve the human element, and one in five are the result of compromised credentials.
It is not a guarantee against every account takeover, but requiring employees to follow password best practices (not reusing passwords across services, and choosing passwords of an appropriate length with at least one upper and lower case letter, one number, and one special character) counteracts the most common ways cybercriminals compromise accounts: credential stuffing, in which username and password pairs leaked from one breach are replayed against other services, and brute force guessing. One caveat a practitioner should keep in mind: length and uniqueness do far more than character-class rules, which tend to produce predictable variants such as "Password1!"; NIST SP 800-63B recommends against mandatory composition requirements and in favor of screening new passwords against lists of known-breached passwords.
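One concrete way to do that screening is the k-anonymity model used by the Pwned Passwords range API that is part of Troy Hunt's Have I Been Pwned: the client sends only the first five hex characters of the password's SHA-1 hash, receives every suffix in that range with a breach count, and finishes the comparison locally, so the password never leaves the client. The following is an added example written for this page, not code from the webinar or from Have I Been Pwned. The range store it queries is constructed so the example runs offline, the breach counts are made up, the 12-character minimum is an assumed policy value, and only the real API URL and its `Add-Padding` header are taken from the live service.

```python
"""Screening passwords against breach data with k-anonymity (added example)."""
from __future__ import annotations

import hashlib
import urllib.request

MIN_LENGTH = 12  # assumed policy value, not a figure from the webinar


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """How many times the password appears in breach data (0 = never seen).

    range_lookup(prefix) -> str abstracts the transport, so the same logic
    runs against the constructed store below or against the live API.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def evaluate_password(password: str, range_lookup) -> list[str]:
    """Return reasons to reject the password; an empty list means accept.

    Deliberately checks length and breach exposure instead of character-class
    composition: a password that has already leaked is weak however many
    symbols it contains.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"appears {seen} times in breach data")
    return problems


# --- constructed offline stand-in for the range API -------------------------
# Made-up counts for two passwords we pretend have leaked.
_CONSTRUCTED_BREACHED = {"password": 9_545_824, "Password1!": 2_312}


def _build_constructed_store() -> dict[str, str]:
    """Build prefix -> response body in the API's 'SUFFIX:COUNT' line format."""
    store: dict[str, list[str]] = {}
    for pw, count in _CONSTRUCTED_BREACHED.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        store.setdefault(prefix, []).append(f"{suffix}:{count}")
    # Real ranges hold hundreds of unrelated suffixes; add a filler line per
    # prefix so the caller has to pick out the matching suffix.
    for lines in store.values():
        lines.append("0" * 35 + ":1")
    return {prefix: "\r\n".join(lines) for prefix, lines in store.items()}


_STORE = _build_constructed_store()


def constructed_range_lookup(prefix: str) -> str:
    """Offline stand-in: an unknown prefix yields an empty range, like an unseen hash."""
    return _STORE.get(prefix.upper(), "")


def hibp_range_lookup(prefix: str) -> str:
    """Live lookup against the real range API (needs network; not used by the tests)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "correct horse battery staple"):
        verdict = evaluate_password(candidate, constructed_range_lookup) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Swap `constructed_range_lookup` for `hibp_range_lookup` to check against the real corpus; the `Add-Padding` header makes every response roughly the same size so that response length does not leak which range was queried.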
3. Preventing account takeovers is a shared responsibility.
In addition to enforcing a strong password policy, requiring employees to complete ongoing security awareness training can help them identify malicious emails that are usually the first step in account takeover attacks. However, the onus can’t be entirely on your workforce.
The most effective way to prevent compromised accounts is by blocking the threats before they even reach employee inboxes. Invest in technology that understands normal communication patterns and stops messages that deviate from that baseline.
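To make "understands normal communication patterns" concrete, here is an added example written for this page (not code from the webinar or from any vendor) of the baseline-and-deviation idea. It learns two things from an organization's own mail history, which display names map to which addresses and who normally mails whom, then scores a new message against that baseline together with two header checks: a Reply-To domain that differs from the From domain, and a sender domain that imitates the internal domain through homoglyphs or a one-character typo. The internal domain, the mail history and the test messages are constructed; the urgency keyword list is an assumption to be tuned per organization.

```python
"""Flagging email that deviates from an organization's communication baseline (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

INTERNAL_DOMAIN = "example.com"  # assumed organization domain
# Wording that commonly appears in payment-fraud lures; assumed, tune per organization.
URGENCY_TERMS = ("wire", "urgent", "gift card", "invoice", "payment", "confidential")


@dataclass
class Message:
    display_name: str
    from_addr: str
    to_addr: str
    subject: str
    body: str
    reply_to: Optional[str] = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character domain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted: str) -> bool:
    """True if domain imitates trusted via common homoglyphs or a one-edit typo."""
    if domain == trusted:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    return folded == trusted or levenshtein(domain, trusted) <= 1


class Baseline:
    """What 'normal' looks like, learned from the organization's own mail history."""

    def __init__(self) -> None:
        self.addrs_by_name: dict[str, set[str]] = defaultdict(set)
        self.pair_counts: dict[tuple[str, str], int] = defaultdict(int)

    def learn(self, history: list[Message]) -> None:
        for m in history:
            self.addrs_by_name[m.display_name.lower()].add(m.from_addr.lower())
            self.pair_counts[(m.from_addr.lower(), m.to_addr.lower())] += 1


def assess(msg: Message, baseline: Baseline) -> list[str]:
    """Return the deviations found; an empty list means the message fits the baseline."""
    reasons = []
    sender = msg.from_addr.lower()
    known_addrs = baseline.addrs_by_name.get(msg.display_name.lower())
    if known_addrs and sender not in known_addrs:
        reasons.append("display name belongs to a known sender but the address is new")
    if msg.reply_to and domain_of(msg.reply_to) != domain_of(sender):
        reasons.append("Reply-To domain differs from From domain")
    if lookalike_domain(domain_of(sender), INTERNAL_DOMAIN):
        reasons.append("sender domain is a lookalike of the internal domain")
    first_contact = baseline.pair_counts.get((sender, msg.to_addr.lower()), 0) == 0
    text = f"{msg.subject} {msg.body}".lower()
    if first_contact and any(term in text for term in URGENCY_TERMS):
        reasons.append("first-time sender/recipient pair using payment or urgency language")
    return reasons


# Constructed history: the CEO regularly mails the finance lead.
HISTORY = [Message("Dana Reyes", "dana.reyes@example.com", "sam.okafor@example.com",
                   f"Budget sync {i}", "Notes attached.") for i in range(5)]

# Constructed test messages.
LEGIT = Message("Dana Reyes", "dana.reyes@example.com", "sam.okafor@example.com",
                "Q3 budget review", "Can we meet Thursday?")
SPOOFED_NAME = Message("Dana Reyes", "dana.reyes@gmail.com", "sam.okafor@example.com",
                       "Urgent wire transfer", "I'm in meetings all day, handle this quietly.")
LOOKALIKE = Message("Dana Reyes", "dana.reyes@exarnple.com", "sam.okafor@example.com",
                    "Overdue invoice", "Please pay the attached invoice today.",
                    reply_to="accounts@exarnple.net")
TAKEN_OVER = Message("Dana Reyes", "dana.reyes@example.com", "ap-team@example.com",
                     "Confidential payment", "Wire the deposit before noon.")


def build_baseline() -> Baseline:
    baseline = Baseline()
    baseline.learn(HISTORY)
    return baseline


if __name__ == "__main__":
    baseline = build_baseline()
    for label, m in [("legit", LEGIT), ("spoofed name", SPOOFED_NAME),
                     ("lookalike", LOOKALIKE), ("account takeover", TAKEN_OVER)]:
        print(f"{label}: {assess(m, baseline) or ['no deviation']}")
```

The last test message is the account-takeover case from this section: the From address is genuine and the display name is legitimate, so header checks alone pass it, and only the relationship baseline (the CEO has never mailed accounts payable, and is suddenly doing so with payment language) raises a flag.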
“We have this situation where access to email is part of the sort of chain of control for everything else. For the vast majority of cases, all it takes is access to an email account and you are into everyone else's things….Being there within an email account is very often the predecessor for then pivoting into all sorts of other things that people have downstream from there.” —Troy Hunt
Theresa Payton on Ransomware: Malware as an Ongoing Email Issue
Theresa Payton made history as the first woman to serve as White House CIO and is now CEO of Fortalice Solutions, a provider of cybersecurity consulting services. She was also named 2019 Woman Cybersecurity Leader of the Year as well as one of the “Top 25 Most Influential People in Security” by Security Magazine.
Theresa and I discussed the main ransomware attack vectors, the components of modern ransomware attacks, and how to respond to a ransomware attack.
Below are three of the biggest takeaways from the webinar.
1. Email remains (and will continue to be) a primary attack vector for ransomware.
While threat actors have multiple entry points into an organization, malware delivered via email remains a primary initial foothold for ransomware.
Nearly every business relies on email as its primary communication vehicle, making it an easy way to get in front of an employee and, subsequently, compromise an organization’s network. Additionally, threat actors can use a myriad of methods to convince employees to download malware, from fake Google Drive file-sharing notifications to bogus calendar invites.
2. Threat actors are using increasingly sophisticated tactics to deliver ransomware.
Threat actors know that legacy email security solutions look for obvious indicators of compromise, such as suspicious links or malicious attachments, and have pivoted to new strategies.
For example, one attack trend (often called callback phishing) is for cybercriminals to send fake subscription confirmation emails that include a note along the lines of, “If you wish to cancel this subscription, please call us.” The email itself carries no link or attachment for a gateway to scan; when the target calls the number provided, the threat actor walks them to a link to fill out and submit a “cancellation request form,” which then downloads the malware.
3. An effective ransomware playbook is essential for every enterprise.
Theresa cited one statistic estimating that by 2035 there will be a ransomware attack every two seconds across businesses, consumers, and devices. Having a comprehensive response plan in place before an attack will only become more important.
An effective ransomware playbook acts as a guide for the security team to follow in the event of a successful attack, reflects the organization’s cybersecurity policies and procedures, and links the playbook’s actions to the organization’s framework and defined security best practices.
“We have the technology today to profile what good employee behavior looks like and to profile what nefarious cyber operatives and cybercriminal syndicate operators look like. That technology and those profiles can help us discern good traffic from bad traffic at a speed level and accuracy we haven't had before. So these are really encouraging and optimistic times.” —Theresa Payton
Get Even More Insights at Vision 2023
Want to hear more from cybersecurity experts? Join us for a half-day virtual conference to hear about the latest attack trends and predictions for the new year from some of the biggest names in cybersecurity, including Frank Abagnale, Rachel Tobac, and experts from Microsoft, KnowBe4, and Valimail.
Vision 2023 is dedicated to helping security leaders learn about the evolving threats that modern organizations face—both today and in the future.