
Paul Drake at Barracuda Networks describes how to protect your business, whatever its size, against evolving email threats
Email-based attacks have been around for decades, yet they remain a significant threat to businesses. They are cheap and easy for cyber-criminals to mount, and the potential rewards range from sets of credentials that can be sold on, to network access and the high-value assets a company holds.
Our recent analysis of targeted email attacks revealed a threat landscape that is continuously changing, as attackers leverage new techniques to bypass detection and boost their chances of success.
Among the findings, we discovered that the proportion of more advanced and targeted email-based threats, using sophisticated social engineering techniques, is increasing steadily. We also found that the size of a company impacts the types of email attacks it is most likely to encounter.
Here we explore these threats and the measures that organisations can take to protect against them.
All companies, regardless of size, are susceptible to email-based attacks, but the threats they face differ. Our analysis shows that company size is a significant variable in the type of email threat an organisation is most likely to encounter.
Lateral phishing is a major risk for large businesses. This is where attacks are sent to mailboxes across the organisation from an internal account which has already been compromised.
Our data showed that 42% of targeted email attacks against large organisations – those with 2,000 or more mailboxes – involve lateral phishing. Just 2% of attacks against smaller companies, with up to 100 employees, fall into this category.
Smaller companies are the most likely to be hit by external phishing, which accounts for 71% of the targeted email attacks against them. They also receive around three times as many extortion attacks as their larger counterparts: extortion accounts for 7% of targeted incidents at the smallest companies, compared with 2% at those with 2,000 employees or more.
The difference in the types of attacks could be down to a range of issues, from organisational structure to the company culture and technological factors.
Larger companies, for example, with many employees and mailboxes, provide attackers with multiple entry points and communication channels from which they can spread malicious messages. Employees are more likely to trust email messages that appear to come from someone within the organisation, even if the sender is not familiar to them. Cyber-attackers can exploit these factors to spread lateral phishing messages more effectively.
The flatter organisational structures of smaller companies provide attackers with easier access to names or contacts, allowing them to target a wide range of employees. Attackers can also take advantage of the fact that smaller companies are less likely to have layered security in place and may be more likely to have misconfigured email filters due to a lack of in-house skills and resources.
The proportion of more advanced and targeted email-based threats, which use sophisticated social engineering to gain access to information or systems, is increasing steadily year on year.
Our analysis shows that Business Email Compromise (BEC), in which the attacker impersonates someone inside the organisation to trick the target into sending money to an attacker-controlled account, now accounts for more than one in 10 social engineering attacks, up from 8% in 2022.
Conversation hijacking has risen by 70% since 2022. In this technique attackers steal login credentials and gain access to business accounts, then study the mailbox to learn about operations, deals and payment processes. Armed with that knowledge, they insert themselves into existing business conversations, or start new ones based on the information they have gathered, to deceive victims into sending money or updating payment details.
Both techniques are highly personalised and well researched, making them effective, hard to detect and costly for the organisations that fall victim.
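The description above implies a handful of observable signals a hijacked reply tends to carry: it arrives from a lookalike of a domain already in the thread, it diverts responses via a Reply-To header, it quotes a genuine conversation its domain never took part in, and it asks for a change to payment details. The following script is an added illustration of how those signals can be checked against a thread; it is not code from the original article and not Barracuda's detection logic, and the three messages, domains and names in it are constructed for the example.

```python
"""Heuristic indicators of conversation hijacking in an email thread.

Added example: walks a thread in arrival order and flags a reply that (a) comes
from a lookalike of a domain already in the thread, (b) diverts replies via
Reply-To, (c) enters a thread its domain never took part in, and (d) pairs any
of those with payment-change language. All sample messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Words that, combined with another indicator, suggest a payment-redirect attempt.
PAYMENT_TERMS = ("bank", "account details", "wire", "remit", "invoice")


def edit_distance(a, b):
    """Levenshtein distance; 1-2 between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze_thread(raw_messages):
    """Return [(message_id, [indicator, ...]), ...] in arrival order.

    Domains seen in From, To and Cc of earlier messages become 'known'. Each
    indicator is a triage signal, not a verdict: a genuine new supplier contact
    joining a thread would also trip (c).
    """
    known_domains, seen_ids, findings = set(), set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender_domain = domain_of(parseaddr(msg.get("From", ""))[1])
        indicators = []
        # (a) lookalike domain: close to, but not equal to, a domain already in the thread
        for known in sorted(known_domains):
            if known != sender_domain and edit_distance(known, sender_domain) <= 2:
                indicators.append(f"lookalike domain {sender_domain} resembles {known}")
        # (b) Reply-To pointing somewhere other than the sending domain
        reply_to_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
        if reply_to_domain and reply_to_domain != sender_domain:
            indicators.append(f"Reply-To domain {reply_to_domain} differs from From")
        # (c) quoting a real thread (In-Reply-To matches) from a domain never seen in it
        in_reply_to = msg.get("In-Reply-To", "")
        if in_reply_to and in_reply_to in seen_ids and sender_domain not in known_domains:
            indicators.append("unknown domain replying inside an existing thread")
        # (d) payment-change language, escalated only when another indicator fired
        body = msg.get_payload().lower()
        if indicators and any(term in body for term in PAYMENT_TERMS):
            indicators.append("payment-change language in a suspicious reply")
        findings.append((msg.get("Message-ID", ""), indicators))
        # remember every participant of this message before moving to the next one
        known_domains.add(sender_domain)
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            known_domains.add(domain_of(addr))
        seen_ids.add(msg.get("Message-ID", ""))
    return findings


# Constructed sample thread: a genuine customer/supplier exchange, then a hijacked reply
# from a lookalike domain (supp1ies with a digit one) that redirects payment.
SAMPLE_THREAD = [
    """\
From: Priya Shah <priya.shah@northwind-example.com>
To: Dana Ortiz <dana.ortiz@acme-supplies.example>
Subject: PO 4471 delivery
Message-ID: <m1@northwind-example.com>

Dana, can you confirm the delivery date for PO 4471?
""",
    """\
From: Dana Ortiz <dana.ortiz@acme-supplies.example>
To: Priya Shah <priya.shah@northwind-example.com>
Subject: Re: PO 4471 delivery
Message-ID: <m2@acme-supplies.example>
In-Reply-To: <m1@northwind-example.com>

Confirmed for the 14th. Invoice follows as usual.
""",
    """\
From: Dana Ortiz <dana.ortiz@acme-supp1ies.example>
Reply-To: Dana Ortiz <dana.ortiz@acme-billing-relay.example>
To: Priya Shah <priya.shah@northwind-example.com>
Subject: Re: PO 4471 delivery
Message-ID: <m3@acme-supp1ies.example>
In-Reply-To: <m2@acme-supplies.example>

Priya, our bank has changed. Please wire the PO 4471 invoice to the new account details below.
""",
]

if __name__ == "__main__":
    for message_id, indicators in analyze_thread(SAMPLE_THREAD):
        print(message_id, "->", indicators or "clean")
```

Note that the second message mentions an invoice but raises nothing, because payment language on its own is normal business traffic; the script only escalates it when the sender's domain, Reply-To or thread membership is already suspicious. That gating is the point: the personalisation that makes these attacks effective also means the fraudulent message reads like the legitimate ones, so the useful signals are in the headers and the participant history rather than the wording alone.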
Whether your business has just a few employees or hundreds of mailboxes, education is key to protecting against email-based attacks. Regular security awareness training is important to keep everyone informed about the latest threats so they can easily spot suspicious emails. It’s also essential to have reporting processes so that employees can quickly alert the IT or security team if they notice any malicious activity.
With lateral phishing and BEC attacks on the rise, it’s important to teach employees not to trust an email simply because it comes from a colleague.
As criminals adapt their tactics, organisations should also deploy AI-powered defences that can detect highly targeted attacks such as BEC and conversation hijacking, including the account takeovers, compromised accounts and reconnaissance activity that precede them.
Paul Drake is Regional Vice President Sales, UK&I at Barracuda Networks
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543