How Emails Became the Weakest Link in the Security Chain
Avanan reveals that in a five-day work week, employees are hit by 4.8 phishing emails.
One in every 99 emails is a phishing attack. That was one assertion in an infographic from cloud security platform provider Avanan explaining how email became the weakest link.
The New York City-based firm’s research also revealed that in a five-day work week, employees are hit by almost five phishing emails (4.8, to be exact), and that businesses could be attacked every day without knowing it, since 30% of phishing emails make it past default security, 25% breach existing security measures and 5% are whitelisted by administrators.
Here are some other findings:
- Cyberattacks cost businesses over $5 billion from 2013 to 2016; today a phishing attack on a midsize business costs an average of $1.6 million.
- Phishing attacks increased by 65% from 2016 to 2017.
- Eighty-three percent of people received phishing emails; spearphishing targeted infosec professionals 64% of the time; 35% of professionals do not know what phishing means.
- One in three consumers stops using a business after a security breach.
- When someone clicks, the attacker gains prolonged access to the system, on average, less than two minutes after the email reaches the inbox.
- Phishing attacks fall into the following categories: credential harvesting, 41%; extortion, 8%; malware, 51%; spearphishing, 0.4%.
Michael Hiskey, chief marketing officer for Avanan, provided some additional insight. When asked whether any specific jobs/functions are more susceptible than others, he said, “Absolutely. We see an unusually high number in four categories.”
He listed the following:
1. Senior executives (CxO) of all flavors, especially CFO and CEO.
2. Mid-level managers, both in accounting/finance, who have ties to accounts payable, billing, invoicing, etc., and in human resources, who have access to employees’ direct deposit, other payments, etc. (“Essentially, people who touch the organization’s bank accounts”).
3. Administrators/secretaries to group number 1 (“same reasons, they often act as the exec in cases and respond to emails … especially good as they will not pick up on nuances of regular communication patterns”).
4. IT administrators. “Hackers try to figure out who has administrative privileges on the company email system. This lets them get inside, create/delete accounts and even hold the company ransom (imagine someone locked everyone’s emails or changed passwords one day and demanded payment to release them).”
Hiskey said they have seen mixed results on whether financial institutions are more or less susceptible than other industries. “Banks – especially retail banks with lots of customers (Citi, B of A, etc.) – are targeted so that hackers can exfiltrate and trick their customers … fake logins, even inserting themselves into the loan approval process.”
Otherwise, for ordinary infiltration, financial institutions are as susceptible as companies of the same size and complexity. “In this case, banks often have pretty high-grade security and good end-user training, so it is possible they could get as many or more attacks and have fewer of them be successful.”
Hiskey explained, “What we’re talking about is often called business email compromise. With BEC, there is a mixture of hacking and social engineering to understand the patterns of communication and the level of access for individuals.”
Hiskey noted that hackers are patient: they use automation in some cases to “sit” on an account and wait for an opportunity. “According to industry reports, the breach most often starts with a phishing email and happens in minutes. It then takes months to discover. In the intervening time, bad actors do their best to exploit a vulnerable business process (one that doesn’t have substantial checks and balances in place).”
In Avanan’s experience, advanced threats follow a recipe. “It’s not one thing that our software observes, but a combination of items – say, a first-time email from a mid-level finance executive to a wide group of people he or she never communicates with regularly,” Hiskey said. And they do this proactively. “So, the emails never reach the user’s inbox, so they are never tempted to click on a malicious link or fall for a BEC scam. We then take what we find, with user interaction and the recipe of the attack, and feed it into our AI to prevent future break-ins.”
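A small detector for the recipe Hiskey describes, added here as an example and not Avanan's code: it flags a first-time message from a sender in a finance, HR, executive or IT-admin role to a wide group the sender has never written to, and only when those signals coincide. All addresses, roles, thresholds and the baseline mail history are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
# Constructed role directory; a real deployment would pull this from the IdP or HR system.
SENSITIVE_ROLES = {"finance", "hr", "executive", "it-admin"}
ROLES = {"cfo@corp.example": "finance", "dev1@corp.example": "engineering"}

@dataclass(frozen=True)
class Message:
    sender: str
    recipients: tuple
    subject: str

def build_history(baseline):
    """Map each sender to every recipient they have written to before."""
    hist = defaultdict(set)
    for m in baseline:
        hist[m.sender].update(m.recipients)
    return hist

def score(msg, history, min_group=5, min_novel_ratio=0.8):
    """Return (flagged, reasons) for one message against the sender's history."""
    known = history.get(msg.sender, set())
    novel = [r for r in msg.recipients if r not in known]
    ratio = len(novel) / len(msg.recipients) if msg.recipients else 0.0
    reasons = []
    if ROLES.get(msg.sender) in SENSITIVE_ROLES:
        reasons.append("sender holds a sensitive role")
    if len(msg.recipients) >= min_group:
        reasons.append(f"wide group: {len(msg.recipients)} recipients")
    if ratio >= min_novel_ratio:
        reasons.append(f"{len(novel)} recipients never contacted before")
    # Each signal alone is routine traffic; only their coincidence is flagged.
    return len(reasons) == 3, reasons

# Constructed baseline: the CFO normally writes only to the CEO and the controller.
BASELINE = [Message("cfo@corp.example", ("ceo@corp.example",), "Q3 numbers"),
            Message("cfo@corp.example", ("controller@corp.example",), "Month-end close"),
            Message("dev1@corp.example", ("dev2@corp.example",), "PR review")]
STAFF = tuple(f"staff{i}@corp.example" for i in range(6))

def run_demo():
    """Score three constructed messages; returns {subject: flagged}."""
    hist = build_history(BASELINE)
    tests = [Message("cfo@corp.example", ("ceo@corp.example",), "Routine update"),
             Message("cfo@corp.example", STAFF, "Action required on pending invoices"),
             Message("dev1@corp.example", STAFF, "Team lunch")]
    return {m.subject: score(m, hist)[0] for m in tests}

if __name__ == "__main__": print(run_demo())
```

Only the CFO's first-ever message to six staff members is flagged; the same fan-out from an engineer, or the CFO's routine note to the CEO, passes.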