
Cyren Security Blog


Secure Email Gateways Cost $3B Last Year – Phishing Attacks Are Still Evading Them

Despite investing a record $3B in Secure Email Gateways (SEGs) in 2019, US companies still lost $1.7B to phishing.

Here’s how attackers use sophisticated tactics to bypass the SEG and trick users into taking the bait.

Fooling the SEG

Activating or uploading malicious content to a target web page only after the email has been scanned isn’t a new scam. Advanced SEGs countered this tactic with “time-of-click” detection, which automatically rescans an email when the user clicks the link. It gives the SEG one last chance to detect a malicious URL.


However, time-of-click detection is not without flaws. Spear phishing and Business Email Compromise (BEC) attacks don’t contain URLs or attachments, so they appear harmless to the SEG. Once the tainted email has evaded the SEG, the user is the last line of defense.

What it looks like: Often a Business Email Compromise attack uses the organization’s own internal communications to listen, learn, and execute a crime. The attacker might target and then observe the mailbox of a well-placed employee to learn when an executive is going on vacation, what payments are coming due, and who is responsible for vendor payments. This information can be used to plan a convincing wire fraud attack. (Yes, this happens.)

Fooling the user

Evasion tactics trick users as well. 50% of users click on links because social engineering creates a sense of urgency, especially when:

  • Cousin domains are used to obfuscate URLs

  • Punycode attacks use foreign-language characters that resemble English ones

  • Attackers serve up local versions of a spoofed site, so the domain looks legitimate, but it’s not
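
As an added example (not from the original post or from Cyren), here is a defender-side check for the first two tactics in the list: it decodes Punycode (`xn--`) labels, flags mixed-script homographs of a trusted domain, and flags cousin domains by edit distance. The `TRUSTED` list, the small `CONFUSABLE` table, the last-two-labels rule and the distance threshold of 2 are all assumptions made for illustration.

```python
import unicodedata

# Constructed allow-list of sender/link domains the organisation trusts (assumption).
TRUSTED = {"paypal.com", "microsoft.com", "example.com"}
# Small constructed subset of Cyrillic look-alikes; the full table is in Unicode UTS #39.
CONFUSABLE = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Decode xn-- labels and keep the last two labels (no public-suffix list here)."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label; it will not match any trusted domain
        labels.append(label)
    return ".".join(labels[-2:])

def classify(host):
    """Return (verdict, matched trusted domain or None) for a link or sender host."""
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in domain if c.isalpha()}
    skeleton = domain.translate(CONFUSABLE)  # map look-alike letters back to Latin
    if scripts - {"LATIN"} and skeleton in TRUSTED:
        return ("homograph", skeleton)
    nearest = min(TRUSTED, key=lambda t: edit_distance(skeleton, t))
    if edit_distance(skeleton, nearest) <= 2:
        return ("cousin", nearest)
    return ("unknown", None)

# Constructed sample: "paypal" with Cyrillic U+0430 in place of the first Latin "a".
SPOOF = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for h in ("login.paypal.com", SPOOF, "rnicrosoft.com", "paypa1.com", "unrelated.test"):
        print(h, classify(h))
```

A verdict of "unknown" only means the host does not resemble anything on the trusted list; it says nothing about whether the host is safe.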

What it looks like: Consider the employee who receives a vendor email saying a security vulnerability in the shadow application he is using has just been patched, so “please click now to update and verify your ID.” Not only does a counterfeit email/site look and act like the real thing, it has all the expected security trappings. Even the most vigilant, security-trained users fall for these tricks.

Fooling cybersecurity

Bad actors even manage to evade detection by cybersecurity companies! They learn the IP address ranges of these companies and block the connection attempt. Or they change a couple of pixels in a fingerprinted image so tampering isn’t detected. Target website HTML code is often obfuscated and encrypted.

It’s time to layer Inbox Detection and Response on top of SEGs

Enterprises using cloud-hosted email urgently need an inner layer of email security called Inbox Detection and Response (IDR). IDR solutions hook into users’ inboxes and continuously scan all inbound and outbound emails in all folders.

New from Cyren, this whitepaper provides best practices for implementing an IDR security layer. It explains how you can massively reduce the “window of vulnerability” caused by malicious emails lingering within the reach of users.

Read the whitepaper: Best Practices in Adaptive Security to Block Evasive Phishing Attacks
