Despite investing a record $3B in Secure Email Gateways (SEGs) in 2019, US companies still lost $1.7B to phishing.
Here’s how attackers use sophisticated tactics to bypass the SEG and trick users into taking the bait.
Fooling the SEG
Activating or uploading malicious content to a target web page only after the email has been scanned isn’t a new scam. Advanced SEGs countered this tactic with “time-of-click” detection, which automatically rescans an email when the user clicks the link. It gives the SEG one last chance to detect a malicious URL.
However, time-of-click detection is not without flaws. Spear phishing and Business Email Compromise (BEC) attacks don’t contain URLs or attachments, so they appear harmless to the SEG. Once the tainted email has evaded the SEG, the user is the last line of defense.
What it looks like: Often a Business Email Compromise attack uses the organization’s own internal communications to listen, learn, and execute a crime. The attacker might target and then observe the mailbox of a well-placed employee to learn when an executive is going on vacation, what payments are coming due, and who is responsible for vendor payments. This information can be used to plan a convincing wire fraud attack. (Yes, this happens.)
Fooling the user
Evasion tactics trick users as well. 50% of users click on links because social engineering creates a sense of urgency, especially when:
Cousin domains are used to obfuscate URLs
Punycode attacks use foreign language characters that resemble English ones
Attackers serve up local versions of a spoofed site, so the domain looks legitimate, but it’s not
What it looks like: Consider the employee who receives a vendor email saying a security vulnerability in the shadow application he is using has just been patched, so “please click now to update and verify your ID.” Not only does a counterfeit email/site look and act like the real thing, it has all the expected security trappings. Even the most vigilant, security-trained users fall for these tricks.
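A defender-side check for the cousin-domain and Punycode tricks listed above, as an added example that is not part of the original article: it decodes `xn--` labels to the form a user would see, folds look-alike characters, and compares the result with an allow-list. The `TRUSTED` list, the small `CONFUSABLES` map, the edit-distance threshold of 2 and the sample links are all assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: domains the organisation really deals with (hypothetical list).
TRUSTED = ("paypal.com", "example-vendor.com")
# Constructed, tiny Cyrillic-to-Latin map; production code would use the
# full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}
# Constructed sample links; the first is "paypal" spelled with a Cyrillic "a".
SAMPLES = ["https://xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com/login",
           "http://paypa1.com/", "https://www.paypal.com/signin"]

def to_unicode(host):
    """Decode xn-- (Punycode) labels to the form a mail client may display."""
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:  # malformed label: keep the raw text
                pass
        out.append(label)
    return ".".join(out)

def skeleton(text):
    """Fold look-alike characters onto their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", text))

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (cousin) spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, trusted domain being imitated or None) for a link."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return ("trusted", None)
    shown = to_unicode(host)
    skel = skeleton(shown)
    for t in TRUSTED:
        if not shown.isascii() and skel == t:
            return ("homograph", t)
        if edit_distance(skel, t) <= 2 or t.split(".")[0] in skel:
            return ("cousin", t)
    return ("unknown-idn" if not shown.isascii() else "unknown", None)
```

Running `[classify(u) for u in SAMPLES]` labels the three constructed links as a homograph, a cousin domain and a trusted host respectively.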
Bad actors even manage to evade detection by cybersecurity companies! They learn the IP address ranges of these companies and block the connection attempt. Or they change a couple of pixels in a fingerprinted image so tampering isn’t detected. Target website HTML code is often obfuscated and encrypted.
It’s time to layer Inbox Detection and Response on top of SEGs
Enterprises using cloud-hosted email urgently need an inner layer of email security called Inbox Detection and Response (IDR). IDR solutions hook into users’ inboxes, and continuously scan all inbound and outbound emails in all folders.
New from Cyren, this whitepaper provides best practices for implementing an IDR security layer. It explains how you can massively reduce the “window of vulnerability” caused by malicious emails lingering within the reach of users.
Read the whitepaper: Best Practices in Adaptive Security to Block Evasive Phishing Attacks