Today, after 4 decades in existence, and more than 25 years’ worth of consistent, daily use, email remains the most reliable, ubiquitous, and constant communication platform for both personal and professional interaction. As users, we may grumble about its ubiquity or its misuse, but we have an inherent trust in email bred from familiarity and functionality.
So it’s of little surprise that email has also become the single largest platform for Internet Crime, at least as reported by the FBI in its annual Internet Crime Report. Business email compromise alone represents 48% of the reported $1.4B financial losses from Internet crime in 2017. That’s 10x more than the reported losses from identity theft, and 3x more than the second most lucrative Internet crime technique (confidence fraud / romance).
Defined by the FBI as “sophisticated scams [that] are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds,” business email compromise is just one of many email-based threats facing organizations today.
So why are such scams so successful? In June, GreatHorn conducted a survey of 300 business professionals – most of whom were involved in email security in some way – to understand the current state of email security. We benchmarked threat frequency, prevalence, types, defenses, and remediation requirements to see what kind of patterns we could find.
As you see in this infographic, we found a number of clues that pointed to the root cause behind the success of social engineering scams such as business email compromise and other spear phishing techniques.
For example, we learned that the “average” user either doesn’t recognize email threats for what they are or dismisses them under the rather innocuous heading of “spam.” We know this because two-thirds (66%) of average users could not recall seeing any of the following email threats in their inboxes:
- Executive or internal impersonations
- External impersonations (e.g. customers, vendors, partners)
- Wire transfer requests
- W2 requests
- Payload / malware attacks
- Business services spoofing (e.g. ADP, Docusign, UPS)
- Credential theft
And yet when asked the same question (explicitly about what reaches inboxes, not a quarantine folder), 85% of respondents who had some involvement in email security indicated that one or more of those threats was hitting inboxes.
That discrepancy demonstrates a dangerous perception gap within organizations – the exact perception gap that criminals exploit. We’ve moved beyond the easy-to-spot Nigerian prince schemes of yesteryear. Sure, there are still mass phishing attacks that are easy to spot, but such attacks in some ways increase the danger precisely because they are so easy to see. The user quickly identifies them as a danger, dismisses them as obvious, and pats themselves on the back for being perceptive enough to see them.
That self-congratulatory complacency may lead to an inability to recognize the real threats – the highly targeted, sophisticated, and well-planned attacks that use social engineering and research to replicate, impersonate, and redirect “real” communication. Our research indicates that most existing email security solutions are failing to catch impersonations (nearly half of our respondents – 46% – report impersonations, including 64% of email security professionals). Such emails often come without obvious triggers such as an attachment or even a link – they use urgency (5pm on a Friday), conciseness (typically just a couple of sentences), seniority (often impersonating a superior), and fear to drive the desired outcome. That’s why it makes sense that impersonations are the email threat that email security pros worry most about.
More concerningly, our study indicates that 1 in 5 organizations have to take some kind of significant remediation action (e.g. suspending compromised accounts, running PowerShell scripts, resetting compromised third-party accounts) on a weekly basis as a result of email threats that bypassed their security defenses. And on average, our panel deployed approximately three separate security tools to protect their environment from email threats.
Given the remediation requirements, it’s no wonder that 56% reported major technical issues with their email security solution today, including:
- “Doesn’t stop internal threats (e.g. if a user account is compromised)” – 35%
- “Missing payload attacks” – 16%
- “Missing payload-free attacks (e.g. impersonations, social engineering)” – 20%
- “Weak or no remediation capabilities” – 19%
- “Negative impact on business operations (e.g. too many false positives)” – 21%
We’ll dive more into the challenges with today’s common email security platforms and our results in upcoming blogs. In the meantime, however, we’d love to hear what you think. What do these numbers mean to you?