Email report

by Mark Rowe

As cybercriminals continue to use email as a primary vehicle to steal data and deliver cyber-threats, social engineering attacks are a rising concern, because they can be the most difficult to control. That’s according to a ‘State of Email Security 2019’ report by the cyber product company Mimecast.

Its report found that impersonation attacks increased almost 70 percent (67pc) in comparison to the results in last year’s report – with 73 percent of those affected by impersonation attacks having experienced a direct loss, specifically loss of customers (28pc), financial loss (29pc) and data loss (40pc). Phishing attacks were the most prominent type of cyberattack, with 94 percent of respondents having experienced phishing and spear phishing attacks in the previous 12 months, and 55 percent citing an increase in phishing attacks over the same time period.

Not only are email-based attacks on the rise, but they’re affecting how confident people are in their organisation’s cybersecurity defences – and ultimately the ability to do their jobs, the company added. According to the report, 61 percent believe it is likely or inevitable their organisation will suffer a negative business impact from an email-borne attack this year. The report also found that business-disrupting ransomware attacks are up 26 percent in comparison to last year.

Comments

Karl Barton, Senior Director, International Channels and Alliances at SecureAuth, said: “The swell of phishing attacks is unfortunately common today due to the worthwhile opportunity and success often due to low levels of user-awareness regarding how attackers try to imitate and operate as companies or high-level executives. Additionally, cybercriminals behind these attacks dedicate time and resource to build convincing impersonations, making them more targeted and difficult to spot. As a result, protecting valuable data in the organisation and mounting a defence is becoming increasingly challenging.

“With attacks targeting high level executives on the rise, organisations must adopt modern approaches to identity security – such as multi-factor authentication – to ensure the user is who they say they are and prevent attackers from gaining access to email accounts. Risk-based adaptive authentication adds additional layers of security that are invisible to the user. Such methods layer geolocation data, IP address look up and behavioural analysis, and provide an enhanced user experience without compromising security.

“Additionally, security training should be viewed as a critical part of any cybersecurity strategy and should aim to improve employee awareness of security risks to spot and report threats. Along with adaptive authentication, stolen credentials will be rendered useless to a threat actor, decreasing their chances of success.”

And Matt Aldridge, Senior Solutions Architect at Webroot, said: “This highly targeted phishing technique or ‘spear phishing’ is presenting itself as a huge risk to companies across the board. Cybercriminals utilise information from social media profiles, even using advanced technology such as AI to improve the scale and fidelity of threats. This enables them to fine-tune phishing emails to look more and more like the real thing, creating targeted, personal emails to trick even the savviest recipient into believing the correspondence is genuine.

“Users need to be vigilant when they spot an email that doesn’t seem quite right. Misspelled URLs, requests for sensitive information that might not be of essential use to a company chief or lack of personal greeting should raise suspicions and it is critical that employees double-check before responding.

“However, this is not always possible and enterprises will need to look beyond traditional solutions, investing in proven next generation threat intelligence offerings coupled with email filtering to help remove these lures from inboxes. Aside from technology, employee education is where organisations will get the best bang for their buck. Employees need to understand the risks to business, why installing software updates and clicking links within emails should be done with great care.”

© 2024 Professional Security Magazine. All rights reserved.