Why email is still the number one threat vector

  • Without emails, businesses would grind to a halt
  • Business Email Compromise (BEC) attacks target people, not technology
  • Bad actors try to infiltrate corporate systems 24/7/365
  • FBI warns BEC scams have cost businesses $43bn to-date

The sophistication of some of these cybersecurity systems is such that they can protect data from bad actors trying any and all techniques to compromise their way into a target.

But, and it’s a big but, there is still no comprehensive and overarching protection against the most vulnerable aspect of any company’s IT infrastructure – the humble email. This ubiquitous messaging system, without which businesses would grind to a halt, is still the easiest vector to access corporate networks.

Big news stories cover state-sponsored cyber espionage attempts and ransomware attacks that cost companies millions to recover from. Then you have foreign actors using social media to influence elections or attack critical national infrastructure.

However, the easiest and cheapest method of breaking into a company’s databases is still by using malicious attachments in normal-looking email messages, both personal and corporate.

Malicious intent

The dangers from innocuous-looking, but ultimately malicious emails need to be reiterated time and again to keep this threat in its proper position as the number one most insidious menace facing those that try to protect against hacking, ransomware, phishing, malware, or other attacks.

Chief Security Officers (CSOs) across industries present ultra-strong cyber defence systems to their boards and can rightly claim that “they have done all they could to protect company data and systems”. However, in reality, they cannot guarantee total protection. Despite CSO’s planning against the hundreds of thousands of known threats and ample past experience, it’s simply not foolproof.

Patching is critical

The number of ‘bugs’ (hidden vulnerabilities) that are present in almost all software programmes, operating systems, and even hardware, make protecting against them a 24/7/365 operation. Constantly updating (patching) all software with the latest versions across multiple systems is another aspect that needs to be maintained consistently.

Many organisations state that almost a third of incidents reported to IT departments come from phishing and malicious email attachments. The effectiveness of these ‘social engineering’ attacks is astonishing; only the most vigilant and trained staff identify threats and contact IT support.

People and groups are targeted in BEC attacks

The latest and greatest threats are Business Email Compromise (BEC) email attacks. These tend to target people, rather than technology, as they are designed to ‘inveigle’ workers to hand over information or click on malicious links.

These scams frequently target businesses that work with foreign suppliers and/or those that make wire transfers. The E-mail Account Compromise (EAC) component of BEC targets individuals that perform the wire transfers.

In May 2022, the US Federal Bureau of Investigation (FBI) updated its projections, stating that BEC scams have cost businesses US $43bn to date, particularly as smaller businesses are increasingly being targeted.

The FBI figures show that in the period between July 2019 and December 2021, there was a 65% increase in global identified losses in US dollars.

COVID-19 pandemic effects

The FBI further attributes some of the rise in BEC scams to restrictions placed on normal business practices during the pandemic. As remote working practices had to become the norm, communications became quickly less secure and more vulnerable.

BEC scam reports were collated from all 50 US states and 177 countries around the world, with more than 140 countries receiving fraudulent transfers.

The FBI also reports a rise in BEC scams using cryptocurrency, where financial transfers are made through cryptography. Cryptography is using coded messages to secure communications, which is popular among illicit actors due to its anonymity and transaction speeds.

Some other scam routes are:

  • Spear phishing: A targeted phishing attack directed to specific individuals or organisations
  • Whaling attacks: Highly targeted phishing attempts aimed at senior executives
  • Credential harvesting: Emails that attempt to trick users into sharing their personal information
  • Account takeovers: Illegally collecting email accounts from public sources, or by compromising computers

Datto protects

As emails continue to be the number one scam route, companies must ensure they are protecting themselves against this proliferous cyber threat route with the most advanced technologies on the market.

Datto offers a host of solutions that help organisations protect against a variety of attack profiles through emails. Datto SaaS Protection + suite has been designed especially with Managed Service Providers (MSPs) in mind, as a cloud protection solution for Microsoft 365 applications (including Exchange, OneDrive, SharePoint, and Teams).

Datto provides a defence against email-based cyber threats with a configurable number of daily backups and supports flexible, fast recovery of data. The company also provides similar protection for the Google suite of applications (Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and chat etc).

See all articles in Insights

Similar Posts