Targeted email attacks are on the rise. According to Agari's Email Security: Social Engineering Report, 89 percent of respondents saw a steady stream or increase of targeted email attacks involving social engineering in 2016. Nearly half (46 percent) of security leaders revealed their organizations had experienced one such attack that year.
Given this growth, companies should be working to bolster their digital security in defense against targeted email attacks. But a majority of security personnel think their employers should be doing more. In Agari's survey, 52 percent of participants disclosed their belief that their organizations' defenses against targeted email attacks are at average or below.
Companies need to know all they can about targeted email attacks so that they can properly protect themselves. Towards that end, this blog will define targeted email attacks, discuss why they're on the rise and provide organizations with strategies on how to combat them.
Targeted Email Attacks -- A Definition and Examples
Domenico Quaranta, CTO of eLearnSecurity, defines a targeted email attack as "a specific attack in which the attacker, through the email channel, tries to persuade a victim to run a specific, apparently innocuous, action." Informed by research conducted on their intended target, these attacks oftentimes leverage social engineering techniques to trick users into doing something that will further the campaign. More sophisticated attacks might incorporate software vulnerabilities with more limited user interaction, notes Quaranta in a blog post.
Targeted email attacks can take the form of a spear-phishing campaign. In these types of operations, bad actors select an intended target and leverage social media platforms, publicly available information, or previously compromised accounts of friends or colleagues to research them. They then commonly craft an email using one of those hacked accounts or from a domain that spoofs a trusted entity like an employer. Ultimately, spear-phishing emails come with a malicious URL or attachment that, when clicked, either installs malware onto the target's computer or directs them to a compromised website. The purpose of many spear-phishing email campaigns is to steal information and leverage that data for subsequent attacks.
Many targeted email attacks aim to steal companies' sensitive information using advanced malware and/or gain access to important systems. But they're not always as narrowly focused as spear-phishing. In fact, targeted email campaigns can be much broader in scope and prey on a larger number of users at the same time.
Success Breeds Widespread Use
Organizations can help their employees spot targeted email attacks by creating ongoing security awareness training programs. Using simulations, they can teach them to spot misleading URLs and spoofed senders as well as to exercise caution around suspicious email attachments.
But training isn't a cure-all for preventing targeted attacks. According to Experian and Ponemon Institute's report Managing Insider Risk through Training & Culture, only half of respondents said the data protection and privacy training (DPPT) program at their workplace effectively reduced noncompliant behaviors among employees. An even lesser percentage revealed their employer's DPPT program consisted of just one basic training course for most employees. That's because 55 percent of enterprise programs exempted at least some of their employees, with C-level executives excused from regular training sessions in 29 percent of cases.
In the absence of training for the entire workforce, not all employees can learn to be skeptical of links from unknown senders or to unexpected invoices received via email. They therefore will be more prone to overshare information online, to fall for compromised accounts of their fellow employees and to pay attention less attention to potential security threats when using email.
Targeted email actors are aware of these consequences of poor security awareness. Indeed, they've exploited them to produce campaigns targeting Fortune 500 companies and attacks where spoofed Securities and Exchange Commission (SEC) emails deliver malware.
How to Defend Against Targeted Email Attacks
To protect themselves against malware-based and other types of targeted email attacks, organizations need to focus on educating all of their employees and executives about email-based threats using training programs that incorporate a variety of different courses. They should also focus on deploying effective security solutions such as tools like ZixProtect, which can identify and stop inbound email threats using advanced multi-layer filters and live threat analysts.
For information on how Zix can protect your company against targeted email attacks, click here