For centuries, masking and misrepresenting reality have been a not-so-magical tactic employed by criminals, con artists and spies. With the rapid growth in data, devices and applications, the technique has not only remained useful, it has become the most common method criminals use to deliver advanced malware, ransomware and targeted attacks into an organization. Email is the attack vector of choice simply because it is accessible anytime and anywhere, can readily be used to fake a social or professional connection, and can carry malicious payloads onto a device or inside a network perimeter.
By researching social media, press releases, company filings, supplier networks and more, criminals are able to build accurate profiles of their targets and of the targets' business practices. Armed with this research, and using email, criminals exploit vulnerable employees who simply believe they are doing their job, when in fact they have become the latest victims of phishing and social engineering. Examples of this in action include:
- Business Email Compromise (BEC) scams: An email, or a series of emails, is crafted to appear legitimate and targeted at an executive or an executive assistant, requesting a transfer of money for a seemingly legitimate business purpose. This BEC attack cost a California-based company $47 million.
- Spearphishing attacks: Much like fishing with a spear, spearphishing attacks are crafted to target a specific individual, or a group of individuals with similar characteristics or interests. The intent is for the recipient of a seemingly real but malicious email to open an attachment or click a URL that triggers the execution of malicious code on the device. Once the code has executed, the criminal can obtain credentials and passwords and/or begin malicious activity on the target device or on the networks it connects to. A recent phishing attack using a Google Doc exemplifies the ease with which criminals can exploit email.
The question arises of how organizations can minimize the threat of email-based attacks. The key message here: there is no single silver bullet. While standalone products and solutions can help, a holistic strategy encompassing people, process and technology is the wise approach. First, provide employees with ongoing training and education on social engineering, including attack simulations that test both your employees and the responsiveness of your IT and security teams. Second, examine business processes that are vulnerable to manipulation by criminals. Do you mandate multiple approvals for payments above a certain threshold? Do you enforce minimum device security standards as a prerequisite for network connectivity? Third, are you taking proactive measures to identify malicious payloads attached to or embedded within emails that can trigger ransomware or data breaches? Do you have measures in place to protect against data disclosure or breaches?
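The third point above, proactively identifying risky payloads and deceptive sender details before a message reaches an inbox, can be illustrated with a small triage check. The following Python script is an added example written for this page, not Zix or ZixProtect code. It parses a constructed sample message with the standard library, flags attachments whose file type can execute code when opened (the extension list is an assumption chosen for the example), and flags a Reply-To domain that differs from the From domain, a common BEC indicator that the page itself does not name. The helper and sample names (`triage_message`, `SAMPLE_SUSPICIOUS`, `SAMPLE_CLEAN`, the `example.com` internal domain) are all constructed for this example.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types that can execute code when a recipient opens them.
# This list is an assumption for the example; a real gateway policy would be broader.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm", ".jar", ".lnk"}


def address_domain(header_value):
    """Return the lowercase domain of an address header, or '' if it is missing."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage_message(raw, internal_domain):
    """Inspect a raw RFC 5322 message and return the findings a reviewer should see.

    Two defensive checks are applied:
      1. a Reply-To domain that differs from the From domain (replies leave the
         organization even though the visible sender looks internal), and
      2. attachments whose extension is in RISKY_EXTENSIONS.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(
            "reply-to domain %s differs from from domain %s" % (reply_domain, from_domain)
        )

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append("attachment %r has executable type %s" % (name, ext))

    return {
        "from_domain": from_domain,
        "external_sender": from_domain != internal_domain.lower(),
        "findings": findings,
        "quarantine": bool(findings),
    }


def build_sample(from_hdr, reply_to, filename, payload):
    """Construct a sample message for the example (not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Urgent wire request"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content("Please process the attached invoice today.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: a BEC-style message and a benign one.
SAMPLE_SUSPICIOUS = build_sample(
    "CEO Jane Doe <jane.doe@example.com>",
    "jane.doe@mail-example.co",       # replies would go to an outside domain
    "Invoice_Q3.pdf.exe",             # double extension hiding an executable
    b"MZ-not-a-real-binary",
)
SAMPLE_CLEAN = build_sample(
    "Vendor Billing <billing@partner.example>",
    None,
    "report.pdf",
    b"%PDF-not-a-real-pdf",
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        result = triage_message(raw, "example.com")
        print(label, "->", "QUARANTINE" if result["quarantine"] else "deliver")
        for finding in result["findings"]:
            print("   ", finding)
```

Run the file directly to see the two verdicts. The checks are deliberately simple header and attachment-name heuristics; they complement rather than replace content scanning, and the quarantine decision feeds the "multiple approvals" process step rather than automating a payment block.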
To learn more about how Zix and its solutions can strengthen your security approach, check out our video on ZixProtect or see it in action with a free 30-day trial.