It follows that vectors with greater internet exposure will also attract more attention from threat actors. Because of this, malicious actors frequently exploit public email servers, and a wide variety of cyber dangers can spread through them. We found some interesting patterns after reviewing a representative sample of our 2022 emails. The 2023 Email Security Trends Report examines the causes of the rise in email threats over the previous year. It also offers advice on how businesses can use this information to remain ahead of the curve.
Here are the key takeaways, followed by tips on how to enhance your email security.
Phishing attacks are on the rise (no surprise here)
According to the Verizon 2022 Data Breach Investigations Report, phishing “is one of the top five most common action varieties in data breaches.” Between 2021 and 2022, phishing attacks increased for the finance and construction sectors, and finance still commands the majority share of phishing attention.
In 2022, email phishing attacks accounted for 24% of all spam types discovered, compared to only 11% in 2021, marking an increase of 13%. Financial institutions (48%) are still the most targeted sector by a wide margin, followed by construction companies (17%), which have experienced a significant increase in phishing emails since 2021.
“If you wonder why criminals phish, it is because email is where their targets are reachable. And while only 2.9% of employees may actually click on phishing emails, a finding that has been relatively steady over time, that is still more than enough for criminals to continue to use it.”
The numbers don’t lie, and the more email is used as the primary form of business communication – and it is – the higher the risk of phishing will be. According to The Future of Digital Communication Study by SendGrid, email remains the preferred method of communication across the board to the tune of 74%, with 89% of respondents using it monthly for either business or personal reasons.
Despite the rising popularity of platforms like Slack, or social media in general, the number of emails sent daily has risen by nearly 5% in the past year alone – and is expected to grow. As long as email use trends upwards, so will the risk, ingenuity, and vectors of phishing attacks.
Worryingly enough, criminals leverage phishing campaigns as the first step to further harm businesses and disrupt operations. Following the interaction with a phishing message, criminals download malicious payloads to the victim’s system, which are then used to infiltrate the company with ransomware.
A variety of email risks
Despite the public perception that built-in email security controls are enough to protect our inboxes, there are a host of ways bad actors are getting around these controls and our own best scrutiny.
Insider threats, although often overlooked, are an essential and dangerous factor because insiders already have access to corporate knowledge and culture. Over one-third (34%) of businesses are affected yearly by insider attacks. Over the last two years, insider attacks increased by 44%, taking an average of 85 days to contain – up from 77 in 2020.
Spam is the most prominent email risk category. The percentage of spam emails among the 2022 subset rose to 90%, including phishing, scam, and commercial emails. Malicious spam emails can be broken down into subcategories to understand malicious actors’ motives and vectors better.
According to the Norton 2022 Cyber Safety Insights Report, 36% of Americans have fallen victim to holiday spam attacks. While we’ve all learned to be wary of email advertising deals that seem too good to be true, fraudsters have become more sophisticated and are now attacking from multiple fronts. Customers who are eagerly awaiting a delivery but are preoccupied or unaware may fall victim to a phishing scam when they confirm their address or log in to a shipping business like UPS or DHL. Regrettably, this spam has a click-through rate of 60%.
Interestingly, the report findings note an uptick in job scams in Q4 of last year, which bad actors were exploiting to deliver phishing and malware. According to Amy Nofziger, AARP’s director of fraud victim support, scammers ‘follow the headlines’ and have profited at the intersection of online hiring and work-from-home trends.
How to defend yourself against email threats
Based on the cumulative email threat data, VIPRE estimates that during 2023 we should expect more remote work-based attacks, an increase in the crime-as-a-service economy, and smaller businesses becoming the prime targets of email-based attacks. In addition, we should see a rise in attacks exploiting weaknesses in multi-factor authentication (MFA) and QR codes.
While foresight is essential, so is the ability to prepare a defense. There are best practices that businesses may implement to protect themselves from these email threats and avoid being the next easy target. These best practices include:
- Implementing a layered email security strategy
- Investing in behavioral analysis
- Training your employees for better security awareness
- Securing data in transit
- Deploying email-specific security controls
The email safeguards you implement today will have a broader and more lasting impact as your organization grows. Your email security solutions should be tailored to the size of your enterprise and scale with your growth. That’s why it’s integral to partner with the right email security vendor when implementing these best practices.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.