Earlier this year, a survey of IT decision-makers by security firm Mimecast revealed that 54 percent of organisations in the UK reported an increase in email-based phishing attacks and that 92 percent of ransomware attacks globally were delivered by email.
Mimecast found that the success of such attacks was largely due to the fact that fewer than one in ten organisations in the UK and beyond continuously trained employees on how to spot phishing attacks, and because many CEOs undervalued the role of email security as a key element of their security programmes.
To find out how cyber-criminals employed email as a vector for carrying out malware attacks on organisations, to steal credentials or to defraud employees into transferring money to their accounts, researchers at Proofpoint carried out a detailed study that also looked at which organisations and departments received the most highly targeted email threats between April and June this year.
The research showed an 85 percent increase in the number of email fraud attacks per targeted company compared to the year-ago quarter and also found that 23 percent of employees who were targeted by email fraud attacks worked in operations and production functions at organisations, making these two the most-targeted departments.
The researchers also found that while lower-level management workers were at the receiving end of 60 percent of all email fraud attacks, executives and upper-level managers such as board members, C-level executives, directors, and department heads, received a disproportionately large share of attacks even though they formed a small proportion of the total workforce.
Upper management staff received 23.5 percent of all fraudulent emails. By department, production/operations was the most targeted, followed closely by management, R&D/engineering, accounting, finance, sales, marketing and HR.
In terms of industry, cyber-criminals launched the largest number of email fraud attacks on the real estate sector, with each organisation in the sector receiving 67 such emails on average. Other industries that were frequently targeted in Q2 were the biotech and medical industry, as well as consulting, engineering and manufacturing industries.
While education-related attacks jumped 250 percent compared to the year-ago quarter, the average number of email fraud attacks against automotive companies soared more than 400 percent, and attacks against government agencies also quadrupled in the period.
"More than 65 percent of companies targeted by email fraud had the identities of more than five employees spoofed. That’s more than triple the proportion in the year-ago quarter, suggesting that fraudsters are getting more creative and finding new ways to target. With information about employees widely and freely available, they can find multiple ways inside your environment," the researchers warned.
Email fraud attacks launched by cyber-criminals are not all alike; their impact varies with the objectives of the fraudsters behind them. According to Proofpoint, as most organisations have adopted DMARC (Domain-based Message Authentication, Reporting and Conformance), email domain-spoofing has dropped to a large extent, but fraudsters have switched to employing malware to target organisations across the globe.
While ransomware made a solid comeback in Q2, accounting for 11 percent of total malicious email volume, the malware used by fraudsters broke down as follows: 17 percent credential-stealers, 42 percent banking malware, 25 percent downloaders, and 2 percent remote access trojans.
With domain spoofing in decline, fraudsters are still spoofing display names on a large scale (90 percent of all malicious emails) to appear familiar to targeted victims and to make recipients believe that such emails are genuine. This should make it mandatory for organisations to train their employees to spot malicious emails whose display name is a familiar one while the underlying address is not.
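As an added illustration, not part of the Proofpoint or Mimecast research, here is a small Python check of the kind a mail gateway or SOC triage script could run over inbound From: headers to flag display-name impersonation; the organisation domain and the protected names are assumed, constructed values.

```python
import re
from email.utils import parseaddr

# Constructed example values: the organisation's own sending domain and the
# people most likely to be impersonated (the research above notes executives
# and department heads draw a disproportionate share of fraud attempts).
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "sam lee"}  # hypothetical directory entries


def normalise_name(name: str) -> str:
    """Lower-case and strip punctuation/extra spaces so 'JANE  Doe' == 'jane doe'."""
    letters_only = re.sub(r"[^a-z ]", " ", name.lower())
    return " ".join(letters_only.split())


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_from(from_header: str) -> str:
    """Classify a raw From: header value.

    Returns 'malformed', 'embedded_address_spoof', 'display_name_spoof' or 'ok'.
    """
    name, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return "malformed"
    if domain_of(addr) == ORG_DOMAIN:
        # Mail claiming our own domain is what SPF/DKIM/DMARC are there to check.
        return "ok"
    # The display name is itself one of our addresses, e.g.
    # "jane.doe@example.com" <attacker@...>, relying on clients that hide
    # the real address.
    if "@" in name and domain_of(name) == ORG_DOMAIN:
        return "embedded_address_spoof"
    # A familiar person's name in the display field, but an external address.
    padded = f" {normalise_name(name)} "
    if any(f" {person} " in padded for person in PROTECTED_NAMES):
        return "display_name_spoof"
    return "ok"
```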
"The fact email fraud attacks have increased emphasises that an organisation’s over-reliance on technology could be their downfall in the future. When it comes to targeted attacks, organisations must focus on educating their staff on what dangers to look out for so that they can effectively become a human network of sensors, designed to spot phishing attempts before it’s too late," Stephen Burke, founder and CEO of Cyber Risk Aware, told SC Media UK.
"Employees are the greatest security asset in a company, so it’s time to create the human firewall – the first line of defence to effectively protect their network," he added.
Commenting on the findings of Proofpoint's research on malicious emails, Steven Malone, director of security product management at Mimecast, said that mail impersonation fraud and ransomware attacks are now the easiest way for criminals to get their hands on valuable data and money. Yet, far too many businesses rely on the thinking that they’re too small to be targeted by cyber-criminals. That naive attitude could be a costly mistake.
"Our Email Security Risk Assessment showed just how many of these malicious emails are appearing in business inboxes. In the last quarter alone, there has been an 80 percent increase in impersonation or business email compromise – or BEC – attacks. With the number of victims ever growing, it is time for SMEs to realise that their size is irrelevant to hackers, and a breach can have a great impact on their business.
"Hackers rely on human error here, so training employees to recognise the fraudsters is the first part of the puzzle. To combat these threats, organisations must adopt a cyber-resilience strategy that tackles all organisational weak links from the bottom up. This means adopting a layered security approach, including dedicated protection from impersonation attacks and secured email systems, along with proactive measures such as simulations and employee awareness training," he added.