“Despite increased awareness of the problem, the price tag is estimated at $12.5 billion,” according to a report from cybersecurity firm Agari. Driving the uptick, according to the report, are “increasingly sophisticated cybercriminal organizations that pair identity deception techniques with personalized, socially engineered emails designed to throw recipients off-kilter just long enough to fork over login credentials or make wire transfers before thinking to confirm the message’s legitimacy.”
Agari reports that business email compromise (BEC) scams increased 60 percent in the last year.
“More than 90% of organizations report being hit by targeted email attacks, with 23% suffering financial damage that can average $1.6 million and up,” the firm stated, adding that “96% of successful data breaches now begin with an email, wreaking an average $7.9 million in costs per incident. Despite increased awareness of the problem, the price tag is estimated at $12.5 billion—and counting.”
Cloud security firm Avanan this spring said it reviewed 55.5 million emails for its Global Phish Report. Of the emails surveyed, the firm said, a quarter were phishing attempts that made it past Office 365 security. “Over half of all phishing emails contain malware,” the company says. “Microsoft is by far the most impersonated brand throughout the year,” according to the report, except during the holidays, when Amazon is the most impersonated brand in phishing attacks.
An ESG report commissioned by Cisco found that most enterprises now use cloud-based mail and 11% expect to adopt it in the next 12 months.
Joy Belinda Beland, senior director of cybersecurity business development for Continuum, says implementing company training can help reduce the damage, but she acknowledges it may not be enough to reduce the risks of corporate email.
“Of course, employees are able to configure filters, back-end rules and policies to combat the inevitable exposure email provides, but overall they have little control over what comes into their inbox,” said Beland.
Beland suggests limiting exposure by reducing email exchanges and using more trusted chat applications. Other strategies, she said, include making sure that the only way an employee could initiate an interaction with a new and untrusted outside entity would be through validation of that user’s identity. Further, the employee and user would then be allowed to interact only through a collaboration tool that is 100% segregated from internal communication. “I would advocate for cutting down the noise of email and instead look toward secure collaboration tools,” she added.
Of course, cloud-based collaboration and chat tools have their own vulnerabilities, though there are far fewer reported incidents of real-world data breaches on these platforms.
Interestingly, mobile use seems to affect whether users fall for phishing attacks. In its 2019 Data Breach Investigations Report, Verizon found that click-through rates have fallen on phishing simulations the company runs with data partners, down from 24% to 3%. “But 18% of people who clicked on test phishing links did so on mobile devices. Research shows mobile users are more susceptible to phishing, probably because of their user interfaces and other factors. This is also the case for email-based spear phishing and social media attacks.”