Why Email Is Still the #1 Cyber Threat — and What You Can Do About It

Even with a plethora of communications tools in the workplace, email isn’t going anywhere — and that means it will continue to be a top attack vector for cybercriminals looking to exploit human behavior through social engineering attacks such as phishing, business email compromise (BEC) and malicious attachments.
Indeed, the human element is the most common threat vector, with 68% of breaches involving a non-malicious human element, according to Verizon’s “2024 Data Breach Investigations Report.” But these attacks are becoming much more sophisticated as cybercriminals turn to AI and other emerging technologies to quickly and cheaply evolve their techniques, including more convincing, personalized social engineering tactics.
Phishing, where cybercriminals impersonate a person or company and attempt to trick users into giving away sensitive information such as passwords or financial details, has skyrocketed by 4,151% since ChatGPT’s public debut in late 2022, according to “The State of Phishing 2024” report.
The report also revealed that more than two-thirds (68%) of all phishing emails are text-based business email compromise. “The diversity and sophistication of BEC types have received a significant boost from the public availability of AI chatbots,” notes the report.
How email threats are evolving
Phishing continues to evolve with new tactics, such as file-sharing phishing, where attackers embed phishing links in shared documents on trusted services. And they’re on the rise: File-sharing phishing attacks skyrocketed 350% in early 2024. Since remote and distributed employees are used to working with file-sharing tools, they may miss some of the red flags associated with more ‘traditional’ phishing emails.
Similarly, multi-channel phishing combines email phishing with other modes of communication such as text messages or messaging apps that are often accessed on a user’s personal (and less secure) device. At that point, it’s easier for cyberattackers to circumvent enterprise-level email security controls.
This can lead to an email account takeover, where cybercriminals use phishing or even a brute-force attack to hijack a user’s email. From there, they gain direct access to corporate data and systems, allowing them to steal data, launch malware or even launch further phishing campaigns that target employees inside the corporate network.
With BEC, cybercriminals impersonate a legitimate person (such as your boss or HR manager) to steal data or commit fraud. Emails might also contain malicious attachments, where employees are tricked into downloading malware or ransomware that compromises the network.
With AI-generated BEC, however, cybercriminals are using AI to create much more personalized social engineering attacks — and they can do it faster than ever, particularly with the plethora of data available on social media channels. That makes it easier for attackers to trick targets with personalized emails.
Yet another tactic is email bombing, where inboxes are flooded with a high volume of emails in a short period of time. These emails bypass spam filters because they’re not spam; perhaps the attacker signs the user up for multiple newsletters or subscription services at the same time, flooding their inbox. The ensuing chaos and confusion is designed to make it easier for the user to miss an alert or click on a malicious link.
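The flood pattern described above can be spotted from message metadata alone, and the messages it is meant to bury can be pulled back out. The following is an added example, not code from the article or from Google Workspace; the thresholds, the sign-up keyword list and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed thresholds and keywords (not from the article); tune per mailbox.
WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 8        # messages within WINDOW that count as a flood
MIN_DOMAINS = 6         # a bomb arrives from many unrelated legitimate senders
SIGNUP_RE = re.compile(r"confirm|subscri|welcome|verify|newsletter", re.I)

def detect_bombing(messages):
    """messages: (iso_timestamp, sender, subject) tuples for one mailbox.
    Returns (start, end, buried) for the flood, or None if there is none.
    buried = messages inside the flood that do not look like sign-up mail,
    i.e. the ones the flood is meant to hide. Separate floods are merged."""
    msgs = sorted((datetime.fromisoformat(t), s, subj) for t, s, subj in messages)
    window, flood = deque(), []
    for msg in msgs:
        window.append(msg)
        while msg[0] - window[0][0] > WINDOW:   # drop mail older than WINDOW
            window.popleft()
        domains = {sender.rsplit("@", 1)[-1].lower() for _, sender, _ in window}
        if len(window) >= MIN_MESSAGES and len(domains) >= MIN_DOMAINS:
            flood += [m for m in window if m not in flood]
    if not flood:
        return None
    buried = [m for m in flood if not SIGNUP_RE.search(m[2])]
    return flood[0][0], flood[-1][0], buried

# Constructed sample: one normal morning mail, ten sign-up confirmations from
# ten domains in nine minutes, and one genuine bank alert in the middle.
SAMPLE = [("2024-05-01T08:02:00", "alice@corp.example", "Q2 planning notes")]
SAMPLE += [(f"2024-05-01T14:0{i}:00", f"noreply@list{i}.example",
            "Please confirm your subscription") for i in range(10)]
SAMPLE.append(("2024-05-01T14:06:30", "alerts@bank.example",
               "New payee added to your account"))

if __name__ == "__main__":
    start, end, buried = detect_bombing(SAMPLE)
    print(f"flood {start} to {end}; review these first:")
    for when, sender, subject in buried:
        print(f"  {when}  {sender}  {subject}")
```

Requiring many distinct sender domains keeps a single noisy system, such as a build server, from being reported as a bombing.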
Google Workspace email security protection
That’s why email shouldn’t be an afterthought in an organization’s cybersecurity strategy. As attacks become more sophisticated, security defenses and cyber training need to evolve along with them. IT teams must ensure their security defenses are able to handle these new, evolving threats — and that employees are trained to recognize them.
Google Workspace has a suite of built-in security protections that can help keep your organization’s data safe, including phishing protections, email encryption and proactive alerts. With certain Enterprise editions, you’ll also have access to Security Sandbox, which can scan attachments in a virtual environment to detect threats that may be missed by traditional antivirus programs.
But these features are only as good as their configurations. If they’re not set up properly, you could be leaving the door open for spam, spoofing and phishing. And they need to be backed up by comprehensive security training for employees.
For example, while many users might understand what a traditional phishing attack looks like, they may not understand how some of the newer threat vectors work.
How Pythian’s Email Security Deep Dive can help
Does your team have advanced knowledge of Google’s spam filtering service and email security settings? Are you using all available features in Google Workspace to secure your email services, protect your data and prevent email spoofing? Are you sure that all settings are configured properly, so there aren’t any holes in your security defenses?
Pythian’s team of security experts can help ensure your organization is adhering to Gmail security best practices, including email authentication and phishing detection. And, with our expertise in DMARC, SPF and DKIM, email protections apply to any email platform your organization is running, including Gmail and Microsoft 365.
As part of Pythian’s Email Security Deep Dive fixed-fee service, we’ll make sure you’re taking advantage of Google Workspace’s robust security features, including email authentication, phishing protection and spoofing protection. But Pythian goes beyond technical security reviews to focus on the human element to ensure your data is protected through a people-first approach, including comprehensive training.
Cybercriminals are continuing to innovate, using AI and emerging technologies to launch more sophisticated attacks at speed and scale. Staying proactive, and combining tech-based and human-based defenses, can help you stay one step ahead.
Ready to get started defending your organization against email threats? Contact us at info@pythian.com to find out how we can help.