Valimail blog

The core problem with email security

Author: Valimail

Email reaches half the world’s population, and is the leading attack vector for cyber crime. Everyone from petty criminal gangs to state-sponsored espionage groups makes use of email as a primary delivery vehicle for the vast majority of their attacks.

To cite just one among many sources, the 2019 Verizon Data Breach Investigations Report (DBIR) names email phishing attacks as the number one cause of data breaches.

And costs are rising. The Federal Bureau of Investigation estimates that business email compromise (BEC) attacks (the fastest growing type of spear phishing) cost companies $12.5 billion between October 2013 and May 2018. It gets worse, though: The cost of BEC more than doubled to $26 billion for a similar three-year period from June 2016 to July 2019.

The security industry has responded to this threat by investing billions of dollars into new anti-phishing products and technologies. Unfortunately, most of them are woefully inadequate to stop phishing attacks.

For too long, the industry has relied on employee security awareness training and tools for content scanning, spam blacklisting, and artificial intelligence to protect against phishing.

Meanwhile, criminals continue to adapt and change their attack methods. One reason for the surge in BEC: Clever impersonation attacks slip through most current defenses. That’s one reason that Barracuda recently found that almost 90% of email attacks use impersonation, of either a brand (83%) or a person (6%).

Employee Security Training

Nearly 50% of cybersecurity incidents in 2017 were attributed to human error, so there’s clearly a need for training that covers a variety of best practices for physical and data security, including how to avoid email phishing, hoaxes, and malware.

But if you think employees will be able to detect all email fraud if you just train them well enough, dream on. Human brains are wired to understand and interpret patterns, and you can probably easily read even jumbled text (below left). Attackers make use of this strength and turn it into a weakness, sending their phishing attacks from domains that have “jumbled” text but which your brain interprets as a legitimate sender (below right).

[Image: “The phenomenal power of the human mind” (jumbled text on the left, look-alike sender domains on the right)]

Even the best-trained employees will have a hard time identifying deceptive domains like these, particularly if they’re moving through their inboxes quickly, distracted by other work, or reading on their mobile phones.

Content scanning

Commercial secure email gateways (SEGs) are quite adept at scanning email content for malware, viruses, and bad URLs. Additionally, sandboxing technologies can quarantine email attachments to determine if they’re safe or not. Unfortunately, attackers have moved on from malware-centric email attacks. FireEye reports that 90 percent of email attacks are malware-less, which means they often pass right through SEGs and other defenses focused on scanning for malicious content.

Artificial Intelligence and Machine Learning

Artificial intelligence (AI) and machine learning (ML) techniques can be useful to analyze large volumes of content and monitor network activity. Some email security solutions have used these technologies to map relationships amongst senders and recipients, learn and model expected behaviors, and classify messages with scores meant to indicate their relative level of risk.

These solutions tend to work in two ways. One is to build an understanding of the individual’s and/or organization’s “emailing network” to determine unusual activity based on contextual cues, relationships in the network, etc. IT administrators can spend weeks to months on manual configuration before these systems reach full functionality. The other analyzes content to classify phishing emails based on how similar a message is to known-good messages or how much it has in common with known-bad messages. This method can detect some phishing right away, but still takes time to build accuracy for individual users.

Both methods require a lot of IT resources and time devoted to training and tuning the systems. They also have weaknesses, such as a high rate of false positives (good messages mistakenly labeled as bad). And well-crafted social engineering attacks, which are often nearly indistinguishable from legitimate messages, slip through these filters.

The missing piece

Employee training, content-scanning and filtering solutions like SEGs, and AI/ML techniques all have their place in a complete, layered approach to defending against phish.

But what they miss is a robust approach to validating sender identity. The high rate of impersonation among email attacks mentioned above proves that attackers have recognized this weakness. Impersonation enables attackers to slip through these defenses with malware-less messages that don’t trigger any alarms, delivering deceptive social-engineering attacks right into users’ inboxes. Those emails are aimed at getting users to do something other than click on a link or download an attachment — instead, they direct the recipient to update a payroll direct deposit, or to send payment to a new bank account, or to deliver the codes for iTunes gift cards via email to the “boss” who sent the message.

Without a strong approach to sender identity, impersonation attacks like these will continue to wreak havoc and cost companies billions of dollars.

In our next blog post we’ll look at the three main types of impersonation used by email attackers.

Want to know more? Download our free white paper, Put an end to phishing.

Published September 18, 2019
  • Email
  • Fraud
  • impersonation
  • Phishing
Author: Valimail
Valimail is a pioneering, identity-based, anti-phishing company that has been ensuring the global trustworthiness of digital communications since 2015. Valimail delivers the only complete, cloud-native platform for validating and authenticating sender identity to stop phishing, protect and amplify brands, and ensure compliance. Valimail has won more than a dozen prestigious cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies and organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. For more information visit www.valimail.com.