Phishing attacks continue to ramp up – data from Trend Micro’s 2023 Email Threat Landscape Report shows a notable 29% increase in phishing detections. It’s no wonder that phishing/BEC was deemed the biggest factor contributing to cyber risk, according to a Trend Micro survey of US cybersecurity leaders.
Understandably, it's becoming increasingly difficult for employees to discern phishing given its many forms. No longer just a Nigerian Prince looking to share his wealth, now phishing has branched into several different forms that include AI-powered text messages and phone calls:
- Spear phishing: targeted email phishing
- Whaling: Executive email phishing
- Harpoon Whaling: Highly-targeted executive phishing
- BEC: Business email compromise (CEO fraud)
- Smishing: Text message (SMS) phishing
- Vishing: Voice (phone call) phishing
- Quishing: QR code phishing
- Angler phishing: Social media phishing
Organisations understand the importance of protecting sensitive information and avoiding a data breach. However, security teams are struggling to contain phishing attacks. Security risks increase due to the inability to view and successfully filter email threats, accurately differentiate between marketing and phishing emails, and apply a multi-layered email security approach with rules to holistically track traffic and stop malicious actions in real life.
This article explores email security best practises to defend against phishing attacks to reduce cyber risk.
Phishing attack trends
Cybercriminals are always evolving their tactics to stay one step ahead of their victims. Here are a few recent changes:
1. AI-enabled harpooning: Harpoon whaling occurs when malicious actors perform detailed, target- and perfect- specific research prior to initiating an attack. AI tools such as ChatGPT bridges phishing’s scalability and whaling’s per-message impact to result in scalable, highly profitable harpoon whaling attacks. ChatGPT can coordinate, in an adaptive way, a series of flawlessly written messages that increase in emotional intensity while being able to recognise the content of previous messages.
2. QR codes: Cybercriminals have tapped into a new technique that leverages QR codes via scam emails. A recent phishing campaign targeting a notable energy company in the US used QR codes embedded in images to bypass email security tools that scan a message for known malicious links.
3. New top level domains are taken advantage of: In May 2023, Google released the top-level domain.zip to the public, and it was quickly leveraged by cybercriminals to run phishing campaigns. The familiarity of.zip can add confusion that leads a user to a malicious website.
4. Multiple phishing forms used in tandem: Cybercriminals want to create a sense of urgency to prompt victims to act quickly. To do this, they’ve turned to doubling or tripling-up on phishing techniques. The National Cyber Security Centre reported several incidents where multiple phishing techniques were used, such as sending a whaling email followed up by a phone call (vishing) to quickly establish trust and confirm the request.
Email security best practises: a layered approach
Strengthening your email security won’t just reduce the financial impact, it can also help you obtain or renew cyber insurance coverage. Questions like “Do you pre-screen emails for potentially malicious attachments and links?” and “Do you have the capability to automatically detonate and evaluate email attachments in a sandbox to determine if they are malicious prior to the delivery to the end-user?” appear on cyber insurance applications. And if you answer no, you could be immediately denied without a chance to reapply.
While native email security is a good start, it simply isn’t enough to protect your business. In 2022, Trend Micro detected and blocked over 39 million malicious emails that slipped past native defences.
How does a layered security approach work? We’ve broken it down into four steps to demonstrate how multiple security capabilities and technologies work to thwart phishing attacks:
1. Email gateway
When an email first comes into the company, it should be inspected by an email gateway. Traditional email security may only provide basic email filtering and protection. Look to use the latest threat defences like AI, ML, and behavioural analysis within a single dashboard to reduce manual tasks for overstretched security teams.
Capabilities like authorship analysis compares a suspected impersonation to an AI model of a high-profile user’s writing style. This establishes a baseline to flag anomalies for security teams to further investigate.
2. Cloud app security
Cloud Application Security Broker (CASB) technology ensures that if an email does make it into the inbox and is later deemed malicious with new intelligence or by performing more analysis (such as scanning for QR codes) on the links, attachments contained, it can be extracted from mailboxes. The right CASB solution will be able to scan emails between peers to prevent compromised accounts from sending phishing messaging to other employees.
3. Educate your users
Simply deploying an Acceptable Use Policy (AUP) is too restrictive and will impact productivity. You also run the risk of employees finding creative ways around it to get work done, which creates more security risk by unknowingly expanding the attack surface. Embedding notifications at the top of emails that flag the source as external help employees look at it with a more sceptical eye.
Run phishing simulations to test employee awareness and vigilance. Some cybersecurity vendors will offer security awareness products with their email security solution. Trend Micro™ Phish Insight offers customisable training programmes to educate users on the most prevalent and recent threats. You can put their knowledge to the test by running automated and realistic simulations using templates extracted from real phishing scams.
To improve employee engagement in awareness training, use gamification, contests, and different forms of media. Recognising success and improvements—no matter how small—is also vital to employee buy-in.
4. Secure web gateway (SWG)
SWG sits between the end users and the internet, inspecting traffic inline across multiple security techniques, including TLS/SSL.
If a user does click a malicious link, SWG technology will perform image analysis and use machine learning to analyse branded elements, login forms, and other site content to recognise fake websites while reducing false positives. Also, with an Acceptable Use Policy (AUP) in place, risk can be further limited by disabling access to unsanctioned apps requiring users to input sensitive personal information.
Integration with a broader platform
Instead of deploying a disparate security solutions, look for an offering that is part of a unified cybersecurity platform backed by broad third-party integrations and extended detection and response (XDR) capabilities.
XDR collects and correlates email activity data as well as geo-location, time and access information, plus other behaviour indicators to build a user profile and determine a risk score. Thus, if a deviation is detected and the risk level increases, it is flagged for further investigation. Correlating data also helps to shrink the attack surface exposure and reduce the likelihood of a breach.
For more information on email security, check out the following resources: