Protecting your organization against BEC and other email attacks
No matter who you talk to or work with, they probably use email as a primary means of communication. Most of us spend about 5 hours a day checking email, sometimes refreshing our inboxes even while in meetings or during meals. Email is integrated into almost every part of our day and, much to the pleasure of cybercriminals, is full of vulnerabilities.
Business Email Compromise (BEC) attacks are skyrocketing as organizations rely on decades-old email protocols and standards, and bad actors perfect social engineering. The good news is that automated email certificates can help organizations avoid these attacks and protect their employees against spear phishing attacks.
Cybercriminals use your people against you
There’s a direct correlation between social engineering and BEC, and your workforce is the gateway to a direct attack. It’s no longer accurate to assume that breaches are caused by brute force. Instead, bad actors are savvy social engineers that use spear-phishing emails as a primary entry point.
IBM X-Force Red, IBM’s autonomous team of veteran hackers that get hired to break into organizations and uncover risky vulnerabilities that criminal attackers may use for personal gain, reports that 26.5% of recipients click on malicious links sent through email. Phishing is consistently successful.
Bad actors keep a pulse on your organization, watching for remote working, operational changes, or the good old email from the boss, any of which is a prime opening for targeting one of your good-natured and helpful employees with a personalized email.
For example, let’s say your accounts receivable manager gets an email from the CFO or another finance executive requesting an aging report that lists all customers who owe the company money, how much, and when payments are due. And it’s urgent for an executive meeting today. The familiar and influential sender, personalized information, realistic scenario, and sense of urgency may cause even the most well-intentioned employee to quickly share that sensitive information.
However, the sender is not a company executive but a criminal who has used a spoofed email address. Now the criminal can turn that financial data into payment requests to your customers that funnel any payments into their own bank account. Completely unaware, employees become an accessory in severely damaging BEC attacks.
Cybercriminals use social engineering to prey on human emotion and:
- Gain access to employee credentials, customer and employee personally identifiable information (PII), financial accounts, private conversations, and other non-public secrets
- Trick employees into clicking links to malware sites to infect computers in the enterprise and possibly to perpetrate a ransomware attack
- Deceive employees into wiring money to accounts that appear to belong to suppliers or other partners but are really controlled by criminals, and more.
Despite the dangers, many adopt a “that won’t happen to me” mentality and miss early warning signs and the chance to update their infrastructure before it’s too late. When it comes to email attacks, every organization is vulnerable unless strategic precautions are taken. There’s a high cost to believing that infiltration won’t happen to you.
Damaging BEC attacks have a major financial impact
In 2020, the FBI reported 19,369 BEC and email account compromise complaints that led to adjusted losses of over $1.8 billion. According to the APWG, a nonprofit group that works to unify the global response to cybercrime, there was a noticeable increase in the average wire transfer loss from damaging BEC attacks from $54,000 in the first quarter of 2020 to $80,183 in the second quarter.
Still not convinced? The Internet Crime Complaint Center (IC3) handled 166,349 incidents worldwide between June 2016 and July 2019, exposing a $26,201,775,589 loss. There’s no safe geography, industry, or segment. If you have a team with email accounts, they’re being targeted – and so are you.
S/MIME certificates defend against email-based attacks
Clearly, enterprises must rethink their strategies for securing email communications and systems. To protect email from today’s sophisticated attacks, enterprises need a complete security approach that enables both email encryption and authentication of digital identities for all employees and devices.
Leveraging numerous sophisticated security features, S/MIME (Secure/Multipurpose Internet Mail Extensions) email certificates give employees the confidence to trust their digital correspondence and avoid many of today’s attacks by authenticating the sender, encrypting email content and attachments, and assuring that the email hasn’t been altered during transmission or storage.
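The following added example, which is not from the original article, applies the spoofed-CFO scenario above to header triage: it flags an executive display name arriving from an external domain, a Reply-To that points elsewhere, and the absence of an S/MIME signature structure. The domain `example.com`, the name "Dana Reyes" and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumption: your organization's mail domain
EXECUTIVE_NAMES = {"dana reyes"}    # constructed name of a finance executive
SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def has_smime_signature(msg):
    """Structural check only: the mail client or gateway must still verify
    the signature and certificate chain before the sender is trusted."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return str(msg.get_param("protocol") or "").lower() in SIG_PROTOCOLS
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return str(msg.get_param("smime-type") or "").lower() == "signed-data"
    return False

def triage(raw):
    """Return header-level findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if display.strip().lower() in EXECUTIVE_NAMES and domain != ORG_DOMAIN:
        findings.append("executive display name from external domain")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    if not has_smime_signature(msg):
        findings.append("no S/MIME signature")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = (
    "From: Dana Reyes <dana.reyes@examp1e-finance.test>\n"
    "Reply-To: dana.reyes@mailbox.test\n"
    "Subject: Aging report needed today\nContent-Type: text/plain\n\n"
    "Please send the aging report before the executive meeting.\n"
)
SIGNED = (
    "From: Dana Reyes <dana.reyes@example.com>\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nReport request.\n"
    "--b1\nContent-Type: application/pkcs7-signature\n\n(placeholder)\n--b1--\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("signed", SIGNED)):
        print(name, triage(raw))
```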
Just as cybercriminals evolve their practice, so does the automated technology that counters those attacks and protects employees against spear phishing. There’s a newfound ease in using S/MIME certificates for email security, as both public and private S/MIME certificates can be issued from a single, cloud-based platform. Security, identity, and compliance are simple to achieve with a zero-touch and automated system that is invisible to the user.
Damaging BEC attacks are increasing, and, in parallel, damages are only getting worse. With bad actors on the loose targeting your workforce, your organization’s aging email infrastructure and practices are no match. This exposure can put your enterprise in jeopardy of non-compliance and have grave financial consequences. Modernizing your email security with a zero-touch email certificate deployment helps avoid these attacks and protect your workforce against email attacks.