How Should You Better Protect Your Organization Against Email Threats?

Business email compromise is responsible for a total loss of over USD$40 billion. Know how to protect your business from such email threats with this guide.

If you’re based in Nevada or doing business there, you may be at a higher risk of cybercrime than anywhere else in the country.

The latest cybercrime data from the FBI’s Internet Crime Complaint Center (IC3) revealed that Nevada has the largest number of cybercrime victims and perpetrators per 100,000 internet users at 801 and 150, respectively. By comparison, runner-up Iowa only has 342 victims per 100,000 users, and Alaska—whose population is roughly a quarter of that of Nevada—is third with 322.

Simply put, a cybercriminal manages to victimize at least five users via countless means. One of their preferred methods is email, in this case business email compromise (BEC). Last year, the FBI reported that BEC had been responsible for USD$43.3 billion in losses globally between June 2016 and December 2021. Here’s a look into how your business can avoid becoming a statistic.

Raising Awareness

A scam, online or otherwise, can only be a scam if you don’t believe it to be one. Sadly, people continue to fall even for the most blatant email scams because the scams are designed to make them do so. As University of Florida professor and cybersecurity expert Daniela Oliveira explained in a TED interview: “Deception is as old as human beings, and phishing is deception in cyberspace.”

BEC incidents are prevalent because it doesn’t take much to pull one off, unlike direct attacks like hacking. A perpetrator can create a fake email address and a message concerning a legitimate yet urgent business deal. In most cases, the addresses are close variations of official ones, banking on the probability that recipients won’t be able to spot the minute difference.
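One way a mail filter can catch the "close variation" sender described above, shown as an added example that is not part of the original article: it flags a From domain that is within a small edit distance of a trusted domain. The allow-list, the threshold of 2, and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the business really corresponds with.
TRUSTED = {"example.com", "example-bank.test"}


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED, max_distance=2):
    """Return (verdict, matched_trusted_domain) for a From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    for candidate in sorted(trusted):
        # Close to a trusted domain but not equal to it: likely impersonation.
        if edit_distance(domain, candidate) <= max_distance:
            return ("lookalike", candidate)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Pat Doe <pat@example.com>",
                   "Pat Doe <pat@examp1e.com>",
                   "Pat Doe <pat@exarnple.com>",
                   "News <news@unrelated.test>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a signal to quarantine or banner the message for review, not proof of fraud, since legitimate domains can also be a character or two apart.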

The FBI also stresses that perpetrators employ malware to intrude into a business’s network and peek into its internal communications. They use that information to send their fraudulent emails promptly, mitigating the risk of suspicion on the recipient’s part. Businesses that lack advanced security measures won’t be able to detect such intrusions until it’s too late.

Every member of the business hierarchy should be aware of BEC and how it works. The more an employee knows about it, the more cautious they can be moving forward. If the damage has been done, the FBI recommends contacting the financial institution that facilitated the wire transfer. It also advises filing a complaint with one of its local branches and the IC3.

Employing Defense-In-Depth

The continued evolution of technology applies to perpetrating cybercrime as much as preventing it. Hardware and software have become more affordable to produce over the years, fostering cybercrime growth. Their advanced features for ease of use also ensure that a strong password alone is no longer sufficient.

Because of this, experts have called for defense-in-depth cybersecurity, also known as layered security. This approach calls for a secure email structure protected by layers of other defensive systems. While not impenetrable, defense-in-depth ensures that every attempt will cost the perpetrator, particularly in time.

Most defense-in-depth doctrines state that a network must have at least seven layers. Here they are in order from top to bottom.

  • Policy Layer – internal policies set by the company to manage employee access to data
  • Physical Layer – perimeter controls like security cameras and time-locked doors 
  • Network Layer – managing the transfer of data packets within and beyond the network
  • Endpoint Layer – managing device access to data (e.g., work PCs, tablets, smartphones)
  • Application Layer – codes in an app that contribute to its secure function
  • Data Layer – inspection of data packets to protect them from any compromise
  • Mission-Critical Layer – the data (in this case, the email) in question

You might think having this many is overkill, and you aren’t entirely wrong. Not all forms of data warrant a defense-in-depth system, but crucial assets such as email messages do. More importantly, as humans are regarded as the “weakest link” in any cybersecurity system, the layers serve as redundancies in case an employee unwittingly lets an intruder through.

A defense-in-depth system can be further enhanced with zero-trust principles. Exactly as the term suggests, zero-trust principles assume that no individual or group within or outside the business’s office or network should be entrusted with its data. No matter how many times an individual has accessed the data, a zero-trust architecture will keep asking for verification.

Experts have urged private and public institutions to implement a zero-trust architecture in their networks, especially in their emails. Current security solutions, such as pattern matching, have struggled to catch up with evolving BEC attacks as perpetrators have gotten better at crafting their messages to look like the real deal.

The industry has developed at least four types of email security protocols since 2014, though many businesses have yet to integrate any one of them into their networks. These include:

  • Sender Policy Framework (SPF) – determines if the sender sent the email from an authorized IP address or mail server
  • DomainKeys Identified Mail (DKIM) – attaches a digital signature produced and validated by the mail server to vouch for the email’s legitimacy; ideal for forwarding
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) – verifies an email through domain records verified by SPF and DKIM
  • Brand Identifiers for Message Identification (BIMI) – brands an email that passes SPF, DKIM, and DMARC checks in the form of a logo

As explained here, it’s impossible to employ just one of these protocols on its own because they work together. There are other protocols in use, but industry experts agree that these four are the closest to a zero-trust architecture for email security. If you have other ideas for a zero-trust architecture, the important thing is always to remember to trust no one, not even yourself.
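How the four protocols depend on one another, as an added example that is not part of the original article: a simplified DMARC decision that takes the SPF and DKIM results for a message, checks that the authenticated domain aligns with the visible From domain, and reports whether a BIMI logo could be shown. The message dictionaries, field names, and DMARC records are constructed, and relaxed alignment is approximated by a parent/subdomain test rather than a Public Suffix List lookup.

```python
def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') is approximated
    here as one domain being equal to or a subdomain of the other."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def evaluate(msg, dmarc_record):
    """Combine SPF and DKIM results into a DMARC verdict and disposition."""
    policy = parse_tags(dmarc_record)
    p = policy.get("p", "none")
    # A pass only counts if the authenticated domain matches the From domain.
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["from"], msg["mail_from"], policy.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["from"], msg["dkim_d"], policy.get("adkim", "r"))
    dmarc_pass = spf_ok or dkim_ok
    return {
        "dmarc": "pass" if dmarc_pass else "fail",
        "disposition": "deliver" if dmarc_pass or p == "none" else p,
        # BIMI logos are only shown for domains that enforce DMARC.
        "bimi_eligible": dmarc_pass and p in ("quarantine", "reject"),
    }


# Constructed DMARC records: an enforcing policy and a monitor-only one.
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=r"
MONITOR_ONLY = "v=DMARC1; p=none"

# Constructed messages, all claiming From: example.com.
DIRECT = {"from": "example.com", "mail_from": "bounce.example.com",
          "spf": "pass", "dkim": "pass", "dkim_d": "example.com"}
FORWARDED = {"from": "example.com", "mail_from": "forwarder.test",
             "spf": "fail", "dkim": "pass", "dkim_d": "example.com"}
UNALIGNED = {"from": "example.com", "mail_from": "unrelated.test",
             "spf": "pass", "dkim": "pass", "dkim_d": "unrelated.test"}
```

The `UNALIGNED` message passes SPF and DKIM for a different domain and still fails DMARC, and under the monitor-only `p=none` record that failing message is delivered anyway.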


Email continues to be a widely used medium for communication amid the rise of alternatives such as chat. Data from Statista projects a modest upward trend for the number of email users worldwide, reaching nearly 4.6 billion by 2025. If another technology out there is set to replace email, it may take a generation or two to do so.

However, for cybercriminals, the increase in usage also means an increase in potential victims. As long as email remains relevant moving forward, they’ll keep sending disguised messages to con businesses out of their money. Companies should pay attention to their emails and safeguard them as much as their resources allow.