Email Security
The theme for this month continues with Email Security. The topics and safe practices we have discussed thus far (Phishing, Malware, Password Security and Data Classification) all contribute to an organisation's email security hygiene. It is clear that a layered approach (Defence in Depth) is required in security.
Defence in Depth is a fundamental cybersecurity strategy that involves layering multiple security measures to protect an organization’s assets. Rather than relying on a single security solution, this approach aims to create overlapping layers of defence.
Examples of email-based threats:
- Phishing: Email sent by threat actors, posing as a trustworthy source, designed to manipulate the end user into providing sensitive information. Attackers trick a user into sending money or providing confidential information.
- Spam: Users receive unsolicited email, usually in bulk, some of which contains malware.
- Spear Phishing: A type of phishing attack where the email is sent to specific, targeted individuals within the organization.
- Whaling: A type of phishing attack similar to spear phishing, but targeting senior executives within the organization.
- Password/Email Exposure: Employees use organizational email accounts and passwords to sign up for social media, leaving them susceptible to email and/or password exposure in a social media breach.
Business Email Compromise
According to the Microsoft Security insider Cyber Signals Issue 4: “Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated.”
Business email compromise (BEC) defined
Business email compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam. BEC scams are on the rise due to increased remote work—there were nearly 20,000 BEC complaints to the FBI last year.
To assist individuals and organizations further in avoiding BEC, the FBI has also published a list of red flags and tips for recognizing and preventing such BEC attempts:
- Unexplained urgency: Be sceptical of last-minute changes to wiring instructions or recipient account information.
- Last-minute changes to wire instructions or recipient account information: Verify any changes of information via the contact on file; do not contact the vendor through the number provided in the email.
- Last-minute changes to established communication platforms or email account addresses: Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Communications only in email and refusal to communicate via telephone or online voice or video platforms: Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address appears to match who it is coming from.
- Requests for advanced payment of services when not previously required: Be wary of last-minute changes to wiring instructions or recipient account information.
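Two of the red flags above (misspelled domain names in hyperlinks, and a sender address that does not match who the email claims to come from) can be checked mechanically before a message reaches the inbox. The following is an added example, not code from the original article or from the FBI material; the trusted-domain list and the sample From: headers and links are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation actually corresponds with (constructed for this example).
TRUSTED_DOMAINS = ("example.com", "vendor-example.com")


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain that `domain` imitates, or None.
    Exact matches are trusted; near matches (one swapped or dropped
    character, e.g. examp1e.com) score above the similarity threshold."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None


def flag_sender(from_header):
    """Red flags in a From: header: a lookalike sender domain, or a display
    name that shows one address while the real address uses another."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"sender domain {domain} resembles trusted {imitated}")
    shown = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if shown and shown.group(1).lower() != domain:
        flags.append(f"display name shows {shown.group(1)} but address is {domain}")
    return flags


def flag_links(html):
    """Red flags in body links: visible text naming one domain while the
    href points to another, or an href on a lookalike of a trusted domain."""
    flags = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        host = urlparse(href).hostname or ""
        visible = re.search(r"(?:[\w-]+\.)+[a-z]{2,}", text, re.I)
        if visible and visible.group(0).lower() != host:
            flags.append(f"link text shows {visible.group(0)} but points to {host}")
        elif lookalike_domain(host):
            flags.append(f"link points to lookalike domain {host}")
    return flags
```

Such checks complement, rather than replace, the out-of-band verification the FBI recommends: a message that passes them can still be sent from a legitimately compromised account.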
Future Cybersecurity Landscape
What does the future hold in the evolving landscape of Cybersecurity? According to a recent report by Orange Cyberdefense, titled Cy-Xplorer 2024: “Cyber threats will continue to evolve, and we must continue to adapt to the threat.
GenAI has yet to show us what contribution it can make, beyond being an enabler for social engineering and phishing attacks, as well as increasing one's attack surface. The evolution of GenAI as a real catalyst for automating attacks has yet to have an impact.”