Online threats are on the rise. According to a report by Check Point Research, the Asia Pacific region experienced a 168% increase in cyberattacks between May 2020 and May 2021, with Singapore one of the countries worst affected by this increase. A diligent approach to cybersecurity should therefore be a priority for all organisations in the coming years, but sadly many enterprises fail to account for one of their most significant cybersecurity vulnerabilities: poor cybersecurity awareness.
There are many common misconceptions about the way cyber criminals operate. Cyber criminals, or ‘hackers’ as they’re frequently termed, are often thought to be skilled criminal masterminds who possess advanced technical knowledge that lets them circumvent network security measures. While such cyber criminals do exist, the vast majority have no such skills, and instead perform opportunistic attacks that rely on a high degree of end user compliance.
According to recent data, around 80% of data breaches can be traced back to user error or negligence, with mistakes ranging from database misconfigurations, which leave sensitive data exposed, to the sharing of account credentials with someone (wrongly) believed to be a trusted entity. Keen to exploit poor end user security knowledge, cyber criminals have developed a variety of tactics to penetrate corporate networks, with one tactic surpassing all others in terms of efficacy and prevalence: phishing.
What is Phishing?
‘Phishing’ refers to a range of techniques whereby scammers impersonate trusted individuals or corporate entities, typically to extract compromising information or a direct financial reward from their victims. Phishing is most often conducted using email, but scammers can also use text messaging (SMS phishing or ‘smishing’) as well as phone calls (voice phishing or ‘vishing’).
Phishing messages can take many forms, but more often than not they contain coercive language designed to evoke panic, a sense of urgency, or occasionally excitement at the prospect of an enticing prize or unique opportunity. The aim of this language is to have the victim comply with further instructions without considering the risks involved, due to fear or excitement clouding their judgement.
Malware is also frequently deployed in phishing scams, with ransomware or spyware-infested files often attached to phishing emails.
Accounting for around 54% of successful cyber attacks, phishing is the most widely encountered cyber threat, and one that many end users are ill-equipped to spot. Additionally, many organisations believe that email filtering tools offer adequate protection against such scams, and while they are an effective and helpful security measure, they do have their limitations.
Why aren’t email protection tools sufficient on their own?
A range of technical measures can, and should, be used to limit email-based threats, including phishing. Email anti-virus, spam filters and phishing protection platforms are indeed effective at intercepting rogue emails and malicious attachments, and the use of email encryption is a beneficial measure for protecting sensitive data in transit.
Such measures should, however, be used in conjunction with security threat awareness training to ensure that users know how to identify threats that inevitably slip through the protective net. Here’s why email protection tools aren’t 100% effective:
‘Zero-Day’ attacks go undetected
Most email filtering tools use something called ‘signature-based detection.’ This involves comparing the profile of inbound mail (URLs and attachments) against a library of known threat signatures. While largely effective, the system offers no protection against newer threat sources that haven’t yet been added to this library (zero-day attacks), resulting in such mail making its way through to email inboxes.
Email Spoofing attempts can go unchallenged
When you send an email using a typical email client, your email address is automatically entered in the ‘From’ field, which is displayed when the recipient opens the message. Unfortunately, using simple coding, hackers can alter this address in order to impersonate someone trusted by the victim, with the email’s true origin only revealed through close inspection of the email header. Not all email security tools are configured to detect this type of attack, making security awareness training a vital line of defence.
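The header inspection described above can be automated on the receiving side. The following is an added example, not part of the original article: Python using only the standard library, run over two constructed messages with placeholder domains. The function names are hypothetical, and it assumes the Authentication-Results header was written by your own receiving mail server.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample messages (not real mail); every domain is a placeholder.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.example.net; dmarc=fail header.from=bank.example
From: "Example Bank" <alerts@bank.example>
Reply-To: support@bank-helpdesk.example
Subject: Urgent: verify your account

Body text.
"""
LEGIT = """\
Return-Path: <alerts@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dmarc=pass header.from=bank.example
From: "Example Bank" <alerts@bank.example>
Subject: Your statement

Body text.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoofing_indicators(raw):
    """List reasons the visible From address may not reflect the true sender."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    # Envelope sender and reply address should normally share the From domain.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # DMARC ties SPF/DKIM results to the domain shown in the From field.
    m = re.search(r"\bdmarc=(\w+)", msg["Authentication-Results"] or "")
    if m is None:
        findings.append("no DMARC result recorded")
    elif m.group(1).lower() != "pass":
        findings.append(f"DMARC result is {m.group(1).lower()}")
    return findings
```

A mismatched Return-Path is an indicator rather than proof, since legitimate bulk-mail services often use their own bounce domain; the DMARC result is the stronger signal.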
Many email security tools can’t detect internal threats
Email gateway protections are typically configured to detect incoming threats, and are of no use in thwarting threats originating from within an organisation. A compromised corporate email account could therefore be used to propagate malware or obtain sensitive information unless staff are able to spot a malicious sender.
Criminals can develop tactics to get round email filters
By accessing the MX record for a particular domain name, cyber criminals can see what filtering techniques an organisation is using and develop evasion techniques accordingly. Quite often the information email scammers need to evade detection can be obtained via a quick Google search.
With the global cost of cybercrime expected to rise to $10.5 trillion by 2025, and with email the attack medium of choice for over 50% of attacks, it’s never been more important to ensure your staff know how to spot email-based threats.
That’s why Asia Cloud has partnered with Phished, a leading security awareness training provider, to offer their innovative employee training services as part of our comprehensive AC360 Shield email security offering. Stay tuned for our next article where we’ll explain how AC360 Shield offers holistic email security that recognises the risks posed by poor end user security awareness.
AsiaCloud - Your Trusted IT Partner
Secure, back up and educate: email security requires a three-pronged approach, something that so many IT providers fail to comprehend.
Combining cutting-edge, dynamic email gateway security, immersive employee email security training and a dedicated cloud backup, AC360 Shield aims to address every vulnerability present in your corporate email service and give your team the skills to thwart even the most convincing email scammers. Why not get in touch today to find out more?