Few email users fork over their bank account numbers to Nigerian princes or click links to claim lottery prizes anymore. In fact, as digital natives enter the workforce, the collective sophistication of email users grows.
Yet email scams are still big business. That’s because while users are increasingly savvy, so are the bad actors. Today’s hackers craft emails that look better than legitimate communications from companies. No one is immune to the threats lurking in email inboxes, including organizations that invest heavily in security.
Email threats arrive via three main vectors. The first is spear phishing: bad actors use email to convince people to use their identity and privileges to gain access to something. The second is the installation and execution of ransomware: if users click on malicious links, hackers can take data hostage and demand payment to get it back. The third is the use of email as a vehicle of impersonation. For instance, a message might appear to come from an organization’s chief financial officer with instructions to wire money to a client.
Abandoning Reactionary Security
Educating users can minimize threats, but there’s a point of diminishing returns. It’s counterproductive to expect a mid-level account executive to critically examine every email he receives, because it draws his focus and energy away from the work he’s paid to do.
Traditionally, the security world has been reactionary — we were always fighting the last war. And many organizations continue to augment and expand their existing security arsenals. But new players are taking an entirely different approach — one focused on advancing ahead of the bad actors.
Traditional solutions examined what was attached to emails. They scanned for viruses or malware inside of messages. But those types of threats are obsolete.
Today’s email includes inline pictures, HTML, scripting and functionality, which turns messages into pseudo-web browsers. It can be a powerful marketing tool, but it means that scanning email attachments for viruses or malware is no longer enough. Just opening an email can now serve as the “click” of a URL that takes users to the malware as opposed to bringing it to them in an attachment.
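To make this concrete, here is an added illustration that is not part of the original article: a short Python check that takes a message with zero attachments and lists the content in its HTML body that an attachment-only scanner never examines. The sample message, its example.* addresses and the names `ActiveContentFinder` and `inspect_message` are constructed for the example.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample: an HTML-only message with no attachments.
SAMPLE = """\
From: billing@example.com
To: user@example.org
Subject: Your invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is ready.</p>
<img src="https://tracker.example.net/open.gif?id=123" width="1" height="1">
<a href="https://portal.example.net/invoice">View invoice</a>
<img src="cid:logo">
<script>document.title = "x";</script>
</body></html>
"""

URL_ATTRS = {"src", "href", "background", "action"}  # attributes that carry URLs

class ActiveContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, detail) tuples in document order

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", tag, ""))
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # inline handlers such as onload
                self.findings.append(("event-handler", tag, name))
            elif name in URL_ATTRS and value.lower().startswith(("http://", "https://", "//")):
                # Links need a click; other remote URLs may be fetched on open.
                kind = "link" if tag in ("a", "area") else "remote-load"
                self.findings.append((kind, tag, value))

def inspect_message(raw):
    """Return (attachment_count, findings) for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    attachments = sum(1 for _ in msg.iter_attachments())
    finder = ActiveContentFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return attachments, finder.findings

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```

The `cid:` image is embedded in the message itself and is not reported; the remote image is the kind of element a mail client may fetch as soon as the message is rendered.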