There has been no shortage of reports concerning the boom in popularity of phishing attacks in the wake of the COVID-19 pandemic. But new research is now emerging, months on from the peak of such attacks, that suggests that email attacks are not only still prominent as 2020 wears on, but have become more proficient and subtle.
This is reflected in a recent report released by Mimecast, which indicated that while 77% of survey respondents say they have a cyber resilience strategy, 60% of respondents believe it is inevitable or likely they will suffer from an email-borne attack in the coming year.
Cyber attackers are learning and adapting as millions work from home, and this has caused concern for some security experts: almost half of survey respondents in Mimecast's study reported anticipating an increase in email spoofing in the next 12 months, with concern always rising.
To better understand the rapid developments in the world of email security, TechDay spoke to Mimecast Australia principal technical consultant Garrett O'Hara.
Phishing has been around for a while, it's not new. But attackers globally are getting better and better at knowing what buttons to push to get people to compromise an end-user.
The days are over where bad grammar and signatures are an obvious indicator of phishing. That's gone away now, these emails are perfect in so many ways – to the point where the things we're looking for as indicators are so small.
This new sophistication is definitely something we're seeing.
It's especially evident in brand impersonation, or brandjacking. Domains are being registered for $20 that look like another brand, and then websites are being cloned by sending in a Reaper which crawls through a website, pulls down the CSS files and the images, which can then be replicated on to that similar-looking domain.
With sophisticated brandjacking and convincing emails, if I'm distracted at work and someone sends me an email, I'm not really primed to slow down and really pay absolute attention to everything I see – and that's how attackers are succeeding now.
COVID-19-related attacks have made up a sizeable portion of the year's attacks, but the reality is, we see the same stuff happening during Black Friday, Christmas, any world event really.
The difference here is that COVID-19 just happened to be a beautiful convergence of factors at a massive scale, where people are working from home globally and there's anxiety and distraction, and people are working on a home ADSL router without the usual corporate protections.
I think business leaders are only now starting to get to grips with what this means. It's often challenging for cybersecurity managers to get the point across to the business around the risk that this stuff actually presents.
But I'm definitely seeing a huge shift, where it actually feels like 2020 is a pivotal year – it's starting to really be understood business decision-makers.
We're seeing an increase in efficient email-borne attacks, but we're also seeing a corresponding increase in the understanding of what this actually means for businesses.
The evolution of thinking for cyber resilience as a discipline culminates in an understanding that you have to build your strategy around the idea that you're not going to be 100% successful.
It doesn't matter how good perimeter security, internal security or security awareness training is within an organisation. The reality is, at some point, somebody who's not security-aware will click on a beautifully created business email that will compromise the system.
It sounds terrible, but to be a good security leader these days you do have to be pessimistic about your strategies so you can accept that you need a plan in place for when things go awry.
This can mean having backups off-site that are away from anything that might be encrypted by attackers, or secondary services so that if a CRM or email server goes down that there is a way to continue business.
The vast majority of attacks are email-based. It's phishing, it's messages with lures, it's credential harvesting – all happening through emails.
Mimecast has a heavy focus on email security – we're a global leader in terms of stopping that stuff from getting to the end-users in the first place.
We also have a strong play in web security. All the expertise we've built up over the years in the email space, so much of that applies to web. For example, if an employee clicks on a malicious link in their Gmail or Outlook, there needs to be a way to block these links that are outside of an email sphere – which we've been doing for a long time.
We also try to head off brand exploitation by looking for combinations of domains that look like they're from a legitimate website, and proactively taking them down using API's before they're ever used on employees or end-users.
It's also about getting people to buy into the culture of security, rather than just having an understanding of it. Having active engagement in security awareness training and trying to change security behaviour is becoming very critical.
To read up on Mimecast's recent State of Email Security Report, click here.
To learn more about COVID-19's direct impact on cybersecurity, click here.
To read Mimecast's Cyber Resilience for Dummies, click here.