Email is the foundation of most business operations. Individuals can receive dozens and sometimes hundreds of emails per day. Cybercriminals have exploited email to bypass security infrastructure and will continue to do so. Using deception and obfuscation, cybercriminals work persistently to coax users into actions that load malicious software, steal credentials or authorize illegitimate financial transactions.
These attacks have become well known among security teams: ransomware, phishing, business email compromise (BEC), supply chain fraud and account takeover. Defeating these threats requires a holistic effort of both technical and administrative controls.
Technical controls such as an email gateway, cloud account compromise detection, authentication and isolation can dramatically improve organizational resilience against email-based attacks. However, piecing a solution together from disparate products leaves gaps in protection. The best way to safeguard people from the phishing tactics targeting them, and to defend your organization from these threats, is an integrated, multi-layered threat protection platform.
For administrative controls, the focus is on user knowledge and awareness: understanding how attackers lure users into unsafe actions. By keeping users aware of the techniques and tricks of cybercriminals, you can transform them from targets into defenders. Defenders can identify, avoid and report malicious emails and keep the organization's data, operations and finances safe.
Figure 1: Overview of CISOs’ top cybersecurity concerns for the next 12 months (Source: Proofpoint 2021 Voice of the CISO Report)
How to Combat Email Threats
Implement technical controls that can adapt to evolving threats
Defeating email threats requires a holistic effort, using both administrative and technical controls. Technical controls like an email gateway, cloud account compromise detection, authentication and isolation can dramatically improve organizational resilience in defeating email-based attacks. However, piecing together disparate products to create a solution can leave gaps in protection.
That’s why an integrated and multi-layered threat protection platform for security is a more effective approach to protect your organization and users from email-based threats. You’ll also want to have controls that use artificial intelligence (AI) and threat intelligence, so you can adapt to evolving threats.
An effective, integrated and multi-layered threat protection platform should provide:
Email and cloud detection:
- Dynamically detect and block email and cloud threat variants
- Identify various threat tactics
- Tag external email to alert recipients of its origin
- Analyze multiple email attributes (email header, sender’s IP, reputation and message body) for urgency
- Use Advanced BEC Defense, a machine learning-based detection engine that learns in real time and analyzes every message detail
- Enforce email authentication, such as SPF, DKIM and DMARC
- Block all attempts to send unauthorized emails from your trusted domains
- Dynamically report on lookalike domains across digital channels
- Identify the Very Attacked People™ (VAPs) in your organization, showing which users are being targeted with impostor threats
- Provide granular threat details
- See which suppliers pose the highest risk to your organization
- Uncover malicious lookalikes of your domains and your suppliers’ domains
- Reveal who is sending emails using your domain, including trusted third-party senders
- Quarantine or remove suspicious or unwanted messages with one click—or automatically
- Automate abuse mailbox process
- Enable users to report suspicious messages directly from the warning tag
- Isolate user browsing sessions automatically based on their risk profile
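The list above names three checks a gateway performs on every inbound message: evaluating the SPF, DKIM and DMARC results, tagging external mail so recipients see its origin, and spotting lookalikes of your own and your suppliers' domains. The following script is an added example written for this post, not Proofpoint code; the domains (example.com, supplier.example), the Authentication-Results header values and the three sample messages are all constructed. It reads the Authentication-Results header a receiving MTA would add, checks DKIM alignment with the From domain, prefixes the subject of external mail, and flags homoglyph and typosquat lookalikes separately from authentication, because a lookalike domain can legitimately pass DMARC for itself.

```python
"""Inbound mail triage: evaluate SPF/DKIM/DMARC results, tag external mail and
flag lookalike sender domains. Added example (not Proofpoint code); the domains
and messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical configuration: the domains you own and your suppliers' domains.
ORG_DOMAINS = {"example.com"}
SUPPLIER_DOMAINS = {"supplier.example"}
PROTECTED_DOMAINS = ORG_DOMAINS | SUPPLIER_DOMAINS

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Collapse common homoglyph tricks ('rn' for 'm', 'vv' for 'w', digits for letters)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_subdomain_of(domain: str, parent: str) -> bool:
    return bool(parent) and (domain == parent or domain.endswith("." + parent))


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates a protected domain without being one."""
    if any(is_subdomain_of(domain, p) for p in PROTECTED_DOMAINS):
        return False
    nd = normalize(domain)
    labels = re.split(r"[.-]", nd)
    for p in PROTECTED_DOMAINS:
        if nd == p or edit_distance(nd, p) <= 1:
            return True
        if p.split(".")[0] in labels:  # e.g. example.com.attacker.test, secure-example.net
            return True
    return False


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain from Authentication-Results."""
    results = {k.lower(): v.lower() for k, v in AUTH_RESULT.findall(header)}
    m = DKIM_DOMAIN.search(header)
    results["dkim_domain"] = m.group(1).lower() if m else ""
    return results


def triage(raw_message: str) -> dict:
    """Decide deliver / tag-external / quarantine for one inbound message."""
    msg = message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    dmarc = auth.get("dmarc", "none")
    dkim_aligned = auth.get("dkim") == "pass" and is_subdomain_of(from_domain, auth["dkim_domain"])

    if any(is_subdomain_of(from_domain, d) for d in ORG_DOMAINS):
        # Our own domain in From: trust it only when DMARC (SPF/DKIM plus alignment) passed.
        verdict = "deliver" if dmarc == "pass" else "quarantine"
    elif is_lookalike(from_domain):
        # A lookalike can pass DMARC for *its own* domain, so this check is independent.
        verdict = "quarantine"
    elif dmarc == "fail":
        verdict = "quarantine"
    else:
        verdict = "tag-external"

    subject = str(msg.get("Subject", ""))
    if verdict == "tag-external":
        subject = "[EXTERNAL] " + subject
    return {"from_domain": from_domain, "dmarc": dmarc, "dkim_aligned": dkim_aligned,
            "verdict": verdict, "subject": subject}


# Constructed sample messages, as they would look after the receiving MTA added its results.
SAMPLES = {
    "legit_supplier": ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supplier.example;"
                       " dkim=pass header.d=supplier.example; dmarc=pass header.from=supplier.example\n"
                       "From: Accounts <ap@supplier.example>\nSubject: Invoice 1042\n\nPlease find attached.\n"),
    "spoofed_internal": ("Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;"
                         " dkim=none; dmarc=fail header.from=example.com\n"
                         "From: CEO <ceo@example.com>\nSubject: Urgent wire\n\nSend today.\n"),
    "lookalike": ("Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=supp1ier.example;"
                  " dkim=pass header.d=supp1ier.example; dmarc=pass header.from=supp1ier.example\n"
                  "From: Accounts <ap@supp1ier.example>\nSubject: Updated bank details\n\nNew account.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The lookalike sample is the instructive one: every authentication result is "pass", because the attacker controls supp1ier.example and published its own SPF and DKIM records, so the message is caught only by the domain comparison, not by DMARC. The spoofed internal message is the opposite case, where DMARC enforcement on your own domain does the work.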
Implement administrative controls (in this context, security awareness training) that ensure users understand the do’s and don’ts of email fraud and security
User knowledge and awareness also play a critical role in improving email security. By keeping users aware of the techniques and tricks of cybercriminals, you can help them transform from targets to defenders who can identify, avoid and report malicious emails—and help keep the organization’s data, operations and finances safe.
User awareness should focus on safe computing practices and cautions. Organizations should leverage tools that provide routine micro-learning to help improve users’ knowledge and awareness of common security threats involving email. The following is a summary of good practices that user awareness training should cover to reduce the risk of email fraud and phishing attacks:
- Be wary of emails requesting immediate payments, account information or tax records.
- Emails that demand secrecy are a big red flag.
- Be on the lookout for requests that ask you to change accounts where routine and repetitive payments are made.
- Always look at the email address carefully; the actual address may not match the company or person requesting the money.
Cloud account compromise:
- Remember that anyone can be a victim.
- Use complex, long passwords. Attackers can easily guess passwords based on dictionary words, pets’ names or other personal information. Also, change your password routinely.
- Verify any email from your support or IT organization asking you to provide your password. Always validate these requests.
- Do not download add-ons unless your IT organization approves them.
Supply chain attacks:
- Confirm all payment requests using a trusted form of communication.
- Do not open or download documents unless you verify that those documents are from a known partner and they are part of a legitimate and known business process.
- Never enable content or macros in unsolicited or unexpected documents.
- Be wary of unexpected emails that have links or attachments.
- Always look at the email address carefully; the email address may not match the actual address of known companies, work colleagues or friends.
- Be sure to back up your data routinely in case ransomware is accidentally loaded; you can then restore your data rather than pay.
- Be careful of “scary” emails that inform you that an account or personal information has been compromised and you must take immediate action by clicking a link or providing secret information.
- Be wary of “too-good-to-be-true” emails that provide windfall offers or lead you to believe you’ve won a prize and provide a link to claim the offer or prize.
- Never provide confidential or personal information in an email form.
- Always carefully examine email addresses to ensure they match who the email is purportedly from.
Get Started Now on Raising User Awareness: Use the Proofpoint Email Fraud and Security Awareness Kit
To help organizations raise users’ awareness and knowledge about email fraud and security further, we’ve curated a selection of free resources to support users’ understanding of best practices to apply to work and personal email.
The Proofpoint Email Fraud and Security Awareness Kit provides written, visual and video content that can be emailed, displayed, posted or presented to reinforce safe email practices. In the kit, you’ll find a description on how to use the materials, a suggested communication plan and deployment schedule. You’ll also find guidance and tips for successfully executing a password improvement awareness campaign using the materials provided.
You can access the kit here.
Learn more about email security and protection
Learn about our market-leading solutions and how to defend against phishing, email fraud, ransomware and more here.