For most small businesses, email is the most valuable tool they have, providing a direct connection between them and their customers. The problem is that this connection is open to anyone who has an interest in exploiting communications to get to sensitive data or access a company’s systems.
The email security facts listed in this article show why email is one of the most favored attack methods among cybercriminals. The direct and yet impersonal nature of email is also the main reason why email-based cyber attacks are so effective. To protect your business against them, you need to understand what you’re up against and think like an attacker to strengthen the weakest sections of your defenses. Let’s start with the former.
Fact #1: Email Is the Main Attack Method
Sending a malicious email message to a business located on the other side of the world is as easy as clicking a button. On top of that, sending hundreds of thousands of malicious email messages is something anyone can do using readily available spam tools.
Since abusing email is so easy, most cybercriminals do it, which is why Cisco Talos intelligence puts the average daily spam volume at 320 billion (yes, billion). Even though it’s true that most spam emails never reach their intended recipients because they get intercepted by spam filters, some do, and they’re collectively responsible for a staggering 91% of all cyberattacks.
Fact #2: Social Engineering Attacks Depend on Email
Most email-based cyberattacks are like a stranger dressed up as someone trustworthy walking up to an employee and asking them to borrow the keys to the office. In the real world, the chances of someone pulling off a social engineering attack like this are slim because humans are good at recognizing other humans. But when a person is reduced to just an email address, determining if they really are who they claim to be becomes much trickier.
It’s so tricky, in fact, that 96% of social engineering attacks are delivered by email, while only 1% are associated with phone or SMS communications.
Fact #3: Email-based Phishing Often Leads to Data Breaches
Phishing—the act of sending a deceiving message to trick someone into revealing confidential information or acting against their best interest—is responsible for nearly ¼ of all data breaches, according to the 2020 Verizon Data Breach Investigations Report.
The cost of a single data breach incident goes way beyond the immediate financial impact of downtime. The repercussions to a company’s reputation are just as serious, and they can last for years, negatively impacting the ability to attract new customers and keep business partnerships.
What’s more, the information revealed in a data breach can be used to target other victims, setting in motion an avalanche of cybersecurity incidents.
Fact #4: The Pandemic Has Accelerated Phishing Attacks
The pandemic has forced employees across many industries to leave the office and start working from home. As a tried-and-tested communication tool, email plays a critical role in the life of any remote worker, and cybercriminals are happily aware of this.
Between February 2020 and May 2020, phishing attacks increased by up to 600%, according to NetSTAR. Before 2020 ended, 74% of organizations in the United States experienced a successful phishing attack. Although the world is slowly but surely getting the pandemic under control, the threat of COVID-19-related phishing remains high.
Fact #5: Windows Executables Are the Most Common Malicious Attachment Type
A Windows executable (.exe) is a file containing a program that Windows runs directly when the file is opened. In phishing emails, executables can be delivered as attachments or via a link within the body of an email.
Attachment-based delivery can be broken down by the type of malicious file attached, which is exactly what security company ESET did at the end of 2020. Here are its findings:
- Windows executables (74%)
- Script files (11%)
- Office documents (5%)
- Compressed archives (4%)
- PDF documents (2%)
The fact that Windows executables are the most common malicious attachment type shows how unprepared most employees are for their first encounter with a phishing scam: the average employee has absolutely no legitimate reason to ever download and open a Windows executable that arrived by email.
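As an added example that is not part of the article, the following Python check sorts a message's attachments into the categories from ESET's list above. It treats any attachment that starts with the `MZ` header as an executable regardless of its file name, and looks inside zip archives so a wrapped executable or script is still reported; the sample message and its attachments are constructed.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extension map mirroring the attachment categories in ESET's list above.
CATEGORIES = {
    "executable": {".exe", ".dll", ".scr", ".com", ".msi"},
    "script": {".js", ".vbs", ".ps1", ".bat", ".cmd", ".wsf", ".hta"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".docm", ".xlsm"},
    "archive": {".zip", ".7z", ".rar", ".iso"},
    "pdf": {".pdf"},
}

def classify(filename, data):
    """Category for one attachment; the MZ magic bytes override the extension,
    so an executable renamed to .pdf is still caught."""
    if data[:2] == b"MZ":
        return "executable"
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return "other"

def scan_message(raw):
    """Return [(name, category)] for every attachment, descending into zips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        cat = classify(name, data)
        findings.append((name, cat))
        if cat == "archive" and zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    findings.append((name + "/" + info.filename,
                                     classify(info.filename, zf.read(info))))
    return findings

def build_sample():
    """Constructed sample: a real PDF, an executable disguised as .pdf, a zip with a script."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application", subtype="octet-stream", filename="scan.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("update.js", "// constructed sample")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    return msg.as_bytes()
```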
Fact #6: Microsoft Is the Most Impersonated Brand Globally
According to Check Point Research's (CPR) analysis, 43% of all brand phishing attempts globally involve email messages that appear to come from Microsoft. Microsoft's popularity among phishers most likely stems from the fact that the majority of businesses use its tools. Other commonly impersonated brands include DHL (18%), LinkedIn (6%), Amazon (5%), Rakuten (4%), IKEA (3%), Google (2%), PayPal (2%), Chase (2%), and Yahoo (1%).
Fact #7: Small Organizations in the Healthcare Industry Are Woefully Unprepared
KnowBe4’s Phishing By Industry Report found that across small organizations (1-249 employees), the healthcare industry holds the top spot when it comes to the likelihood of falling victim to a phishing scam, followed by the education industry, with the not-for-profit industry in third place.
Fact #8: Phishing Attacks Are Becoming More Targeted
Casting a wide net by pretending to be a well-known brand and sending the same phishing message to thousands and thousands of email users works in some cases. But not in all. For instance, an attacker needs a more strategic approach when targeting an executive who communicates only with a small group of employees.
Phishers know this, and email security statistics reveal that spear phishing is becoming increasingly popular among them. According to Europol, 65% of cybercriminal groups now use spear-phishing as the primary vector of infection.
This effective version of phishing targets specific individuals with personalized emails based on information that the scammer gathered from a variety of sources, such as LinkedIn and the rest of the web. To protect themselves against it, executives must proactively educate themselves and their workers, as well as invest in intelligent email protection.
Fact #9: BEC (Business Email Compromise) Causes the Biggest Financial Loss
BEC (Business Email Compromise) is an email scam that involves an attacker using real or impersonated business email accounts to make seemingly legitimate wire transfer requests. This form of spear-phishing caused losses of 1.8 billion in 2020, which is more than any other attack.
Considering that last year saw a dramatic 15% increase in the number of BEC attacks between Q2 and Q3, it’s likely that the financial losses caused by this email scam will be even higher this year. Organizations that don’t prepare for this new reality risk becoming a statistic themselves.
Fact #10: Email Security Is Outpacing the Threats
Considering some of these facts, it might seem that the best step is simply to abandon email altogether. In reality though, the future of email security is bright, and it’s beating back the threats. Businesses need to evolve their security mindset with the times and start taking advantage of email security solutions to strengthen the weakest sections of their defenses.
Instead of attempting to secure a dusty in-house email server, it’s almost always better to move email to the cloud. For example, Microsoft analyzes 400 billion emails for security threats to protect the users of its Outlook.com and Office 365 email services, which are used by over 90% of Fortune 500 companies but are accessible even to small businesses on tight budgets.
The Bottom Line: Email Security Investments Are Well Justified
As long as email is a core business tool, cyberattackers will find ways to exploit it. And since small businesses need to optimize their use of every tool that they have available, they also need to ensure their security can stand up to the mounting risks.
Fortunately, cybersecurity has grown in leaps and bounds, and it continues to evolve every day. Make sure your company can grow as well by protecting its digital safety just as you would protect it against a fire or flood. Contact us today to learn how we can not only install the most cutting-edge monitoring and alert tools, but also train your staff and set up regular testing. We’re happy to talk security anytime.