With the rise in cloud applications for business communication, it’s easy to downplay the role that email plays in our day-to-day lives. The reality, though, is that email is still a functional tool for business and personal communication, and it’s still an attractive avenue for cybercriminals to launch their attacks.
After analyzing email samples and data spanning two years (2021-2022), VIPRE has compiled some notable trends. The 2023 Email Security Trends Report looks at the current risk landscape and what the future may hold.
The Email Threat Landscape
VIPRE processes 1.2 billion emails monthly, protecting organizations in the ever-changing threat landscape. Email remains a prime attack vector due to the ease of reaching targets and the always-on nature of email servers.
Email threats are particularly worrisome for organizations as they rely on the human element. While a business can employ robust security measures to protect its network and perimeter, a simple mistake by a trusting end user can have detrimental results.
In 2022, phishing accounted for nearly one-quarter of spam emails, up from only 11% in 2021. Spam emails also included scams and commercial emails, yet phishing is a rampant threat. A staggering 82% of data breaches in 2022 involved the human element, highlighting the important role end users play in security strategy.
Phishing is among the top five risks for data breaches, with the construction, eCommerce, and financial industries most heavily represented in 2022 attacks. Financial institutions claimed nearly half (48%) of phishing emails, and the construction and eCommerce sectors each took a 17% piece of the pie.
Email risks come in many forms as phishing grows more lucrative – and sophisticated – as an industry. Seemingly harmless spam can contain harmful links and initiatives; unfortunately, some people take the bait. The number may be small – an estimated 2.9% – but it only takes one click to open the doorway into your network and expose valuable data to bad actors.
Unfortunately, cunning criminals know how to hit people in their most innocent or optimistic moments. According to the email threat report, common spam attack vectors include:
Holiday spam, by which criminals capitalize on the momentum of holiday offers to launch their attack. In 2022, more than one-third (36%) of Americans fell victim to a holiday spam attack, either clicking on links for offers that are too tempting to ignore or clicking on a tracking link and populating personal information only to find out too late that it wasn’t a genuine source.
Job spam is a popular approach, particularly as the workforce shifts in a post-pandemic world. Many hiring processes were fully digitized to match, as job seekers sought remote or hybrid roles or reconsidered their current career path. Scammers caught on and developed clever schemes to reach out to these would-be candidates and offer them a perfect job opportunity.
While the report contains an in-depth look at a variety of email risks, some noteworthy risks to consider when building your cyber strategy include the following:
Malicious links remain a risk, while malicious attachments are a rising trend.
Legitimate businesses aren’t the only ones with an increasing preference for -as-a-service models – cybercriminals are also commoditizing this approach, making it easier to launch exploits on subscription models.
Authentication is a key step to security, yet attackers are sidestepping MFA by posing as the MFA vendor.
As QR codes have become common in advertising, restaurants, and more, criminals increasingly use QR codes to deliver malicious links.
Business email compromise (BEC) occurs when a hacker gains control of a corporate email account and uses it to send seemingly legitimate requests to other employees, causing a chain reaction within the organization.
More than half of internet users use the same password across multiple accounts. Cybercriminals send a false account renewal notice, trick a user into supplying their details, and then use that password to access other accounts.
Predictions for 2023
Based on trends and data collected over the last two years, we can make some predictions about the 2023 email threat landscape. There are three key areas organizations and end users should be aware of:
Remote Work Risk
As workforces continue to embrace remote and hybrid models, conversations that may otherwise happen in person are now taking place via email. That means email communication is rising again, and with it, the potential for cyber attacks. Employees working from home tend to be less guarded and are more likely to make a casual mistake – such as clicking a link or opening an attachment – that can lead to disastrous results.
As mentioned above, the -as-a-Service (-aaS) economy has made cybercrime easier and more accessible for would-be criminals. It’s been reported that cybercrime, if measured on a global scale, would be the third largest economy behind the US and China. Troubling for businesses but tempting for criminals, there is a supportive underground -aaS model that makes it easier than ever to join the offense.
As the headlines cover high-profile cyber incidents, it’s easy to forget that SMEs are frequently targeted. Cybersecurity is a common agenda item for large organizations discussing budgets and strategies, and security training and hiring rank as top priorities. Smaller organizations with smaller teams and fewer resources are increasingly viewed as low-hanging fruit for bad actors, and we expect to see more successful attacks as a result.
Email remains a crucial communication tool for modern businesses. As the risk landscape evolves and cybercriminals turn their attention to creative email threats, organizations must do their due diligence to stay one step ahead.
About the Author
Stefanie Shank. Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves. Stefanie is a regular writer at Bora.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.