Additionally, a Data Breach Investigations Report from Verizon showed that web applications and email are the top two vectors for breaches. Because they’re often internet-facing, web apps and email can provide a useful avenue for attackers to try and slip through an organization’s perimeter – and their tricks are only growing more sophisticated.

So what can security teams and end users do to combat these increasingly sophisticated email threats? Here are a few tips on how to keep email attacks from getting through.

Watch out for evolving phishing attempts

Many successful email compromises can be attributed to phishing attacks becoming more advanced. Historically, BEC would entail a bad actor stealing a user’s alias and password – maybe by sending them a fake Office or Google login form to fill out – and hoping they don’t encounter multifactor authentication (MFA), which could remediate the attack.

However, the last few years have seen new approaches, like an increase in the use of social engineering to secure MFA tokens, where bad actors trick users into providing their one-time MFA passcode. The attacker may try push bombing, where they spam the end user with notifications to authenticate until the user finally accepts it out of fatigue. Or they may use newer malicious proxies and tools that adopt the traditional phishing approach of stealing a username and password by sending a fraudulent link for the user to click. But these proxies can bypass MFA by completing the entire authentication transaction and securing an authenticated session.

Unfortunately, all these new approaches and commoditized tools mean BEC continues to be a lucrative attack vector for malicious actors. With defense often one step behind, end users must stay vigilant. Whenever something looks suspicious, rely on other communication channels to confirm a message’s legitimacy before carrying out an action that could be damaging to you or your organization.

Adopt a layered security approach

There is no magic bullet to cybersecurity; you can’t rely on a single control, policy, or training session for end users. Therefore, a layered approach with various tools, procedures, and training is necessary to be effective. Should one layer fail, another will be there to pick up the slack.

Security teams must identify the technical controls they can implement to minimize the impact of phishing in the instance that an attack gets through. A DNS firewall prevents network users and systems from connecting to known malicious internet locations and can effectively neutralize links to a bad destination. To combat malware, proactive anti-malware tools can monitor unusual behavior (instead of using signature-based detection) to identify malicious software and keep it from infecting computers and other devices.

Make sure to employ tools that can quickly identify and respond to attacks that slip through the cracks. Strong endpoint detection and response (EDR) tools can enhance visibility within your network to detect malicious activity and act on it before the incident grows. Finally, leverage MFA, as it remains the single best measure a security team can implement to protect against authentication attacks. Reinforce MFA with social engineering training for end users so that this line of defense remains strong.

Build a security-first culture

Most security professionals understand that no defense is perfect, especially with human behavior involved. They recognize the need for security awareness training since a successful attack is often the result of human error. The importance of training only grows as the methods for deceiving end users continue to evolve.

Security teams must continuously train users to be hyper-aware of business email compromise. Put a heavy emphasis on email phishing, spear phishing and social engineering. Since many attacks can come from vectors beyond email – via text message, over WhatsApp or other messaging applications, or voice calls via deepfake software – it’s important that users understand the entire range of threats.

Building a culture that promotes security awareness and in which users are comfortable coming to the IT team to flag an issue or suspicious activity is key. If a user is the victim of a phishing attempt, empower them to quickly notify IT so the threat can be addressed swiftly. Shaming them will only have negative consequences. You don’t want a user to hide a mistake they made, resulting in further risk of damage to the organization. Create a culture where users feel they are part of the security team and on the lookout for phishing attempts and malicious activity. More watchful eyes will create strength in numbers.

A skeptical mindset is a necessary tool in the current threat landscape. A bad actor will often compromise the account of a familiar party like a co-worker, partner, or vendor and use that in a phishing attempt. Remember: A message that appears to be from a trusted source isn’t always a trusted message. Take an extra second to double-check suspicious requests and cover your bases. Staying alert is the best protection you can have.

When it comes to email or other messaging-based cybersecurity threats, the reality is you will never get the click rate down to zero. But your security team should focus on getting your click rate as low as possible so your technical controls can pick up the slack wherever it’s needed.

______________________________________________________________________________________________________________________________________

Trevor Collins, is a Network Security Engineer at WatchGuard Technologies.

The post Email Attacks are Evading Security Protections. Here’s How Security Teams Should Respond. appeared first on My TechDecisions.

The feature, which is starting to roll out now to all Exchange Online tenants worldwide now through mid-March, is essentially an improvement of the classic recall feature in Outlook for Windows that gives senders the ability to recall messages.

However, that classic message recall feature was limited, allowing user to “at least partially recall an email” with an average success rate of only about 50%, according to an Exchange Team blog.

“So, for most message recall requests, it’s been a best-effort or better-than-nothing action, rather than a full sigh-of-relief experience,” the Exchange Team writes.

Based on its use by Microsoft employees over the last several months, the new message recall feature is more than twice as effective, according to Microsoft.

In addition to improved performance, Microsoft has also improved usability by creating an aggregate recall status report for each recalled message to replace the potentially hundreds or thousands of individual recall status email notifications, according to the blog.

In addition to being more effective at successfully recalling messages, recipients no longer must have Outlook for Window open for recalls taken from their mailboxes to be processed. Instead, the recall happens with the cloud mailbox, not on the client. This allows recipients to use any email client that syncs with Exchange Online mailbox, and the client doesn’t have to be open for the recall to process, the company says.

The new recall feature can also recall “read” messages and messages from any folder or sub-folder within the mailbox, not just the inbox. However, admins can disable the ability to recall read messages. Eventually, admins will be able to completely disable the message recall feature, according to the blog.

Senders still need to use Outlook for Windows to trigger a message recall, the company adds.

Like the old recall feature, there is no time limit, but Microsoft may add the ability for admins to customize a time limit for their organizations.

“The new Message Recall won’t stop you from accidentally sending ‘Oops’ email messages, but with its high success rate and ease of tracking with the new recall status report, it should help bring you a lot more peace of mind for when you do,” The Exchange Team writes.

The post Microsoft Rolls Out New Message Recall Feature for Exchange Online appeared first on My TechDecisions.

According to Google, Workspace Enterprise Plus, Education Plus and Education Standard customers are eligible to apply for the client-side encryption beta until Jan. 20, 2023.

The enhanced security feature is designed to protect sensitive data in the email body and attachments, making them indecipherable to Google servers. Customers will retain control over encryption keys and the identity service to access the keys, Google says.

While the company already uses the “latest cryptographic standards” to encrypt all data at rest and in transit between facilities, client-side encryption in Gmail can help strengthen the confidentiality of data and address data sovereignty and compliance needs, Google says in a Workspace updates blog.

In a support document, Google says content encryption is handled in the client’s browser before any data is transmitted or stored in Google’s cloud-based storage, preventing Google servers from accessing encryption keys. Admins can then choose which Gmail users can create client-side encrypted content and share it internally or externally.

Client-side encryption is already available for Google Drive, Google Dogs, Sheets, Slides, Google Meet and Google Calendar (beta).

Eligible Workspace customers can apply for the beta after completing several steps, but the feature will be off by default. It can be enabled at the domain, OU and Group levels, according to Google.

When enabled, end users can add client-side encryption to any Gmail message by clicking the lock icon and selecting additional encryption and creating the email as normal.

In a support document, Google says client-side encryption will be available for other Google services in a later release.

The post Google Rolls Out Client-Side Encryption Beta for Gmail on the Web appeared first on My TechDecisions.

Instead of being used to directly steal money, these new campaigns are designed to spoof emails and domains to impersonate employees of legitimate companies to order food products. The victim company fulfills the order and ships the goods, but the criminals never pay, according to a joint advisory from the FBI, Food and Drug Administration and Department of Agriculture.

Criminals may repackage the stolen products for individual sale and skirt food safety regulations and practices according to the advisory.

The agencies list several recent examples of this kind of activity, including one U.S. sugar supplier that received a request through their web portal for a full truckload of sugar to be purchased on credit. The request contained grammatical errors and came from a senior officer of a non-food company in the U.S. The sugar supplier independently contacted the company to verify that the request was fraudulent.

In that case and others listed, domain names were slightly misspelled or contained an extra letter in an attempt to trick the victim companies.

According to the advisory, these are the tactics, techniques and procedures (TTPs) that food and agriculture organizations should be looking out for:

• Creating email accounts and websites that closely mimic those of a legitimate company. The accounts and web addresses may include extra letters or words, substitute characters (such as the number “1” for a lower case “l”), or use a different top level domain (such as .org instead of .gov).
• Gaining access to a legitimate company’s email system to send fraudulent emails. Spear phishing is one of the most prevalent techniques used for initial access to IT networks; personnel may open malicious attachments or links contained in emails from threat actors to execute malicious payloads that allow access to the network.
• Adding legitimacy to the scam by using the names of actual officers or employees of a legitimate business to communicate with the victim company.
• Copying company logos to lend authenticity to their fraudulent emails and documents.
• Deceiving the victim company into extending credit by falsifying a credit application. The scammer provides the actual information of a legitimate company so the credit check results in an approval of the application. The victim company ships the product but never receives payment.

Read the advisory for more information on these incidents and preventing business email compromise.

The post U.S. Agencies Warn Food Industry About Business Email Compromise Campaigns appeared first on My TechDecisions.

The report sheds new light on how email has remained the “lifeblood” of any organization’s communication tools despite the proliferation of messaging and videoconferencing platforms such as Zoom, Microsoft Teams, Google Meet, Slack and others. The pandemic accelerated the use of those platforms, but the number of emails sent and received per day is still rising steadily, jumping from 306.4 billion in 2020 to nearly 320 billion in 2021 and an estimated 333.2 billion this year.

According to Tessian’s “State of Email Security Report,” 94% of organizations experienced a spear phishing or impersonation attack, and 92% suffered ransomware attacks over email this year. Impersonation attacks were the most common and rank as the top email threat that security leaders are concerned about.

On average, security leaders reported 148 impersonation attacks in 2022, followed by 141 spear phishing attacks and 138 email-based ransomware attacks, the report says. Over a third (37%) of IT and security leaders said the most prevalent impersonation was threat actors posing as employees, followed by vendors (32%) and executives (31%).

The report also dives into ransomware delivered via email, finding that 92% of global organization shave seen at least one email-based ransomware attack in 2022, and 10% say they have received over 450 such attacks this year.

In addition, almost three-quarters (72%) of security leaders experienced account compromise or takeover in 2022, the report found, which suggests that organizations are still not taking email and credential compromise seriously.

“We all rely on email at work and at home, and as the gateway to valuable data and access, email accounts are always a valuable target to adversaries, especially those seeking to compromise business,” says Josh Yavor, chief information security officer at Tessian. “We can also expect threats to continue to expand into other communication platforms like instant messaging tools, personal email or social media accounts as attackers seek to evade detection.”

Yavor also calls on organizations to deliver proactive security training that addresses common types of email threats, tailored to roles and departments.

“Company cultures also play a significant role in protecting employees,” Yavor adds. “Security leaders should emphasize a culture that builds trust and confidence, which will ultimately improve security behaviors.”

The post Email Compromise Attacks Wreaking Havoc, Report Finds appeared first on My TechDecisions.

According to email security firm Tessian, researchers are seeing Ukrainian-themed phishing emails skyrocket, with new domains containing “Ukraine” up more than 200% from last year, with an average of 315 new domains with the besieged country’s name in it registered each day since Feb. 24. The vast majority of those are deemed to be suspicious based on early indicators, the company says.

In a report, Tessian shows that the number of Ukraine-related domains started picking up in February with about 2,500, but then exploded as the Russian invasion of its neighbor matured into March, when there were more than 6,000 such domains registered.

Further analysis of phishing emails flagged by the company shows an upward trend beginning in late February, declining a bit after the first week in March, and then again in early-to-mid March as the Ukraine crisis unfolded.

Much of the exploitation of the crisis is by fraudsters seeking donations purportedly for humanitarian aid causes, such as the Red Cross, UNICEF, Actalliance and the Australian Council for International Affairs. Emails contain logos, messaging and branding associated with those organizations to trick users into believing the emails are legitimate.

The threat actors in these cases are largely requested donations be made in Bitcoin. Some emails even contain QR codes designed to make it easier to send donations that open locally installed payment apps that support Bitcoin.

Other scams are sent from newly registered domains impersonating legitimate organizations, such as the Red Cross in Ukraine. Emails contain links to convincing websites, some of which have links to addresses for cryptocurrency wallets for Bitcoin, Ethereum and Tether.

Tessian also details spam campaigns that send links to fraudulent e-commerce sites that push the sale of t-shirts and other items with slogans in support of Ukraine.

If you run across these domains, steer clear of them, Tessian says:

• redcrossukraine[.]org
• mimoprint[.]info
• mabil-store[.]com

Tessian advises users to be cautious of any emails claiming to solicit donations to support humanitarian efforts in Ukraine. Some charities do accept donations made in Bitcoin and other cryptocurrencies, so be extra vigilant when those come to the inbox, the company says.

The post Ukraine-related Phishing Emails Up More than 200% appeared first on My TechDecisions.

DMARC is built from to important security protocols known as the Sender Policy Framework (SPF) DomainKeys Identified Mail (DKIM). They both detect fake sender addresses to protect the recipient from phishing and scams, cryptographically verifying a sender’s email and marking suspicious messages as spam or rejecting them completely if it can’t be properly validated.

Agari, which has a commercial stake in the email security space, confirmed that neither Bernie Sanders, Joe Biden, or Donald Trump among most other presidential hopefuls do not use DMARC on their campaign domains. The company warns that the candidates’ campaigns are at risk of being impersonated by spam campaigns and phishing attacks.

This is all despite the fact that more than 80 percent of the government was using the security feature by last October, which was the Department of Homeland Security’s deadline. Thanks to pressure from Congress, the U.S. government has actually made increasing efforts over the past few years to roll DMARC out across federal domains, which Sen. Ron Wyden (D-OR) once called “a no-brainer that increases cybersecurity without sacrificing liberty.”

There has also been a slight uptake in DMARC use within the private sector. 16% of Fortune 500 companies are using it, doubling 2017’s 8% figure.

“DMARC is more important than ever because if it had been implemented with the correct policy on the domain used to spearphish John Podesta, then he would have never received the targeted email attack from Russian operatives,” said Agari’s Armen Najarian.

The post Warren the Lone Presidential Candidate Using Basic Email Security appeared first on My TechDecisions.

Considering Gmail has over one billion users, 100 million isn’t that consequential to an individual user. It adds up to only be one extra blocked spam email per 10 users on the Google platform, which will likely go unnoticed by almost all Gmailers. The advance, however, does have exciting implications for the future of Google’s AI capabilities.

“At the scale we’re operating at, an additional 100 million is not easy to come by,” Neil Kumaran, product manager of Counter Abuse Technology at Google, tells The Verge. “Getting the last bit of incremental spam is increasingly hard, [but] TensorFlow has been great for closing that gap.

As a free AI that allows developers to apply it to a variety of tasks, TensorFlow is known for its flexibility, capacity to scale, and compatibility with other Google programs. Such comprehensive technology has significantly boosted Google’s place in the AI market by encouraging users to buy computing power, off-the-shelf vision, and speech algorithms from Google.

TensorFlow’s flexibility also makes spam filters more customizable so that users can rely on AI to keep out spam but can also have a say in what exactly spam is to them. “There’s no one definition of spam out there,” Kumaran continued, highlighting the importance of user involvement in spam filtering to help the program in “turning those signals into better results.”

The post Gmail AI Blocks 100 Million More Spam Emails Daily appeared first on My TechDecisions.

The issue is increasingly scandalous due to its resemblance to former Secretary of State Hillary Clinton’s personal emails, which were a major talking point throughout Donald Trump’s campaign during the 2016 presidential election in which he dubbed her “Crooked Hillary.”

Trump reportedly claimed not to be familiar with many of the details regarding relevant rules, and the White House referred requests for comment to her attorney and ethics counsel, Abbe Lowell. Peter Mirijanian, a spokesman for Lowell, admitted to Trump using a personal email before being briefed on security policies, qualifying that none of her emails contained classified information.

In an effort to differentiate Trump from Clinton, Mirjanian qualified: “Ms. Trump did not create a private server in her house or office, no classified information was ever included, the account was never transferred at Trump Organization, and no emails were ever deleted,” Mirijanian said. Clinton had relied on private email system as secretary of state, bypassing government servers entirely.

“There’s the obvious hypocrisy that her father ran on the misuse of personal email as a central tenet of his campaign,” said Austin Evers, executive director of the liberal watchdog group American Oversight. “There is no reasonable suggestion that she didn’t know better. Clearly everyone joining the Trump administration should have been on high alert about personal email use.”

Fewer than 100 emails reportedly contained classified information, many of which were replies to other emails that came from other personal accounts. Ms. Trump pleads ignorance as Clinton did, but “Lock Her Up” chants still echo at Trump rallies.

The post Ivanka Trump Used Personal Email in Government Matters appeared first on My TechDecisions.

BBC News says that people “on the way to work were catching up with emails sent ahead of the coming day – while those on the return journey were finishing off work not completed during regular working hours.”

Employees who were busy parents said they took advantage of this time to finish up work so that their evenings were freed up later. This time was also used to “transition” from their role at work to their role as a parent. Similarly, others used their time on the train to decompress from the day. “The majority of the time it’s an option for me to, you know, clear the decks for the day, relax and put work behind me more than anything else,” said a passenger in the study.

Takeaways for decision makers – clear the blurred lines:

While this commute time, which is often called “dead time,” proved productive to some, the study showed it might be doing more harm than good. Specifically, the study demonstrated that people were putting in extra working hours when checking email on the go, BBC News says. As a result, this clouded the clarity between work and life, an item that is already blurry in today’s working culture.

Further, Julia Jain, a researcher involved in the study, said that if travel time eventually counted as working time, then employers might “want more surveillance and accountability for how commuters were spending that time before arriving at their desks.” This could put a dent in employees’ moral, and might leave “the door to stress and lower productivity.”

As a result, decision makers might want to consider this study before implementing a work culture shift. Take a step back and evaluate the current company culture, and how employees are using their time. Jamie Kerr, from the Institute of Directors, suggests through BBC News that decision makers make the culture and line between work life and home life crystal clear: “defining where leisure begins and work ends will be vital for both employers and individuals, as well as a complex task for regulators,” he says.

The post More People Are Using Commute Time to Check Emails – But It Might Not Be A Good Thing appeared first on My TechDecisions.