Three-quarters of businesses braced for ‘serious’ email attack this year

IT security leaders at three-out-of-four global businesses expect an email-borne attack will have serious consequences for their organization in the coming year, with the increasing sophistication of attacks a top concern, according to the 2023 State of Email Security (SOES) report.

Businesses’ use of email is increasing, with 82% of companies reporting a higher volume of email in 2022 compared with 2021 and 2020, the 2023 SOES report found. More email has led to more email-based threats, and 74% of respondents said these have risen over the past 12 months. While the increasing number of threats is a problem, it’s the growing sophistication of email attacks that poses the greatest danger, according to the report. “Cybercriminals continue to refine and adapt their strategies, and malware kits on the dark web make it possible even for common criminals without technology smarts to employ highly sophisticated methods of incursion,” it read. The increasingly sophisticated nature of attacks is the biggest challenge for 59% of respondents, with 76% predicting that an email-borne attack will have serious consequences for their organization in the coming year. Of these, 7% believe that such an attack is “inevitable,” while another three out of 10 consider it “extremely likely.”

Security vendor Mimecast commissioned research firm Vanson Bourne to survey 1,700 IT and cybersecurity professionals for the SOES report, the largest sampling since the first such study in 2016. Respondents were drawn from 13 countries including the US, Canada, UK, France, Germany, Singapore, and Australia with CISOs, CIOs, IT security directors, and SOC managers among those surveyed.

Hybrid working and AI advances are making things worse

Email-driven attacks have been expanding in volume and velocity since the adoption of hybrid working, and recent advancements in AI technology have exacerbated the issue, Kiri Addison, senior manager for product development at Mimecast, tells CSO. “Threat actors have enhanced their ability to steal data through the proliferation of social engineering attacks, shifting their focus from targeting the larger enterprise network itself to capitalizing on the vulnerable behaviors of the individual employee.” With the evolution of AI and Large Language Models (LLMs) like ChatGPT, human-centric attacks will increase in sophistication as they work to eliminate well-known signs of an email-attack, like spelling or grammatical errors, Addison adds. “In addition to attacks that harvest sensitive data from the organization via individual employees, brand impersonation attacks can put the organization at another level of risk. Though the attacks may not compromise sensitive customer data or have tangible monetary losses at first, brand impersonation attacks put the entire brand identity at risk.”

Phishing, ransomware, spoofing most prevalent email threats

Phishing, ransomware, and spoofing are the most prevalent email-borne threats respondents and their businesses face, the report found. A significant 84% of security decision-makers said they have seen increases in at least one of these attacks over the past 12 months, with phishing the most widespread. The majority (59%) of respondents said they experienced more phishing attacks than in prior years, something more prevalent among large enterprises with more than 10,000 employees (71%). Among all respondents, 80% said they had suffered at least one phishing attack where the threat had spread from one infected user to another.

Meanwhile, two-thirds of respondents (66%) admitted falling victim to ransomware in the last year, with smaller businesses affected most severely. Companies in certain industries also fell victim to ransomware more frequently, with more than 80% of organizations in the consumer services, energy, healthcare, and media and entertainment sectors “seriously damaged” by a ransomware attack, according to the report.

As for email spoofing, 91% of respondents were aware of attempts to misappropriate their email domain, and close to half (44%) saw an increase in this type of activity in 2022, most pronounced among government agencies and other public institutions (54%). Less than a third (29%) of those polled feel their business is fully prepared to cope with illegitimate uses of their email domains, and whilst 88% of companies plan to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to thwart email spoofing in the next 12 months, just 27% have actually deployed it.

How to defend against evolving email threats

With hybrid working structures here to stay, organizations must take proactive steps that better position them to combat evolving email attack tactics and techniques, Addison says. “Organizations need to adopt reliable email and collaboration security tools that enable real-time protection and response capabilities for business communication channels. A critical component of this is ensuring those products also protect third-party integrations for optimal threat intelligence sharing.” Advancements in AI can be a benefit for threat actors and organizations alike, and by adopting and integrating AI-enabled tools, security teams can work in tandem with technology to simplify complexities and maximize protections for email and collaboration tools, she adds.