Phishing Tools Are More Sophisticated Than Ever; How To Think About Email Security In 2023

Caffeine could be like any other cloud-based email Internet service. It has three service pricing tiers – “Basic”, “Professional” and “Enterprise”

Caffeine could be like any other cloud-based email Internet service. It has three service pricing tiers – “Basic”, “Professional” and “Enterprise”, and while it’s relatively expensive ($250/month, $450/month, and $850/month), it has a robust set of features, including a full email and landing page customisation kit, the ability to track campaign activity, and unlimited customer service support.

But Caffeine is not a benign cloud-based email service for people with mailing lists and customers. Caffeine is designed to facilitate phishing scams, and it is concerning because, unlike so many other phishing-as-a-service solutions, this one has virtually no barriers to entry. Almost anyone can set themselves up with Caffeine and immediately start targeting companies and individuals with highly effective, “best practice” campaigns.

Platforms like Caffeine are why 75 per cent of cyber security practitioners believe that email-based attacks as the most dangerous ongoing threat to their organisations. 90 per cent of all cyberattacks begin with a phishing email. The Australian government reported that losses from business compromised email scams rose by 21 per cent in the previous year, to $98 million. Because they can target anyone in the organisation and subsequently give criminals access to the entire environment, prioritising email defence remains a critical job for CIOs into 2023.

Despite the pervasive and growing threat posed by email and phishing, too often the solution posed seems to be, simply, “education.” As the wisdom goes, if you inform your employees about the risks posed by phishing and help them to spot a red flag in a suspicious email, you can prevent your organisation from being impacted by scams.

It’s true that ongoing education is an effective step in combating phishing and other email scams. Much like first aid, the more people in the organisation that go through a mandatory training session once or twice per year, the better poised the organisation will be to quickly flag and limit the impact of phishing attacks.

However, this also shifts the burden and responsibility of the entire organisation’s security to each individual and with that, too, the blame if an attack is successful. It is not a healthy approach to take with security, both for the well-being of employees, and the broader organisation. The prevalence and sophistication of phishing attacks are such that even the savviest can potentially have a lapse in judgement and accidentally fall for one. For that reason, it’s imperative that CIOs create a dedicated email security strategy, and deploy solutions that will assist in protecting the organisation from a successful phishing attack.

Building a secure email environment
Email security requires a multi-faceted approach, which can handle known threats, leverage intelligence to help identify both known and unknown risks, and provide encryption to prevent the hijacking of data.

Effective solutions will commonly include URL protection, which blocks malicious URLs across all devices. Another key feature is attachment protection, which will safeguard against dangerous attachments – including advanced static file analysis, MS Office and PDF safe file conversion. This will be supported by anti-virus solutions that will kick in in the event that a malicious file does get through the protections.

Then there’s impersonation protection, which is designed to assist employees in using their own best judgement to identify emails that impersonate people and brands. Finally, encryption for all outgoing emails is central to many effective email security strategies.

It’s also critical that the organisation looks to move to a zero trust approach to its overall IT security strategy. Credentials are a common vector of attachment with phishing. Rather than try to get someone to download a virus-laden attachment, a cybercriminal will leverage a platform like Caffeine to attempt to get login details and other information from a target, which they can then use to get access to the entire business network.

The most effective protection against this is zero trust security, which requires consistent authentication, and leverages AI smarts to identify and isolate malicious activity. Through zero trust, even if a data-gathering phishing attack is successful, the cybercriminal will be greatly limited in what they can subsequently access.

In short, email security needs to be considered as a core part of a broader and holistic security strategy. CIOs can engage a company like Protectera to architect, deploy and manage such a solution, leveraging tier-1 email security vendors. Combined with rigorous and ongoing education for all employees, as well as perpetual vigilance, organisations will be able to protect themselves against even the worst that can be achieved through Phishing-as-a-Service platforms like Caffeine.