The spies inside your emails

Unprotected emails can leave us open to exploitation on a massive scale, including by government agencies. How can we fight back? Brian Wall reports

It has become commonplace to receive carefully worded emails designed to threaten us or push us into actions that let bad actors act against us and the enterprises we work for. However, according to Mark Forrest, CEO of Cryptshare, this is no longer news, nor is the prevalence of email-borne malware seeking to disrupt our lives. "Phishing, spoofed emails and so on are still there in huge volumes, but the real threat has moved on," he says. "That is not to say there are no victims - commercially-oriented attacks are on the increase and ever more sophisticated, because they are succeeding.

"But what is new is the value of the data that can be farmed from our emails, if they are not protected, and this value is not just to bad actors, but also commercial organisations, who are looking to exploit in-depth profiles about us, and government agencies seeking to influence our behaviour. Sinister? Yes, very." An unencrypted email is in plain text, as are any attached files and metadata, and these reveal huge amounts of information about us, our activities and beliefs, relationships, preferences and issues, he states. "This is the primary tool used to manipulate us; more credible data lowers our defences. Some years ago, it was a common response to this threat to say, 'Who cares?', 'Who is really looking?', 'Surely there is simply too much to be scanned', and, in the past, this may have been true. Today, it is now due to emerging AI technology, cheap storage and faster computers."

Artificial intelligence routinely scans vast amounts of data, bringing structure to it, based on areas of interest to those who have gathered it. "If in doubt, imagine what happens when you search the web with any search engine," Forrest suggests. "Harvesting unencrypted data from email is easy and, with AI tools that are cheap and available, analysis is now simple. But who is doing this? Is it just Facebook looking to sell advertising or bad actors looking to gain access to your pension fund, or political parties looking to influence your vote? Probably all of the above, but it gets worse.

"Your email data and multiple other sources of information about you (Facebook, WhatsApp, Google search and multiple mobile apps) can be combined and then used to bring even more detail about you, for a myriad of reasons. This is a fast-moving threat to us all."

So, what can we do? "First, protect everything you can, always use email encryption, which is now easy and cheap, to reduce the volume of information out there that might be used against you," Forrest advises. "In your enterprise, classify the most sensitive information, so others know to protect it. Create awareness of the risks and policies for data use, including how devices of all kinds are deployed, including turning off the data sources (microphone, geo-spatial data and cameras). GDPR [General Data Protection Regulation] laws have been created with good intent to protect our privacy; but, for a nightmare scenario, look at how AI is being used in Eastern provinces of China! Start now by protecting your email."

Of course, phishing is still one technique that continues to be extremely successful. "This is because phishing attacks rely on manipulating people's trust and, more often than not, appear to be a legitimate email from a trusted contact - for example, the phishing kit '16Shop' was recently found to be posing as both Apple and Amazon," says Ed Macnair, CEO of Censornet. "All it takes is one individual to fall for a phishing email and a whole company can be compromised as a result, meaning that human error continues to be a great threat when it comes to email security."

He points to how phishing attacks are also getting more sophisticated every day. "The crude mass-email with a compromised link or attachment has fallen out of vogue and increasingly we are seeing criminals send extremely specific, customised emails to catch employees out. These attacks focus on individuals who have access to high-value information, often use email addresses very similar to a colleague or family member and contain content that, on the surface, is not suspicious at all.

"These attacks are therefore much harder for traditional email security tools to catch and employees often struggle to keep up with what to look out for," states Ed Macnair. "They might know not to open a generic email from an unknown sender, but they might not look twice at an email that appears to come from their boss, asking for the company card details for an urgent payment."

Across all sectors, ongoing education at all levels is an important component of any strategy to prevent these attacks - caution and vigilance are the most important ways that users can protect themselves. "However, it is impossible to ensure that employees will never slip up," he warns. "That is why it is crucial that businesses have protection software in place, to reduce the chance of phishing emails slipping through the net undetected and presenting an opportunity for employee fallibility."

In order to keep up with the latest threats and protect their employees to the best of their ability, organisations should be deploying algorithmic analysis to identify suspicious emails, in addition to traditional pattern matching, Ed Macnair says. "Historically, email security tools worked using pattern-based approaches, looking at messages for elements that had already been observed in a live spam run or previous spam run. This approach is still valuable, although fairly rudimentary, and it is not enough to catch the new, customised approach hackers are taking.

"As threats have evolved, email security tools have had to as well. Rather than purely looking at email content, algorithmic analysis breaks down the email into its core characteristics and attributes, and assigns each email a weighted score on how suspicious it is. Using this far more sophisticated analysis, alongside pattern analysis, which still has its place, organisations can go a long way to halting incoming attacks." Threat intelligence is also becoming increasingly important in many aspects of email security, he concludes. "Domain-based threat intel will provide a high-risk rating, if the registrant has a criminal track record of registering domains and using them to launch attacks or distribute malware."
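The weighted-score approach Macnair describes, as an added example that is not part of the article or of any vendor's product: the message is broken into characteristics (lookalike sender domain, diverted Reply-To, upstream DMARC failure, pressure language, a request for payment details) and each contributes a weight to a suspicion score. The internal domain, the weights and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the organisation's own domain

# Constructed sample: a lookalike-domain "urgent payment" request like the one the text describes.
SAMPLE_EMAIL = """\
From: "Jane Smith (CEO)" <jane.smith@examp1e-corp.com>
Reply-To: finance-desk@mail-relay.example
To: bob@example-corp.com
Subject: URGENT: company card details needed for payment today
Authentication-Results: mx.example-corp.com; dmarc=fail header.from=examp1e-corp.com

Bob, I need the company card details in the next hour. Keep this between us.
"""

# Each characteristic carries a weight (values are illustrative); the sum is the message's score.
WEIGHTS = {"lookalike_domain": 4, "reply_to_mismatch": 3, "dmarc_fail": 3,
           "urgent_subject": 1, "payment_request": 2}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot sender domains one or two characters off our own."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_email(raw: str) -> tuple[int, list[str]]:
    """Break the message into characteristics; return (weighted score, triggered characteristics)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(errors="replace")
    hits = []
    if 0 < levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:      # near-miss of our own domain
        hits.append("lookalike_domain")
    if reply_domain and reply_domain != from_domain:              # replies diverted elsewhere
        hits.append("reply_to_mismatch")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        hits.append("dmarc_fail")
    if re.search(r"\burgent\b", msg.get("Subject", ""), re.I):  # pressure language
        hits.append("urgent_subject")
    if re.search(r"\b(card|bank) details\b", body, re.I):      # asks for payment details
        hits.append("payment_request")
    return sum(WEIGHTS[h] for h in hits), hits
```

A real deployment would tune the weights against the organisation's own mail and feed the score into a quarantine threshold rather than a hard block.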

Focusing for a moment on spear phishing, attackers research their targets and craft carefully designed messages, often impersonating a trusted colleague, website or business. Spear-phishing emails typically try to steal sensitive information, which is then used to commit fraud, identity theft and other crimes. Mike Flouton, Barracuda Networks, recommends several best practices that any business should consider "to protect against these sophisticated, targeted and costly attacks".

Take advantage of artificial intelligence
"Scammers are adapting email tactics to bypass gateways and spam filters, so it's critical to have a solution in place that detects and protects against spear-phishing attacks, including business email compromise, brand impersonation and sextortion. Deploy purpose-built technology that doesn't solely rely on looking for malicious links or attachments. Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack."

Don't rely solely on traditional security
"Protect against attacks that use 'zero-day' links," says Flouton. "Don't rely on traditional email security that uses blacklists for spear-phishing and brand-impersonation detection. A reputation analysis of URLs doesn't provide protection against some attacks, because zero-day links are often hosted on domains that weren't used in previous malicious attacks or that have been inserted into legitimate websites."

Deploy account-takeover protection
"Many spear-phishing attacks originate from compromised accounts; be sure scammers aren't using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised and that remediates in real time by alerting users and removing malicious emails sent from compromised accounts."

Implement DMARC authentication and reporting
"Domain spoofing is one of the most common techniques used in impersonation attacks. DMARC authentication and enforcement can help stop domain spoofing and brand hijacking, while DMARC reporting and analysis helps organisations accurately set enforcement."

Use multi-factor authentication
"Multi-factor authentication, two-factor authentication and two-step verification provide an additional layer of security above and beyond username and password, such as an authentication code, thumb print or retinal scan."

Train staff to recognise and report attacks
"Educate users about spear-phishing attacks by making it a part of security-awareness training. Ensure staff can recognise these attacks, understand their fraudulent nature and know how to report them."

Conduct proactive investigations
"Conduct regular searches to detect emails with content known to be popular with hackers, including subject lines related to password changes and security alerts."

Maximise data-loss prevention
"Use the right combination of technologies and business policies to ensure emails with confidential, personally identifiable and other sensitive information are blocked and never leave the company."

One sector that is particularly vulnerable to cyber threats is the legal profession. "Companies are increasingly aware of cyber threats, but many in the legal sector are still focusing their defence efforts on their employees, which isn't a good place to start," advises Andy Pearch, head of IA Services, CORVID. "Commonly-heard phrases such as 'users are the weak link in cyber security' are prompting rigid user training programmes, in the hope they will give employees the skills they need to spot a potential cyber attack, saving the firm from the resulting repercussions. With other messages highlighting that more than 70% of cyber attacks start with email, it's easy to see why companies start to believe that user training is the best approach to take - especially when law firms have been scarred by past incidents of email-based diversion fraud, where clients have transferred payments to criminals rather than law firms. That's a situation no law firm wants to be in."

Realistically, companies cannot risk their business reputation and base their security posture on the assumption that employees will never make a mistake; especially employees who are up against the clock, adds Pearch. "Fraudulent emails are sophisticatedly designed to fool users, so how can a company assume that no user will ever act on a fraudulent email that landed in their inbox? Relying on users to spot malicious emails is not a strategic approach. Of course, it's still important for users to be aware of security issues, but they cannot be expected to identify malicious emails without being given sufficient information. This simply sets users up to fail."

On top of this, he points to liability concerns. "While the majority of diversion fraud emails have followed the impersonation model, where a criminal masquerades as the law firm to entice a client to send funds to alternative bank details, firms must also consider business email compromise, where the law firm is compromised and the email actually comes from the firm's own system. In the former case, the client/law firm relationship is strained, to say the least, but the law firm is not liable. For the latter, however, a law firm would be liable and would be likely to incur the associated costs, as well as facing the consequences of reputational damage." Pearch believes email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources. "Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques, removing the burden from users and leaving technology to do its job. Furthermore, technology enables potentially concerning emails - such as those attempting to harvest credentials, mislead users or spread malicious elements - to be automatically flagged, meaning users can make quick, informed and confident decisions as to whether the email should be trusted.

"With such sophisticated technology available and a growing threat landscape that shows no sign of slowing down, there is no need for - and no excuse for - putting the burden on users when it comes to mitigating email compromise. It's time for law firms to make a change and appropriately protect themselves from incoming cyber attacks."

One thing is certain in all of this - email is increasingly at the core of so much we do in our business and personal lives. And that makes it the most desirable of targets. "Email has become the de facto standard for communications in enterprises on a global level," states Mike Ahmadi, CISSP, Global Director - IoT Security Solutions, DigiCert. "This is certainly not news to most, if not all, of whoever may be reading this. In many cases it is easier to exchange information quickly over email than it is using a phone call, as many people, and particularly executives in large enterprises, are simply unreachable by phone in a timely manner. I am sure we have all experienced this.

"As email becomes more critical in daily organisational operations, the need to keep it secure also becomes more critical. Despite all attempts at training individuals and organisations on avoiding opening emails with attachments, or following links to websites that require credentials, or performing actions that would otherwise be considered questionable, we still see an enormous number of security breaches."

Securing email communications, however, is not an impossible task, he points out. "Organisations have had the ability to both digitally sign and encrypt communications, through the use of digital certificates, for years. When the CEO of an organisation, for example, sends out a corporate communication, it is critically important for the message to be authenticated with a digital signature, as well as digitally encrypted. Spoofing a message from the CEO of a company to all employees asking them to visit a link is a very easy way to compromise the enterprise and is likely to be highly successful for the attacker. This becomes very complicated to carry out, if the organisation requires certificate-based authentication."

The latest efforts to improve the security and authenticity of emails involve the use of verified logos and trademarks in email messages, which are authenticated through a standardised process to prevent spoofing. "This is being piloted by large email providers, including Verizon Media and Google, and DigiCert has been selected as one of the certificate authorities providing trusted authentication for the Brand Indicators for Message Identification (BIMI) project, under which the project is taking place," says Ahmadi. "Verification through an easily recognisable and trusted logo will serve to quickly and easily provide email recipients with assurance that the email message came from a trusted source."

Most wise organisations use proper authentication within their email systems today, he adds, but there are an enormous number that do not, and there really is no good excuse for why they are not doing so. "Managing security is an ongoing challenge and those who choose to ignore the tools that are available to make it easier to do so will always be forced to learn their lesson the hard way. Email is a useful tool. Do the right thing and you can trust it."