It has been 20 years since sender identity fraud shifted to the world of email and became known as phishing. In the early days, email threats were largely content-centric and usually included a malicious link or attachment to trick a user into a trap. But particularly in the past five years, phishing has matured: 89% of all attacks now utilize impersonation to initiate social engineering attacks.
If you’ve ever received a fake email from your “CEO” asking you to rush out and purchase a myriad of gift cards, or if an email tricked you into thinking your CFO needed your full bank account number via email, you were the target of a social engineering attack.
In fact, the vast majority (90%) of today’s phishing emails don’t contain malware — malicious files or attachments — that might set off content-scanning alarms. These emails easily bypass most current email defenses due to their lack of identifiable malicious content. Instead, they aim at creating a relationship of trust with you, the recipient. Once established, that relationship can be exploited by the attacker to get you to do something against your interests, like wiring $37 million to the wrong bank account.
The threat continues
Unfortunately, the problem of email threats remains prevalent and, given the lack of identifiable malicious code, even more difficult to solve. Since the beginning of COVID-19, email security providers (ESPs) reported a surge in pandemic-themed phishing attacks. These scams took advantage of people adjusting to working from home, in environments where they’re easily distracted, with less-secure computer hardware and networks.
Work-from-home tie-in or not, phishers continue to readily deploy attacks, with the average phishing campaign lasting a mere 12 minutes. Google has stated that it blocks over 100 million phishing emails per day, and that 68% of them are new, never-before-seen scams. This comes from criminals leveraging automated phishing to avoid detection through incremental changes from one scam to the next.
Given the changing landscape, an updated classification of phishing attacks is in order:
Types of identity-based email attacks
Identity-based email attacks fall into one of three types. Each exploits a specific vulnerability in content-centric email defenses.
- An exact-domain attack, also known as domain spoofing, is an email directly impersonating a trusted sender by using their domain in a message’s “From” field. Example: “<Your boss>@<yourcompany>.com”.
- Domain impersonation attacks, also known as untrusted-domain attacks, are emails that originate from slightly modified “lookalike” or “cousin” domains. Example: “<Your boss>@fedexx.com”.
- Open-signup attacks, also known as user impersonation or friendly-from emails, show a legitimate sender name in the “friendly from” field — the part that ordinarily displays your full name. However, these emails come from an account created on a free consumer online email service like Yahoo or Gmail. Example: “Your friend’s name <firstname.lastname@example.org>”.
Why pattern matching doesn’t work on modern attacks
The majority of anti-phishing solutions on the market today are dependent on recognizing and responding to specific patterns. They scan emails for suspicious content like links, attachments, phrases, or keywords, and apply machine learning to identify the bad actors.
Unfortunately, while these solutions do a respectable job on email content, they cannot provide actionable, reliable information in regard to sender identity. This is especially true when the phishing email comes from a domain spoofing attack and uses a well-crafted message that is virtually indistinguishable, in form and content, from a legitimate message. In this case, the content looks legitimate — the sender looks legitimate — and the anti-phishing system is fooled into thinking it’s a legitimate message. Even rough facsimiles can cause major disruptions, such at the recent Iranian spoofing attack directed at Democratic US voters.
In addition, phishers have automated attacks, using machines to constantly modify their messages slightly to try and stay ahead of the filters. This game where the criminal makes incremental changes, then the email filtering algorithm responds with an incremental change, is a never-ending and expensive process to defend against. Attacks are easier than ever to deploy due to the cost to do so plunging, machine speeds accelerating and the ability to rent automated bots. There is no end to this back-and-forth, as there are infinite combinations of misspellings, phrasing, and deception. Worse yet, the attacker only has to “win” once while the defender needs to be right every time - a highly asymmetrical scenario. In the meantime, businesses continue to be tricked by illegitimate emails and with every news cycle, criminals become further incentivized to continue with this kind of deception.
To address some of this asymmetry, a different approach is needed. It is far easier to define and then enforce legitimate communication behavior rather than evolve, predict, and grow a list of all the patterns that would describe all possible bad behavior. In other words, it’s easier to define a finite set of good behaviors than an infinite set of bad behaviors.
Understanding the legitimacy of behavior in communication applications starts with identity and attribution, and there is no better way to ascertain the identity of a communication participant than to enforce authentication when communication begins.
Enter: A zero-trust approach
Content-centric solutions that evaluate each message based on how likely it is to be bad create a gap through which identity-based email attacks can slip. A zero-trust email security model is vital to closing that gap.
Zero-trust may also be characterized as zero-assumption. You should assume nothing and authenticate everything, in order to eliminate the areas of policy ambiguity where criminals sneak through. This principle underlies most digital interactions, such as payments, logging into websites, authenticating employees, etc. Yet in email, for historical reasons, the basic overriding approach is “allow everything through, stop the bad stuff”.
Instead, a zero-trust approach redefines email security: no email is trusted until it proves it deserves to land in an inbox. Such a model doesn’t allow messages to arrive in the inbox unless they originate from an authenticated sender who has been granted explicit permission to deliver messages to that specific inbox.
A zero-trust solution puts the focus on identifying trusted senders. This enables the inbox to automatically flag, block or send-to-spam everything not on the trusted sender list. Users don’t need to stress about regularly finding, analyzing or evaluating the infinite array of possible bad senders previously entering their inboxes.
To put this into perspective, think of a traditional login system. It positively identifies known and trusted users and doesn’t make you worry about analyzing the countless possible bad logins to determine the likelihood that each one is suspicious. On a similar note, a zero-trust email security system positively identifies known and trusted senders while removing the worry of looking for bad senders. Thanks to open standards and support across the email vendor landscape, a zero-trust approach is now not only realistic, but considered a fundamental part of effective email security.
In short: If you only permit communication from a list of known-good senders, you don’t need to spend time looking for all the bad ones.
The perfect email solution doesn’t exist
Perfect is a little too subjective, but true security is not. When evaluating any one solution or company to entrust your organization’s email security with, ask the following:
- Which open standards does the solution align with? DMARC, DKIM, SPF and BIMI? These are well-accepted authentication standards that are helping push email to a fundamentally zero-trust philosophy, also known among email insiders as “no auth, no entry.” While these standards are not mandatory now, they are best practices and may be required someday.
- What level of control will you have? If you need to approve certain senders typically marked as bad, will your solution let you? Or will they be entirely too lenient and not keep you from making a bad decision?
- How often are they validating your emails? Instantaneously? Or once a day, during which time similar bad actors can slide into an inbox?
- How much time will you have to spend managing the solution? It is important to have a simple, straightforward interface that lets you do what you need to do, and then move on to other tasks. Unnecessary complexity is the enemy. Count the steps required to perform common administrative actions, and look for solutions that allow you to make the most informed decision, while requiring the fewest clicks.
We must evolve to stop email fraud
Businesses and organizations must protect their email security in order not to fall victim to a phishing attack. The cost of phishing is already too high and only getting worse. We must adopt a new zero-trust first framework - the current approaches are simply not keeping pace with the attacks. The most reliable foundation for email security is a zero-trust first approach: Make senders prove they deserve to enter your inbox before they actually do. Then, add a filtering solution on top of that solid zero-trust foundation in order to catch anything that slips through, such as messages sent from compromised accounts.
In other words, authenticate, then filter. Only with this zero-trust approach to email security can we create a world where email can be truly trusted.