
Cyber criminals take impersonation attacks to another level

By Admire Moyo, ITWeb's news editor.
Johannesburg, 20 Jun 2017
Impersonation attacks are getting through existing e-mail security defences at an alarming rate, says Mimecast.

There has been a massive increase in impersonation attacks over e-mail.

This is according to e-mail and data security company Mimecast in its E-mail Security Risk Assessment (ESRA), a test which measures the effectiveness of e-mail security systems in use by thousands of organisations globally.

In its second quarterly assessment, Mimecast found both known and unknown attacks, as well as spam, are continuing to get through incumbent e-mail security systems.

Of particular concern are e-mails that contain no malware and instead rely on duping recipients into responding to a request that usually involves sending the attacker money or highly monetisable data, says Mimecast.

In comparison to the data initially reported in the February 2017 ESRA, the number of impersonation attacks detected this quarter rose more than 400% quarter-over-quarter, says Mimecast.

It explains that impersonation attacks consist of social-engineering-heavy e-mails that attempt to impersonate a trusted party such as a C-level executive, employee or business partner.

This simple method of attack is being exploited at an alarming rate as it can be used to dupe recipients into initiating wire transfers and sending back other sensitive data, leading to significant financial loss - as evidenced by widely publicised recent attacks, the e-mail security company explains.

In fact, it says, a public service announcement issued by the Federal Bureau of Investigation stated that between October 2013 and December 2016, business e-mail compromise scams resulted in a total loss of more than $5.3 billion. Between January 2015 and December 2016 alone, there was a 2 370% increase in identified exposed losses.

This latest ESRA reflects findings from inspecting the inbound e-mail received by participating organisations for more than 44 000 users over a cumulative 287 days.

The data reinforces the concerning reality that the industry must work towards a higher standard of e-mail security, as 90% of attacks start with e-mail. In general, organisations everywhere are struggling with prolific ransomware attacks, like Locky, says Mimecast.

"Cyber criminals are constantly adapting their attack methods. For instance, this latest ESRA analysis reflects how impersonation attacks are getting through existing e-mail security defences at an alarming rate," says Ed Jennings, chief operating officer at Mimecast.

"If a CISO [chief information security officer] isn't reviewing an organisation's current e-mail security solution on a 12- to 18-month basis, they may be surprised at what threats are now getting into employees' inboxes.

"At the same time, e-mail security providers need to ensure they're doing their due diligence to protect customers from new attacks, whether they be advanced or simple. The Mimecast ESRA results show a clear need for the security industry to come together in the fight against e-mail-borne threats."

Falling victim

Earlier this month, Reuters reported the bosses of Wall Street banks Goldman Sachs and Citigroup fell victim to an e-mail prankster who also managed to connect with the head of Barclays and the governor of the Bank of England.

While neither Goldman CEO Lloyd Blankfein nor his Citi counterpart Michael Corbat revealed any sensitive information, the exchanges raised questions about the way banks' computer systems handle e-mails to addresses outside their companies.

Due to concerns about hoaxing and security, a small group of the Wall Street elite refuses to say anything substantive in an e-mail, text or chat, and some will not communicate digitally at all, Reuters reported in November.
