In 2023, email remains the most vulnerable threat vector for gaining access to corporate networks. It’s no wonder Tessian Research calls email “every company’s riskiest channel” in its most recent report, which found that nearly one in five advanced email attacks is successful. Over 90% of organisations have had to deal with a data breach caused by an end-user email error, and despite having a cloud security solution is place, six in 10 businesses have experienced threats that have bypassed those defences. So, what does it take for a business today to keep the keys to the kingdom safe, especially when you take into account that there’s been a major shift from on-premises to cloud email security providers?
Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa, says AI- and ML-empowered next-generation capabilities can augment security teams by providing constant analysis and faster and more accurate threat detection. “As most security teams are overstretched and understaffed, it makes sense to use as much automation as possible to support the initial response and analysis phase.” Jolene Castelyn, a marketing executive at Ricoh Southern Africa, says that even though AI-driven threat detection is becoming more sophisticated, identifying patterns and anomalies to combat evolving threats, balancing human error with next-gen tech involves creating a synergy between the two. “While AI can provide swift and accurate threat detection, human oversight is crucial to interpret complex threats, refine AI algorithms, and address nuanced attacks that AI might miss,” she says. “Regular training and communication help users make informed decisions and minimise errors. Human analysts should always review and verify AI-generated alerts to prevent false positives or negatives, while implementing solutions that learn from user behaviour to adapt and improve accuracy over time.”
Looking at Mimecast’s ‘State of Email Security’ report for 2023, it becomes obvious that employee awareness and email security are inextricably linked; poor password hygiene remains the most common mistake contributing to cyber incidents, with the misuse of personal e-mail ranked second.
According to the report: “At every company, regardless of size, a basic understanding of the risks and most common types of attacks needs to become common knowledge. Employees at all levels must recognise that cybersecurity isn’t just an IT issue, but something that affects them personally and for which they are directly responsible.”
Common mistakes by employees contributing to cyber incidents worldwide, as of November 2022
WHOSE EMAIL IS IT ANYWAY?
While it’s easy to dismiss inbox scams from Nigerian princes or foreign lottery winnings, an email from someone in corporate – especially when it comes from the correct address – can be harder to detect. Trend Micro has a solution to prevent business email compromise (BEC) attacks called Writing Style DNA, which analyses different elements within an email. “We know that 94% of any threats will still be originated from an email perspective. Whether it’s coming in via a malicious link or attachment, email is still a good entry point for a lot of bad actors,” says Zaheer Ebrahim, a solutions architect at Trend Micro. “One of the main concerns we’ve seen from a lot of our customers is happening with C-level executives or those in supply chain management – anyone, really, who has the power to make payments in an organisation.”
Writing Style DNA is one of Trend Micro’s AI components and, according to Ebrahim, it works in a similar way to biometrics, in that people have a unique style of writing, especially when it comes to email. “We all have our own way of doing email. I would end an email with the word, ‘thanks’, you would end it with, ‘kind regards’; I use punctuation marks at different points…what we do with Writing Style DNA is benchmark how someone types or sends an email – it’s a continuous learning pattern,” explains Ebrahim. “So in the future, if someone decides to spoof your email address, we will compare the spoofed email to how you usually send a mail and try to match them up. If no match occurs, it will pick up that this is a spoofing email.”
Machine learning and business email compromise detection are used together to pick up fake emails from highprofile users.Zaheer Ebrahim, Trend Micro
From sentence to word length, repeated words, punctuation, paragraph length, pronoun and adjective usage, the AI solution combines the different data types found in an email to better understand what Trend Micro refers to as “high-profile users”. “It’s an automated system, so there’s no real heavy lifting that has to be done by the end user,” Ebrahim says. “You just put in the user’s email address and then the AI engine will start training itself.” He adds that an AI solution like this is vital for an organisation to use to defend from someone trying to mimic staff. In a similar way someone can use ChatGPT to write something and there are AI engines to tell you whether or not this has been written by AI, the AI solution can determine how an email came into the environment based on its content, analysing 7 000 writing styles in less than a quarter of a second.
“Machine learning and business email compromise detection are used together to pick up fake emails from high-profile users,” adds Ebrahim.
TOP TARGETED HIGH PROFILE USERS
It may sound odd to get a phishing email from the C-suite, but research from Trend Micro has shown that someone with the title of CEO or director is most likely to be impersonated; one scenario where this is increasingly common is mergers and acquisitions.
“When an acquisition happens between two companies, there is so much chaos that happens in-between – change of banking details, change of CFOs, etc. A bad actor will target company A saying that they’re from company B using display name spoofing, and that money needs to be paid into a certain bank account and they spoof the domain of company B,” says Ebrahim. “Not knowing if company B’s email is legitimate because it is a new acquisition is where Writing Style DNA can work, to protect both companies. Using Writing Style DNA, we’ve been able to pick up a phishing attempt that came into the organisation in this situation.”
THE FOUR MAIN CULPRITS
From phishing to spoofing, email-borne threats are legion. Phishing is the most widespread and, according to Kaspersky experts, there are four key social engineering email scam themes and tactics prevalent in the Middle East, Türkiye, and Africa region (META).
1. Undelivered parcels
Exploiting human curiosity, many people have received emails and SMSes from postal and courier services providing links to confirm payment or to unsubscribe. Clicking on these links redirects individuals to a fake page that steals sensitive information.
2. Know Your Customer (KYC)
Cybercriminals have been posing as prominent banks requesting people to complete KYC verification to comply with financial regulations or avoid suspension of transactions. The objective is to exploit human fear by highlighting words such as “urgent” in the email to manipulate victims. The format and design of the email, and the KYC link, look authentic to visually trick people.
3. Unusual email account log-in activity
These fake alerts flag false sign-in/ log-in activity into an individual’s email account and provide a link to report the user. The email includes sign-in details such as country, IP address, date and browser, which make the alert appear legitimate and cause worry. Coupled with the international travel season, this scam theme can increase the cybercriminal success rate.
4. Free money
These fraudulent emails play on elements of human greed and curiosity. Cybercriminals attempt to convince people to open a malicious email attachment related to money deposits. In reality, the attachment is an HTML page that redirects the victim to a fake Microsoft Outlook page to steal email credentials.
EXPECTING A DELIVERY?
Kaspersky experts detected a wave in scams in South Africa related to RAM Hand-to- Hand Couriers. “Cybercriminals are sending deceptive emails that appear to be from the company, falsely claiming that a package was not delivered due to pending customs fees,” says Bethwel Opil, enterprise client lead at Kaspersky in Africa. “To create a sense of urgency, the email urges users to click on a link for further instructions. When users click on the link, they are redirected to a fraudulent website masquerading as a legitimate RAM courier service portal. Falling prey to this scam exposes individuals to potential identity theft, financial fraud, and significant personal losses.”
While AI can provide swift and accurate threat detection, human oversight is crucial to interpret complex threats, refine AI algorithms, and address nuanced attacks that AI might miss.Jolene Castelyn, Ricoh Southern Africa
One of the most noteworthy aspects of this attack is that RAM is a domestic courier and does not import goods for clients, which means there will never be a request for any customs or import fees or charges. “A receiver of a RAM shipment will never be required to make payment for outstanding shipping costs. If there is ever any reason for a short billing or additional fees to be paid, it would be for the sender’s account,” says Steven Friedman, CIO at RAM Handto- Hand Couriers. RAM’s advice to avoid falling victim to impersonation scams is to check that an email is coming from a RAM domain, which is in line with the company’s website URL, in other words, @ram.co.za. “In addition, customers should look out for warning clues such as distinct grammar or spelling errors, the use of generic greetings such as ‘Dear Customer’ or ‘Dear Client’, demands for urgent attention,” says Friedman. Even though RAM does continually advise clients and customers to be vigilant and warn them against being scammed, it finds that it has to intensify the frequency of communication and reminders via all its communication channels during peak season. “Phishing attacks remain a critical threat as cybercriminals are becoming more and more sophisticated. Fraudulent emails masquerading as a courier is one way of mounting such an attack,” adds Friedman. “It’s not just a RAM Hand-to-Hand Couriers or a South African issue; it’s a global issue and trusted ‘courier brands’ worldwide are used to bait people.”
* Article first published on brainstorm.itweb.co.za