Email is still the biggest attack vector out there, and it needs to change
January 2024 by Roman Brunner, GVP Sales EMEA / Managing Director – DigiCert.
The inbox is like a digital part of our own home. It’s where we spend much of our time, it’s often our central point of access with colleagues, partners, friends and family and it’s often where we feel most comfortable. The trust we place in that inbox is one of the key reasons it’s been the biggest - and most successful - vector for cyberattack for years. In fact, phishing accounts for over a third - 36% - of all data breaches in the US.
Trust is the central concept here. We trust our inboxes - if only because of the familiarity with which we view them - and it’s that trust that attackers seize upon. When we see an email in our inbox, we often trust its provenance without considering that it’s a key attack vector. This becomes ever more the case when we think of spear phishing - also known as BEC (Business Email Compromise) - in which an attacker impersonates a friend or colleague in order to pressure the recipient into taking an action that could compromise their workplace or personal security. While the average click rate for a phishing campaign is 17.8%, the average for a spear phishing campaign is 53%.
Businesses have taken this seriously and cybersecurity practitioners have developed many solutions to combat this dogged threat. Anti-phishing training is now a common feature of the workplace, in which users are taught to spot phishing emails. However, despite these myriad attempts to vanquish it, phishing remains a reliable breach point for attackers. It’s growing too - in 2022, the Anti-Phishing Working Group logged nearly 5 million phishing attacks, representing growth of more than 150% since 2019.
Furthermore, phishers are becoming more sophisticated in their attempts. Training often instructs people to look for telltale signs of a phishing email - such as poor grammar or odd use of language. However, AI services like ChatGPT are allowing threat actors to write more convincing - and longer - phishing emails which can avoid spam filters and circumvent training techniques as well as other anti-phishing measures.
Some solutions have proven more effective than others. DMARC (Domain-based Message Authentication, Reporting and Conformance) combined with VMCs (Verified Mark Certificates) has emerged as a way to combat the problem and add a level of trust and transparency to email interactions.
DMARC is effectively a TXT record stored in DNS that allows receivers to verify the authenticity of emails. Building on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, DMARC allows a recipient to check whether the purported sender aligns with the domain that SPF and DKIM actually authenticated. If it does not, the email is flagged as potentially fraudulent, and the policy published in the record tells the receiver whether to reject or quarantine that message. This can be augmented with Verified Mark Certificates (VMC), which allow senders to display verified logos within the sender field of email inboxes, confirming both that an organisation is DMARC compliant and that the email has been sent from a trusted and verified domain. These are particularly useful when establishing the trust level of one-to-many emails.
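As an added illustration of the alignment check described above (example code written for this page, not DigiCert's or the article's own), here is a minimal DMARC evaluator that parses a published record and decides the disposition of a message from SPF and DKIM results. The records, domains and authentication results are constructed, and the organisational-domain logic is deliberately simplified.

```python
# Minimal DMARC evaluator (added example, not from the article).
# Records, domains and SPF/DKIM outcomes below are constructed for illustration.

def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    # Simplification: treat the last two labels as the organisational domain.
    # A real receiver consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment compares organisational domains; strict ('s') needs equality."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_domain: str, spf_pass: bool,
                      dkim_domain: str, dkim_pass: bool) -> str:
    """Return 'pass', or the requested action ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # the domain owner's published policy for failures

if __name__ == "__main__":
    # Constructed records: monitoring-only versus enforcing with strict alignment.
    weak = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    strong = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
    # Spoofed From: example.com where SPF and DKIM pass only for an unrelated domain.
    print(dmarc_disposition(weak, "example.com", "spoof.test", True, "spoof.test", True))    # none
    print(dmarc_disposition(strong, "example.com", "spoof.test", True, "spoof.test", True))  # reject
    # Legitimate mail relayed from a subdomain: relaxed alignment passes, strict does not.
    print(dmarc_disposition(weak, "example.com", "mail.example.com", True, "", False))       # pass
    print(dmarc_disposition(strong, "example.com", "mail.example.com", True, "", False))     # reject
```

The last pair shows why a domain owner moving to `aspf=s` must first confirm that every legitimate sending host uses the exact From domain, or enforcement will quarantine or reject its own mail.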
Many aren’t aware that assurances like these already exist. Gmail, MS-Outlook and Yahoo - among other popular services - are adding visual markers to indicate trusted emails, along with text to explain what they indicate. When it comes to one-to-one or one-to-some messages, emails protected with S/MIME certificates encrypt the content of messages and carry digital signatures that verify the sender’s identity. This can be seen within MS-Outlook, which shows a red mark in the email header - which users can click to verify that the sender’s identity has been validated by a trust source like DigiCert. Together, VMC and S/MIME comprehensively cover trust verification across one-to-many and one-to-one/some email messages.
Like so many struggles in cybersecurity - the fight against phishing is long and constantly evolving. Phishing is one of the oldest tricks in the book, but phishers are changing their tactics to adapt to new conditions, and defenders have to change their anti-phishing strategies to accommodate this new reality and educate users about the safeguards that are already in place - such as VMC and S/MIME - in widely used email services.