Despite many companies investing heavily in setting up defenses, millions of malicious email messages still made their way to end users, placing many of them at risk of data breaches, fraud and ransomware.
This is according to a new report from Tessian, which analyzed millions of emails passing through its email security tool between July 2020 and July 2021, finding that two million malicious messages bypassed “traditional email defenses”, such as secure email gateways.
The report hints that criminals are doing all they can to catch victims off guard, tired, and distracted. For starters, most of the emails were sent during the holiday season in Q4 2020, with the last three months of the year seeing 45% more malicious emails compared to the quarter before.
With 90,000 emails detected during the Black Friday sales, November 2020 was the month with the highest email spike.
Criminals then looked to send the emails at the time of day when they believe victims are most likely to be tired or distracted, which was found to be either 2PM or 6PM.
The contents of the emails themselves are similar: they try to impersonate either a popular business or an individual the victim knows personally. Name spoofing was used in 19% of malicious emails, while domain impersonation was used in 11% of threats.
Just 2% of attacks involved account takeover.
Of all the different brands, Microsoft, ADP, Amazon, Adobe Sign and Zoom were the most popular ones among crooks.
Spear phishing here to stay
On average, an employee would receive 14 malicious emails every year, the report claimed. However, not all industries are created equal, and with the average number of attacks at 49, retail is by far the most attacked vertical.
Tessian’s CISO, Josh Yavor, says highly targeted spear-phishing email attacks are all the rage nowadays, “because they reap the biggest rewards.”
“The problem is that these types of attacks are evolving every day. Cybercriminals are always finding ways to bypass detection and reach employees’ inboxes, leaving people as organizations’ last line of defense. It’s completely unreasonable to expect every employee to identify every sophisticated phishing attack and not fall for them. Even with training, people will make mistakes or be tricked.”
That’s why, Yavor concludes, businesses need a more advanced approach to email security, “because it’s not enough to rely on your people 100% of the time.”