One in Five Advanced Email Attacks Were Successful in 2022, According to New Report
Friday, November 11th, 2022
New research from email security company Tessian, the State of Email Security Report, found that enterprise email is now the No. 1 threat vector for cyberattacks. According to the report, 94% of organizations experienced a spear phishing or impersonation attack, and 92% suffered ransomware attacks over email this year.
Organizations send and receive thousands of emails per day, making email a massive vulnerability for the enterprise and opening the door for advanced attacks like spear phishing, impersonation and ransomware.
Organizations in the U.S. receive on average 1.5 times more spear phishing and impersonation attacks than the global average.
Impersonation attacks (where attackers attempt to create legitimate-looking email addresses) were the most common type of advanced email attack in the first nine months of 2022. These types of attacks also ranked as the top email threat that security leaders are most concerned about. On average, security leaders reported 148 impersonation attacks in 2022, followed by 141 spear phishing attacks and 138 email-based ransomware attacks. When asked who was being impersonated the most, over a third of IT and security leaders (37%) responded with threat actors posed as employees in attempts to trick end-users in their organization. This was closely followed by a vendor (32%) and a C-level executive (31%).
Ransomware also continues to be a top threat with 92% of global organizations experiencing at least one email-based ransomware attack in 2022 and 10% of the security leaders surveyed saying they received over 450 email-based ransomware attacks since January 2022. In addition, almost three-quarters (72%) of security leaders experienced account compromise or takeover in 2022. This happens when a threat actor acquires legitimate login credentials, and uses those credentials for example, to send more attacks, posing as the individual they've successfully impersonated in attempts to steal money or sensitive information.
Most organizations have a secure email gateway (SEG) or native security from a cloud provider in place to keep employees secure on email. However, the report found that 62% of security leaders said advanced email threats bypassed SEGs in 2022, leaving enterprises susceptible to financial losses and leaked customer data.
Almost all respondents (99.5%) recognized that AI and machine learning can enhance and improve email security. Faster threat detection (66%) and more accurate threat detection (56%) were the top two AI benefits cited by security leaders. Almost half (44%) of respondents also noted that automated approaches to email security could alleviate administrative burdens on their already stretched security teams.
"We all rely on email at work and at home, and as the gateway to valuable data and access, email accounts are always a valuable target to adversaries, especially those seeking to compromise business," said Josh Yavor, chief information security officer at Tessian. "We can also expect threats to continue to expand into other communication platforms like instant messaging tools, personal email or social media accounts as attackers seek to evade detection."
Inbound emails are not the only threat that security leaders are concerned about. Employees also pose a risk to data and company security through data loss and exfiltration. Nearly two-thirds of security leaders (63%) said that their staff exfiltrated data over email in 2022, while 92% of companies experienced a data breach caused by an end-user making a mistake on email – such as sending an email to the wrong person or failing to send the correct attachment. Nearly one in five companies (16%) dealt with over 50 data breaches caused by users' errors on email in 2022 alone.
Employee mistakes on email remain a pervasive issue for security leaders and can have serious repercussions. A separate study from Tessian found that two-fifths (40%) of employees sent an email to the wrong person, with almost one-third (29%) saying their business lost a client or customer because of the error. Even worse, one in four respondents (21%) lost their job because of the mistake.
Yavor added: "To keep employees secure on email, organizations should be proactive in delivering security training that addresses the common types of threats on email that's tailored and personalized to their role and department. Company cultures also play a significant role in protecting employees. Security leaders should emphasize a culture that builds trust and confidence, which will ultimately improve security behaviors."
About the Research
In September 2022, Tessian commissioned third-party research house Censuswide to survey 600 IT and security leaders in organizations across US, UK, Middle East and Africa.