The past year has seen a remarkable laundry list of email-based attacks. Phishing, spear-phishing, whaling, business email compromise (BEC), CEO to CFO scamming, email impersonation — whatever names you attach to this bewildering variety of attacks, it’s clear that hackers are using the full range of email techniques available to them. Citizen Lab calls phishing “the royal road to account compromise,” and with good reason. It’s cheap, scalable, effective, and — for now — most companies have erected few technical barriers to phishing.
IT managers tend to consider phishing a variety of social engineering, and their response is effectively a shrug: Train users more, and hope for the best.
Unfortunately, training doesn’t work very well. That’s because two-thirds of inbound phishing attacks use a company’s own domain name in the From field, making them extremely hard to detect.
That’s why 2016 had the highest number of phishing attacks on record. Until 2017 came along and turned the flood of phishing into a torrent, that is.
I’m not going very far out on a limb when I predict that 2018 will see the phishing epidemic continue. Meanwhile, articles will continue to appear that essentially blame users for clicking on links, while technical solutions to the phishing problem remain underutilized.
I see seven big trends in email security coming to the fore in 2018:
1. The frequency and variety of email-based attacks will continue to rise sharply throughout 2018
Don’t hold your breath hoping for a tapering-off of email attack vectors. Email is used by half the planet’s humans, according to research by Radicati, which makes it the most ubiquitous, effective, and inexpensive way to reach out and touch people — whether you’re trying to deliver a friendly message or some kind of malware.
2. 15 banks with revenues of $1B+ will suffer losses due to phishing attacks in 2018
Phishing attacks directed at financial institutions doubled in the first half of 2017, yet only 10 percent of major financial companies are defending themselves against these attacks. These factors will combine in 2018 to produce a rash of phishing attacks on major banks.
3. At least 20 major health care institutions will be successfully hacked via phishing emails…
…and several of those hacks will result in patient records being exfiltrated. Fewer than 4 percent of U.S. health care companies with $1B+ revenues are protected against email impersonation. This sector is wide open to email fraud right now. Note: the first such attack hit the headlines in the first week of 2018, when a Florida phishing attack compromised data for 30,000 patients.
4. Most U.S. federal government domains will implement DMARC in 2018
A recent mandate (BOD 18-01) from the Department of Homeland Security directs agencies to implement email authentication with DMARC by January 15, 2018, and while agencies have made a lot of progress, we’re only a little more than halfway there. We’ll be much closer by the end of the year.
5. Multiple malicious email impersonation attacks will be directed at discrediting the U.S. media, government and business sectors
These attacks will originate from state actors in Russia, China, and North Korea. In addition to targeting government and business, they will impersonate our news organizations to discredit them and perpetuate the “fake news” meme.
6. Several webmail clients will begin indicating whether or not incoming email has been authenticated
This will enable recipients to see, at a glance, who the true sender of the message is.
7. Email authentication will become more mainstream and the focus will shift to brand protection and email deliverability
Focus in the private and public sectors will shift from merely deploying authentication to enforcement, where a domain’s published email policy directs mail servers worldwide to block unauthenticated email. In the private sector, this shift will be driven by CMOs and marketing departments, who view authenticated email as a brand protection tool — and also value the 10-15% increase in email deliverability it conveys.
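The distinction drawn above, and in the DMARC point under trend 4, is between a domain that has merely published a DMARC record and one whose published policy actually tells receiving mail servers to block unauthenticated mail. The following script is an added example, not code from the original article or from any vendor: it parses DMARC TXT records and classifies each as monitoring, partial enforcement, or full enforcement, flagging the gaps a defender would want to close (a `pct` below 100, a weaker subdomain policy, no aggregate-report address). The domain names and records are constructed placeholders; no DNS lookups are performed.

```python
"""Classify published DMARC policies as monitoring vs. enforcement.

Added example, not code from the original article. All records below are
constructed samples keyed by placeholder domain names; nothing is looked up.
"""

# Constructed sample TXT records (the form a DNS query for _dmarc.<domain> returns).
SAMPLE_RECORDS = {
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example-partial.test",
    "example-subgap.test": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example-subgap.test",
    "example-enforce.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-enforce.test",
    "example-broken.test": "v=DMARC1; rua=mailto:dmarc@example-broken.test",  # missing required p tag
    "example-none.test": "",  # no record published at all
}

# Relative strength of the three DMARC policy values.
_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into an ordered dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate empty segments and junk without '='
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: str) -> dict:
    """Return validity, effective policy values, an enforcement level and defender notes."""
    tags = parse_dmarc(record)
    # The version tag must be first and a policy tag must be present for the record to count.
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "level": "none", "notes": ["no valid DMARC record published"]}

    policy = tags["p"].lower()
    if policy not in _STRENGTH:
        return {"valid": False, "level": "none", "notes": [f"unknown policy value p={tags['p']}"]}

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else 100
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in _STRENGTH:
        sub_policy = policy  # an unparseable sp falls back to the organizational policy

    notes = []
    if policy == "none":
        level = "monitoring"
        notes.append("p=none: receivers deliver unauthenticated mail as usual")
    elif pct < 100:
        level = "partial enforcement"
        notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    else:
        level = "enforcement"

    if _STRENGTH[sub_policy] < _STRENGTH[policy]:
        notes.append(f"sp={sub_policy} is weaker than p={policy}: subdomains remain spoofable")
    if "rua" not in tags:
        notes.append("no rua address: no aggregate reports will be received")

    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": sub_policy,
        "pct": pct,
        "level": level,
        "notes": notes,
    }


def report(records: dict) -> dict:
    """Group domain names by enforcement level, preserving input order."""
    grouped = {"none": [], "monitoring": [], "partial enforcement": [], "enforcement": []}
    for domain, record in records.items():
        grouped[classify(record)["level"]].append(domain)
    return grouped


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = classify(record)
        print(f"{domain:24} {result['level']:20} {'; '.join(result['notes'])}")
    print(report(SAMPLE_RECORDS))
```

Only the last category in `report` corresponds to the enforcement stage the article describes; a domain in any other bucket has published a record but is still relying on receivers' goodwill rather than its own policy.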
Authentication may seem like an abstruse topic, but it will become increasingly significant in a wide range of fields, including email. We already have widespread authentication for people (with single sign-on tools like Okta and OneLogin), authentication for credit cards (through credit card approval networks and the increased sophistication of the new chip card), and authentication for secure cloud services (through cloud access security brokers, or CASBs). Why wouldn’t we authenticate the most fundamental form of communications that business uses today — the email message?
As email security disasters continue to proliferate in 2018, I predict that more and more CIOs and CISOs will be asking that question.