Mimecast expert: Cybercriminals prepared to wait longer before launching email attacks

With the cybersecurity landscape in the Middle East constantly evolving, cybercriminals are upping their game. Jeff Ogden, Vice President Middle East and India at Mimecast, tells us bad actors are prepared to play more of a waiting game as they launch increasingly sophisticated attacks.

Mimecast, a leading email and data security company, has announced the availability of its latest Email Security Risk Assessment (ESRA).

The quarterly assessment is an aggregated report of tests that measure the efficacy of widely used email security systems. This quarter’s ESRA report found a significant increase in Business Email Compromise (BEC) attacks, emails containing dangerous file types, malware attachments and spam being passed by incumbent email security systems and delivered to users’ inboxes.

The latest ESRA found a 269% increase in BEC attacks, in comparison to the same findings in the last quarter’s report. This trend was also reflected in recent research, the State of Email Security 2019 report, which found that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact – like financial, data or customer loss.

The ESRA report found 28,783,892 spam emails, 28,808 malware attachments and 28,726 dangerous file types were all missed by incumbent providers and delivered to users’ inboxes, an overall false negative rate of 11% of inspected emails.

In light of the report, Intelligent CIO spoke to Jeff Ogden, Vice President Middle East and India at Mimecast, about the state of the cyber-landscape in the region.

What can you tell us about the latest cyberthreats?

You get the odd targeted attack that’s coming through into organisations and sometimes it’s difficult to determine where they come from. But I think in our experience the simplest route remains targeting people through email, targeting individuals. Most attacks still start with people being socially engineered.

So sometimes the outcome is difficult to determine but well over 90% of attacks are coming through email.

Have the attacks become more sophisticated?

Absolutely. The thing that is happening now is reconnaissance. Cybercriminals always used to do that reconnaissance to find out what your attack surface was, by scanning a network to look for vulnerabilities.

But now what they’re doing is they’ll break into a Gmail account or they’ll break into an Internet-based email account of some sort. Then they’ll sit on it for a while, and they’ll watch the style and they’ll watch the footers, and they’ll look at the PDF documents that are created for invoices, and they’ll gather all of this information before they do anything about it.

So actually, when they do send the email they’re intimately aware of the way the CISO talks or the way the CFO talks on his emails, or what he’ll accept as an email or invoices he’ll accept.

So we tend to find the first attack is harvesting credentials, so cybercriminals will get somebody to fill in their credentials, through a simple website screenshot that they’ve taken, and then they’ll sit there for five or six months to gather that information.

Then when the attack comes it looks very sophisticated. It looks sophisticated because they know who the admin is, they know who’s running finance, they know the approval processes. They know the supply chain, and all of those things come together, so it’s a well-crafted email when it finally comes.

Isn’t the willingness to wait a new thing?

In terms of our customers and prospects we have been talking to, cybercriminals seem to be waiting a little bit longer now before they craft these emails in an attempt to improve their success rates.

What is the impact of this on businesses?

It’s enormous. There are so many different use cases associated with these sorts of cyberattacks. So, for example, if you’re a shipping company and you’ve got ships all over the world then you may have to fill them with fuel, for example. An attack or a misplaced invoice that goes to the wrong account or to the wrong individual, but gets approved for payment, can have hundreds of thousands of dollars of impact in that sort of situation. There are a thousand different use cases where people get invoices to pay through their supply chain that end up costing them tens of thousands of dollars.

Do cybercriminals deliberately target senior executives?

The impersonation attacks are growing significantly. I think quarter on quarter we’ve seen almost 300% growth in impersonation attacks. So that’s the biggest threat and the biggest growing threat. So that is targeting the CIO, the CFO, the CISO, those sorts of people inside the organisation.

How have cybercriminals been trying to maximise their chances of success?

I think it’s understanding the workflow that’s taking place. So it’s making sure that they understand exactly how an invoice gets paid, for example, and they watch those emails come through. And then they craft them, and then send them at the appropriate time so if that invoice gets paid in a payment from the first week of every quarter that’s when they’ll craft it to be sent and suddenly it seems like a normal email.

Can you explain the concept of the human firewall?

So most of the attachments that are opened are due to individuals. So, educating the individual is probably the most important thing to do. So, make them aware of what they should be looking for.

The problem with a lot of security awareness programmes is they may be 30 minute presentations or 10 minute videos that you have to watch. Typically people don’t tolerate that sort of information now in that form, so what we do with a lot of end-users now is we use very short punchy videos.

We keep it to three or four minutes and we use a lot of humour. So we always deliver the message in a comedy form.

So we actually have a character called Human Error. He’s a funny guy and he will say things like ‘press on the link, don’t worry about your email, put it on a post-it and have the same password for everything.’ So that humour really appeals to people and we’re finding it works incredibly well compared to the traditional presentation and formal training courses.

I think the other key thing is we’re using real data nowadays. So in the past we used to craft these attacks. They used to be done as penetration tests, or what we call phishing tests. Nowadays, what we do is we take real data that’s coming through that’s targeted at your organisation and we defang it and forward it on to the users.

So the users can’t cause any issues, if they press on the link, but we can measure the effectiveness of our training by testing everybody through the organisation and then give them a risk score. So in the same way that the business has a view of risk for financial losses or anything else we can give you a risk of the people inside the business and their prevalence to cyberthreats.

So it’s changed completely. Now, the content is far more consumable and far more effective in terms of measuring how risky your individuals are.
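The answer above describes two mechanics: taking a real phishing email, defanging it so a click cannot cause harm, and turning the resulting user actions into a per-person risk score. The following Python sketch is an added illustration of those two ideas; it is not Mimecast’s code and does not reproduce their scoring model. The sample email body, the user events and the action weights are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a lure body of the kind a gateway might capture (not a real message).
SAMPLE_BODY = """Hi,
Please review the attached invoice and confirm payment via
https://invoice-portal.example.com/login?acct=1234 before Friday.
Alternate link: http://198.51.100.23/pay
Regards, Accounts"""

# Matches http/https URLs; scheme and remainder are captured separately.
URL_RE = re.compile(r"\b(https?)://([^\s<>\"']+)", re.IGNORECASE)


def defang_url(scheme: str, rest: str) -> str:
    """Rewrite a URL so mail clients will not render it as a clickable link.

    'http' becomes 'hxxp' and every dot becomes '[.]', the common defanging
    convention used when sharing indicators; the text stays readable for training.
    """
    scheme = scheme.lower().replace("http", "hxxp")
    rest = rest.replace(".", "[.]")
    return f"{scheme}://{rest}"


def defang(text: str) -> str:
    """Defang every URL in a block of email text."""
    return URL_RE.sub(lambda m: defang_url(m.group(1), m.group(2)), text)


# Assumed action weights for a simulation campaign (constructed for this example):
# reporting the lure lowers risk, clicking or entering credentials raises it.
ACTION_WEIGHT = {"reported": -1, "ignored": 0, "clicked": 2, "submitted_creds": 4}

# Constructed simulation results: (user, action) per forwarded lure.
SAMPLE_EVENTS = [
    ("alice", "reported"),
    ("alice", "ignored"),
    ("bob", "clicked"),
    ("bob", "submitted_creds"),
    ("carol", "clicked"),
]


def risk_scores(events) -> dict:
    """Aggregate simulation events into a 0..100 risk score per user.

    The score is the mean action weight scaled so that always submitting
    credentials is 100; consistently reporting lures floors at 0.
    """
    per_user = defaultdict(list)
    for user, action in events:
        per_user[user].append(ACTION_WEIGHT[action])
    worst = ACTION_WEIGHT["submitted_creds"]
    scores = {}
    for user, weights in per_user.items():
        mean = sum(weights) / len(weights)
        scores[user] = max(0, round(mean / worst * 100))
    return scores


if __name__ == "__main__":
    print(defang(SAMPLE_BODY))
    print(risk_scores(SAMPLE_EVENTS))
```

The scoring here is deliberately simple; a real programme would weight by the difficulty of the lure and decay old results, but the shape is the same: harmless lure in, per-user risk number out, which is what lets people risk sit alongside financial risk in a business view.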

How can a company ensure its cybersecurity without becoming a nuisance to the operation of its employees?

I think the key thing is making sure that you’ve got intrinsic value, so that as you’re going through your normal day-to-day process where your email comes in, it’s just a natural part of your daily activity.

So for example, if you get something through that looks suspicious, if you go on to the menu bar of any application, those features are there for you to say ‘this looks like a spam email, can you test it for me?’

So having integrated solutions that are targeted from a user’s perspective is really important. So our products focus very much on having all of that built into the applications that people are using on a day to day basis.

Intelligent CIO Middle East