Key findings of the Armorblox 2023 Email Security Threat Report, which documents the rise in targeted attacks and a shift in trends across a broad range of attacks, and highlights the use of language to bypass existing email security controls. See some of the key findings of this report, a study of email-based attack trends compiled by analyzing over 4 billion emails and stopping over 800,000 threats every month, while protecting over 58,000 customers.
On April 11th, 2023, Armorblox proudly published our second annual 2023 Email Security Threat Report, which documents the rise in targeted attacks and a shift in trends across a broad range of attacks, and highlights the use of language to bypass existing email security controls.
This report is a study of email-based attack trends compiled by analyzing over 4 billion emails and stopping over 800,000 threats every month, while protecting over 58,000 customers. By comparing threat data from 2022 with data collected for 2021’s report, the Armorblox Research Team identifies attack trends over the past year and provides a snapshot of them, so organizations can stay vigilant in protecting their end users and organizations from these targeted attacks.
To summarize some of the key findings, the Armorblox 2023 Email Security Threat Report found that Business Email Compromise (BEC) attacks increased dramatically, by 72% year-over-year. We also continue to see high volumes of language-based and socially engineered attacks targeting organizations of all sizes and across industries, where language in the email is used to compromise a user’s trust. Additional findings include a rise in vendor compromise and fraud as a new attack vector, and graymail wasting 27 hours of security teams’ time per week.
Key findings in the report include:
- 56% of attacks bypassed legacy security filters
- 52% of all attacks involve sensitive user data
- 58% of account compromise attacks targeted SMBs
- 53% of vendor compromise attacks targeted technology organizations
- 77% of BEC attacks that bypass legacy security solutions involve language as the main attack vector
- 27 hours per week are wasted on manual remediation of graymail by security teams
Let’s break down these key findings to understand why these attack trends are pertinent for organizations to consider as we get further into 2023.
56% of all attacks in 2022 bypassed legacy security filters
In 2022, 56% of all threats bypassed legacy security solutions, indicating that organizations without proper security measures are at higher risk of these attacks and the negative impacts they can have on the organization. Traditional security solutions that rely on signature-based detection and static rule sets are no longer sufficient to protect against the increasingly sophisticated attacks of today. As evidenced by this data, attackers are finding ways to circumvent these legacy security filters with alarming frequency. Organizations can detect and respond to threats in a more timely and efficient manner by adopting API-based email security that either replaces or sits on top of current email security layers, providing a more comprehensive approach to cybersecurity with technology that leverages advanced threat intelligence and large language models and understands the language within email communications.
Half of all attacks involve sensitive user data, such as user login credentials (52%)
Users rely heavily on email to accomplish the majority of their day-to-day tasks, and bad actors are still infiltrating legitimate business workflows. With half of all attacks involving sensitive user data, bad actors aim to compromise legitimate business workflows and alter sensitive business information, such as assigning new routing numbers for payment requests. The high reliance on email for day-to-day tasks, combined with the increasing sophistication of bad actors, makes it crucial for organizations to take proactive steps to protect their sensitive information. Utilizing email security solutions with built-in Data Loss Prevention for outbound emails can drastically help lower potential exposure of sensitive data.
Half of account compromise attacks targeted SMBs (58%), proving to be a persistent and prevalent threat
With the widespread use of email for business communications, data from Armorblox shows that small and medium-sized businesses are particularly vulnerable to compromise attacks. With account compromise attacks, bad actors gain access to email accounts within an organization, allowing them to monitor email conversations, intercept confidential information, and even execute lateral attacks. Unfortunately, due to the perceived notion that SMBs lack sophisticated security tools and processes compared to larger enterprises, bad actors take the liberty of testing the security infrastructure at these smaller organizations more frequently, placing them at greater risk of being targeted by these attacks and of cybercriminals gaining unauthorized access to organization- and user-specific information.
More than half of vendor compromise attacks targeted technology organizations (53%)
Vendor compromise attacks continue to be a prevalent threat for businesses, and with cybercriminals aiming to target third-party vendors and suppliers, the result can be unauthorized access to sensitive data and the interception of business email workflows. Small and medium-sized businesses (SMBs) are particularly vulnerable to vendor fraud and supply chain email attacks, and last year more than half of vendor compromise attacks targeted technology organizations. By implementing an email security solution that monitors vendor relationships and establishes communication and behavior baselines, businesses can find peace in knowing that these targeted threats are minimized, reducing the risk of costly data breaches and financial losses.
Language remains the main proxy in 4 out of 5 (77%) BEC attacks that bypassed legacy solutions in 2022
BEC attacks continue to evolve and maintain their high effectiveness because they exploit human vulnerabilities, such as trust and the desire to be helpful, rather than relying solely on technical exploits or system vulnerabilities. Attackers often rely on social engineering tactics to craft emails that appear to be from a trusted source, such as an employee or vendor, and use convincing language to persuade the recipient to take a specific action. It is the language-based nature of BEC attacks that results in their high bypass rates for legacy solutions. Organizations can better protect themselves and their human layer from BEC attacks that use language as the main proxy by implementing API-based email security solutions that use large language models, such as GPT, and NLU that understand the content and context of email communications.
Security teams can find themselves spending upwards of 27 person-hours a week manually sorting and deleting graymail across inboxes
Large numbers of graymail emails sent to users across the organization often result in security teams manually sorting and deleting these emails across user inboxes. This can lead to email overload, making it difficult for end users to identify and respond to important emails promptly. This can have serious consequences, particularly in industries such as healthcare or finance, where timely communication is crucial. For enterprise organizations, security teams can find themselves spending close to 30 hours a week manually remediating graymail emails. On the other hand, cybercriminals can use legitimate marketing emails as a cover to send malicious emails that may go unnoticed by end users or security teams. These emails may contain phishing links, malware attachments, or other forms of cyberattack that can compromise the security of an organization's network. Organizations that implement API-based email security can automate the remediation of recon email attacks and classify graymail communications, saving time for security teams and protecting end users.