While alternative options for functional communication channels are steadily growing for business users, email remains inextricable from your daily routine. It is easy to check. You browse it often. And even more so than your social media accounts or your favorite apps, it serves as a personal, direct line to you.
As such, the messaging vanguard still remains enormously popular with users, even millennials. Marketers love it too: Email newsletters (for example, shameless plug alert, Trustwave Digest) are back in vogue. If consumers are going to hear from brands, they want it to be done via email.
But there is one other, far more perfidious, group who also adores email: Cybercriminals.
They prey upon the curiosity, urgency and emotions you feel when you hear that enticing ding from your computer, signaling a new addition to your inbox. And they descend upon you in droves. According to the 2017 Trustwave Global Security Report, phishing and social engineering rank as the second-biggest factor contributing to compromises (only behind remote access). Other studies have found that nine out of every 10 breaches has a phishing or social engineering connection.
Our Global Security Report also discovered that in 2016, 60 percent of all inbound email was spam. Meanwhile, 35 percent of those spam messages contained malware, up three percent from the prior year.
Phishing attacks often originate from spam botnets such as Necurs and can take on many forms, from the well-document scourge of "CEO fraud" that has pillaged companies of millions of dollars to a fresh wave of malware disguised as legitimate Microsoft Office files.
Given the success rate of email-based attacks, coupled with the ease by which they can be launched, your adversaries won't be giving them up anytime soon. But there are steps you can take to lower your risk and force your foes to look elsewhere.
Carefully consider your organization's inbound email policy. Quarantine or flag all executable files, including Java, JavaScript, .vbs and .wsf attachments, as well as all suspicious and/or unusual file attachments, such as .cpl, .chm, .hta and .lnk files. Create plans for how to handle these potentially dangerous files coming into your organization.
At the least, organizations should enable macro protection in Microsoft Office while making users aware of the threats.
Many email attacks succeed because of unpatched client software, such as Office and Adobe Reader.
Perform checks with the email gateway, the web gateway or both.
Do this at the email gateway and deploy techniques to detect domain misspellings that may indicate phishing.
Everyone, from the rank and file up to the C-suite, needs to comprehend the nature of today's email attacks. Conducting mock phishing exercises against your staff shows employees that phishing attacks are a real threat, and they need to be wary.
The security gateway should be on premises or in the cloud with multiple layers of technology, including anti-spam, anti-malware and flexible policy-based content filtering capabilities.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.