Do Australian companies struggle to meet the challenge of evolving email threats?

A recent international study by Barracuda found that more than a quarter (28%) of Australian organisations find it hard to deal effectively with everyday phishing attacks – and many also feel underprepared to tackle more sophisticated email-based threats such as account takeover attacks (22%), conversation hijacking (21%), spear-phishing (21%), and business email compromise (17%).

Despite these concerns, a considerable number haven’t implemented security tools to address such threats. For example, the same survey found that just 26% of Australian respondents had tools to protect against spear-phishing and only 20% had defensive measures for account takeover attacks.

Understanding and addressing such apparent mismatches is a priority for organizations and also for the partners and security vendors that support them. The cyberthreat landscape never stands still and the tactics and techniques used in email-based attacks continue to evolve. Regardless of whether the attack is a fairly rudimentary mass-phishing attack or a subtle, targeted and convincing conversation hijack, attackers continuously introduce new tricks in their attempts to bypass security and trap victims.

The ever-evolving email threat landscape

For example, new threat insight research highlights some novel tactics that we detected in phishing attacks during January 2023.

One such tactic uses Google Translate web links that take users to a fake but authentic-looking website that is in fact a phishing site controlled by the attackers. These attacks are difficult to detect since they contain a URL that points to a legitimate website. As a result, many email filtering technologies will allow these attacks through to users’ inboxes.

Another tactic involves using an image in the email, without any text. The image can be a form such as an invoice that includes a malicious link or callback phone number. Because these attacks do not include any text, traditional email security can struggle to detect them.

The use of special characters in attacks is another novel tactic we’ve seen. Special characters, such as a zero-width (no) space within the malicious URL embedded in a phishing email, break up the URL pattern so that security technologies do not detect it as malicious.

And while the overall volume of attacks using these tactics is currently low – with each tactic making up less than 1% of attempted phishing attacks – they are widespread, with between 11% and 15% of organizations affected, often with multiple attacks. And we believe they will increase in popularity.

The impact of a successful hit

Traditional security needs to keep pace with evolving threats, because a failure to do so doesn’t just mean the attacker gets the account credentials, money or access they’re after – the business impact on the victim can be significant. According to our international study, the fallout for Australian organisations from a successful email-borne attack included downtime and business disruption (affecting 42% of the organisations surveyed), loss of employee productivity (41%), and damage to their brand and company reputation (37%).

Security in the face of change

Email is an accessible and low-cost attack tool and phishing is a common starting point for many cyberattacks, including ransomware, financial fraud and credential theft. Phishing can also lead to more sophisticated, follow on email attacks such as account takeover and conversation hijacking. It is not surprising that attackers continue to develop their phishing approaches to trap unwary recipients and avoid being spotted and blocked.

Our researchers have identified 13 types of email threat, and we expect the range of email-based attacks to continue to evolve as attackers try to evade security measures by leveraging AI and advanced social engineering tactics.

Australian businesses need to ensure they understand the latest tools, tactics and approaches used by attackers to protect their operations and employees against existing and evolving email-borne threats.

In many cases this will involve adapting the security strategy to leverage AI/machine learning to detect and block newly evolved and advanced email threats. It is also important to train employees to identify and report potential attacks.

Having a strong email protection solution in place alongside alert employees who know what to look for and what to do next can provide a powerful security barrier for your business. Don’t be afraid to turn to third parties – service providers and security vendors for help. It’s why we’re here. Let’s talk if you want to learn more.