Cybercriminals have used email to scam more than $13 billion out of organizations since 2013, according to the most recent Internet Crime Report. Phishing is rising by the day, and despite advancing threat-detection technology, the problem is getting worse.
Why? Fraudsters are becoming more sophisticated at identifying targets and crafting messages that evade traditional secure email gateways. And humans, despite an avalanche of warnings and millions spent on security awareness training, continue to make flawed decisions about what is trustworthy and what simply is not.
Zero Trust Does Not Work
Zero Trust — the security principle that everything inside and outside a network needs to be validated before gaining access — can harden systems against external and internal attacks that lead to data breaches, embezzlement, fraud, and other malicious activities. In terms of machine interaction, it’s effective. But add people to a system and things change.
Criminals know that people are the weakest point in most systems, so they go after them. Last year, there were more than 22 phishing attacks sent every minute of every day. These organized fraudsters also know that security is always evolving, so they continuously adjust their techniques to avoid detection by SEGs and appear more convincing to their targets.
So in a world full of headlines about scams and cons, why are people so trusting? Stanford business professor Roderick M. Kramer wrote in the Harvard Business Review that not only do we come into the world hardwired to trust the people around us, but most of us go on to treat trust as a one-time decision, which we don’t revisit when we get new information.
If we’ve decided to trust emails from the CFO, we keep on trusting them, even when an urgent request to make a secret wire transfer seems a little off. Once we’ve decided to trust the emails sent from our Director of Human Resources, it takes something big to make us change our mind. The same can be true of third-parties you’ve worked with in the past and big-name brands you know and love.
This drive to trust can, and often does, override anti-phishing training, which is why 30% of trained recipients will still open a malicious email. Not only do many people fall for phishing even after training, but they also mistake a lot of legitimate messages for fraud. Our own survey recently found that worldwide, over half of phishing reports sent by employees to SOCs are false positives. Triaging each false positive report eats up nearly six hours of SOC analyst time.
Cybercriminals are taking advantage. Millennials — now the largest generation of workers and consumers — have the most confidence that they can spot phishing attempts. Unfortunately, they’re also more than twice as likely as older adults to get phished. So long as deceptive messages make it into inboxes, phishing attacks will succeed, and SOC teams will spend hours triaging both legitimate and false alarms. Clearly, the traditional approach is not working.
Phishing Fallout Beyond Direct Losses
The average loss per successful BEC attack is $1.3 million. And because 96% of data breaches now start with a malicious email according to the Verizon Data Breach Investigations Report, there is also the potential for higher breach-related losses stemming from phishing. Let’s not forget the potential loss of employment for executives deemed responsible, loss of shareholder value, and loss of money by consumer victims of brand-impersonation attacks.
When customers get scammed, they often take their business elsewhere, driving up churn rates and customer acquisition costs. In financial services, a popular target for phishing and account takeover scams, 28% of customers leave their bank after unauthorized account activity. For all industries, Deloitte projects a 30% rise in customer attrition after a company has a cybercrime incident, with above-normal attrition rates for the next three years.
There’s harder to quantify relationship damage too, as brands involved in email scams experience the kind of press that simply cannot be considered good press. Consumers who see new stories about data breaches or warnings from the FTC may avoid those brands going forward. Making matters worse, email can see a drop in ROI if customers stop opening messages because they cannot trust the safety of them.
A Smarter Approach to Email Security
Relying on end-users to decide who to trust in the inbox is a setup for costly losses. Email security focused entirely on detecting the bad will always be forced to play catch-up when new types of attacks emerge. Between the rapid evolution of tactics and the constant nature of human behavior, is complete email security possible? We believe that it is, and it requires a radical change in approach.
The system we’re building and growing at Agari focuses on modeling the good, to ensure that recipients can trust everything in their inbox and that new exploits are detected and shut down before they can inflict major damage. Our AI-driven Agari Identity Graph™ leverages real-time data, a clear-eyed view of human nature, and a community of users — a smart community — committed to making the email ecosystem safer for everyone.
In my next post, we’ll see what smart communities look like and how they can detect and prevent email attacks more effectively than any other option.
Learn how the Agari Identity Graph uses the power of a smart community to model trusted email communication in this white paper.