Editor’s Note: This blog post was originally found on the Agari Email Security blog.
By Patrick Peterson
If you want to know why business email compromise (BEC) and other advanced email attacks keep working so well, just ask Dilbert.
In one particularly biting installment of Scott Adams’ popular workplace comic strip, our tech geek hero sits in his cubicle perusing an email that reads, “Enter your bank account number.” Dilbert’s thought bubble reads “Scam.”
Quick cut to engineer Alice. Same email, same thought bubble: “Scam.” One last cut, this time to Pointy-haired Boss as he too reads, “Enter your bank account number.”
His unflinching response: “Okey-Dokey!”
Ouch. Nothing like a few laughs at the expense of the top dog to drive things home, right? But painful as it may be, Dilbert makes a point. While heightened risks may have led you to boost spending on cybersecurity in recent years, the bad guys have been fine-tuning attacks on a vector that lets them bypass all those security controls right from under your own nose: email.
That’s right. Despite the nearly $100 billion executives will greenlight to harden defenses this year, a growing number of organizations are contending with attacks aimed not at computer systems, but at specific individuals — including your very own executive team.
The damage done to the execution of your business plan can be as jaw-dropping as the worldwide losses to businesses. Business email compromise alone has contributed to more than $26 billion in losses since June 2016.
Six Degrees of Impersonation
Indeed, while some fraudulent messages have malware attachments or malicious links, the most sophisticated attacks take advantage of emotional responses that are inherent to human behavior — emotions such as fear, anxiety, and curiosity. And they rely on social engineering to make recipients believe they’re responding to a trusted friend or colleague.
In a recent survey, 85% of people report having received an impersonation attack, and about two-thirds of those saw this type of attack increase over the previous twelve months. The average loss from a standard-issue business email compromise scam is now more than $157,511. When it results in a data breach, that price increases dramatically.
For chief executives and their teams, uncertainty over the legitimacy of inbox messages can hobble executive communications and impede the ability to conduct business via email — potentially derailing their best-laid strategic initiatives. The good news is that there there is an answer.
The Rise of ‘The Intelligent Inbox’
As the risks of BEC, executive spoofing, and other scams increasingly come to light, many organizations make the mistake of fighting the last battle, increasing security controls in the wake of a successful attack. Others at least go a step further, training and re-training employees to spot and report phishing emails. But this can be counterproductive as an overabundance of false alarms raised to the SOC can be costly to manage.
Ideally, employees should be able to trust their inbox instead of questioning the authenticity of every email they receive. What if businesses could perform predictive trust decisioning on inbound email in real time — before they ever hit the inbox?
With a large enough dataset, an AI-based approach informed by real-time intelligence can do what neither humans nor traditional email security controls can — extract insights from a massive volume of global email messages, and use these insights to perform automated real-time inspection of incoming email.
It is this AI-backed approach that we deliver with Agari Advanced Threat Protection. By analyzing trillions of emails annually, the solution models good emails and behaviors to deliver the good and block the bad. Machine learning models are continuously updated to address both known and never-before-seen threats. And even though your business might not have seen the threat, it’ is highly likely that our network has, so we can stop those threats before they ever hit your inboxes.
This always-on, cognitive approach applies rules, makes decisions, and gets smarter with each new sender identity analyzed. And as new organizations implement Agari, the dataset and intelligence grow exponentially. It’s a true network effect in action.
More Smarts, Less Uncertainty?
As for the business benefits of this safer, smarter approach to email security? Unbeatable.
For the first time ever, employees at every level of the organization can click on any message in the inbox and know they can open and respond to it with confidence.
No more wasting time assessing an email’s legitimacy, because a thorough assessment has already been performed. No more making calls or sending texts to confirm a message’s authenticity if there’s ever a doubt. No more clogging up the precious cycles from your already overwhelmed SOC. And no more mad scrambles to mitigate the damage when even highly-intelligent people fall for phish bait.
Yet for all of this, there’s another reason why tweaking existing security controls in the face of advanced email threats may come up short by comparison. The fact is, this predictive AI-backed approach is fast becoming table stakes for modern internal accounting and security control.
The sheer volume and severity of new attacks also continue to be unrelenting. With losses from email scams rising every single day, and 94% of all data breaches starting with a well-targeted email, proper protection is no longer an option — it is pure necessity. Whatever the path to achieve it, pursuing an “intelligent inbox” approach to neutralizing BEC attacks and other advanced email threats could be a very wise choice. Just ask Dilbert.
To learn more about how Agari Advanced Threat Protection prevents BEC and other advanced email attacks, check out our self-service demo.
