It is impossible to run a business without email. That’s a simple fact. Businesses across industries depend upon email as an indispensable communication method, keeping employees in touch with customers, partners, vendors, and, of course, each other.
But email communication has its drawbacks. Messages and attachments can be read by third parties, altered in transit, and forged outright, leaving businesses and organizations exposed to a wide range of spear phishing attacks that can result in the loss of trade secrets, confidential information, or money from company accounts. What’s worse, these incidents can also put an enterprise out of compliance with mandatory regulatory requirements.
The potential for damage here is very real. A recent FBI report indicates that there have been $12 billion in fraud losses since 2013 as a result of 78,000 Business Email Compromise (BEC) attacks, a form of spear phishing whose goal is to trick the victim into sending money to the attacker. And those are just the incidents that were reported, so the true figure is likely much higher. According to the same report, losses from BEC attacks exceed those of any other form of cyber-enabled crime, a clear indication that email security must be among the primary cybersecurity concerns for any business.
Spear phishing attacks come in many forms, but the most common involves impersonating someone within the organization, typically the CEO, CFO, or another senior leader. Employees in departments such as finance or HR receive an email urgently asking them to do something like process a payment or relay confidential information, with the sender claiming to be unreachable and therefore unable to confirm the request by other means.
This may seem straightforward, but cybercriminals can be sneaky. You may have heard of typosquatting, where criminals register domains a letter or two different from legitimate ones and use them to create email addresses that look authentic at first glance. The truth is, in many cases this isn’t even necessary. The “From” field of an email is an ordinary text header written by whoever composes the message, and the SMTP protocol that carries the message does nothing to verify it. A phisher can simply write the executive’s real address into that header, and that is exactly what the recipient’s mail client displays. Even eagle-eyed individuals wary of typosquatting and other simple phishing tricks may not recognize a fraudulent email when it appears to come from a legitimate, familiar address.
Don’t worry, there is good news. Over the next few weeks, the Sectigo team will break down how organizations can defend against these attacks (and others like them) using digital certificates. Secure/Multipurpose Internet Mail Extensions (S/MIME) email certificates address the vulnerabilities inherent to email, improving both an organization’s protection against eavesdropping and its employees’ protection against social engineering attacks that depend on email. S/MIME sets itself apart from standard email defenses such as antivirus programs by cryptographically verifying who signed a message, rather than merely scanning an email for threats once it has been received. It also encrypts the contents of the message itself, so they are protected not just on the wire but on every server the message passes through or rests on.
How does S/MIME do it?
There are three distinct ways in which it improves the security profile of email communications, each matched to one of the threats above. A digital signature created with the sender’s private key lets the recipient verify that the message really came from the holder of a certificate issued to that sender, which defeats a forged “From” address. The same signature covers the message body and attachments, so any alteration after signing causes verification to fail. And encryption to the recipient’s public key keeps the contents unreadable to anyone who intercepts or stores the message along the way.
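The following script is an added example, not Sectigo’s code or anything from the original post. It uses the OpenSSL command line (1.1.1 or newer is assumed) to build a throwaway S/MIME PKI and shows, concretely, the two points made above: a forged “From” header alone produces a message that fails signature verification, and a signed message whose body is altered in transit fails as well. The CA name, the people, the addresses (alice@example.com, bob@example.com) and the invoice text are all constructed for the demonstration; a real deployment would use certificates issued by a public S/MIME CA rather than a private one.

```shell
#!/bin/sh
# Added example (not from the original page): a throwaway S/MIME PKI built with
# the OpenSSL CLI, showing what a signature proves that a From: header does not.
# The CA, people, addresses and invoice text below are constructed for the demo.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. A private issuing CA (stands in for a commercial S/MIME CA).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Internal CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
  -config ca.cnf -keyout ca.key -out ca.pem 2>/dev/null

# 2. An S/MIME certificate for alice@example.com, issued by that CA.
cat > alice.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Alice Example
emailAddress = alice@example.com
[smime_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config alice.cnf \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl x509 -req -in alice.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 365 -extfile alice.cnf -extensions smime_ext -out alice.pem 2>/dev/null

# 3. An attacker's self-signed certificate that merely CLAIMS Alice's address.
#    Nothing stops anyone from minting this; only CA trust separates it from 2.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config alice.cnf \
  -extensions smime_ext -keyout mallory.key -out mallory.pem 2>/dev/null

# sign_as CERT KEY OUT: clear-sign a constructed payment request. The From:
# header is written by the sender and is NOT covered by the signature.
sign_as() {
  printf 'Please wire USD 48,000 to the account below today.\n' |
    openssl smime -sign -text -signer "$1" -inkey "$2" \
      -from 'Alice <alice@example.com>' -to 'bob@example.com' \
      -subject 'Urgent invoice' -out "$3"
}

# verify_msg FILE: returns 0 only if the signature is valid, the signer's
# certificate chains to our CA, and the address in that certificate matches
# the From: header the user will see (the check a good mail client performs).
verify_msg() {
  openssl smime -verify -in "$1" -CAfile ca.pem -signer signer.pem \
    -out /dev/null 2>/dev/null || return 1
  from_addr=$(sed -n 's/^From:.*<\([^>]*\)>.*/\1/p' "$1" | head -n1)
  openssl x509 -in signer.pem -noout -email | grep -qx "$from_addr"
}

sign_as alice.pem alice.key genuine.eml
sign_as mallory.pem mallory.key forged.eml
sed 's/48,000/84,000/' genuine.eml > tampered.eml   # body altered in transit

for f in genuine.eml forged.eml tampered.eml; do
  if verify_msg "$f"; then echo "$f: signature valid and From: matches certificate"
  else echo "$f: REJECT"; fi
done
```

Only genuine.eml passes. forged.eml carries the same From: header and even a certificate bearing Alice’s address, but that certificate was not issued by a trusted CA, so the chain check fails; tampered.eml has a valid certificate but the altered body no longer matches the signature. Note that verify_msg deliberately compares the certificate’s e-mail address to the From: header, because the header itself is outside the signed portion of the message.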
This continuing blog series will explore specific ways that businesses and organizations can deploy S/MIME technology, including as a method of defense against spear phishing and as a way to remain compliant with information security regulations such as GDPR and HIPAA. As more and more organizations adopt this important technology, understanding its many applications will help provide a fuller picture of S/MIME’s value.
Next up: S/MIME 101: Protecting Yourself from Spear Phishing Attacks