It's 4:48 pm on the Friday before a long weekend, and you have just received an email from the CEO requesting immediate payment or an important deal will fall through. This could be genuine, but most likely it is email fraud. Email fraud is a constant and costly problem. Austin Berglas, Global Head of Professional Services at BlueVoyant, explains that “email fraud is on the rise due to the consistent reliance on digital communication, keeping it as an attractive attack vector for cyber criminals who exploit both technological vulnerabilities and human psychology. In addition, the rapid shift to remote work has increased the use of email for business communications, creating more opportunities for fraud, and employees working from home may have weaker security measures compared to corporate environments.”
The 2024 InsurSec Rankings: Email Security and Financial Fraud Edition report from At-Bay, a provider of cyber insurance and cybersecurity support, lays out specifics on the growth and costs of email-based cyber-attacks. “As an InsurSec company, we are uniquely positioned to objectively measure and assess the effectiveness of today’s top email solutions at reducing cyber risk,” said Ayelet Kutner, Chief Technology Officer at At-Bay. According to the report, which is based on the analysis of claims from At-Bay’s policyholders, financial fraud accounted for 61% of email-related claims in 2023. For small and medium-sized businesses (SMBs), 9 of 10 financial fraud claim incidents originated with an email. The average incident resulted in a loss of over $200K, with the top stolen amount being $5 million.
Costly Email Cybercrime a Growing Problem
Email is an important business application. According to a survey of U.S. workers, the most common form of business communication is email, and a plurality of workers prefer to use email for work communications. Employees spend five hours in an average week reading and writing emails. This usage and familiarity make email the perfect vehicle for cybercriminals.
The most popular and successful email fraud attack method is business email compromise (BEC). These attacks accounted for 63% of the financial fraud claims At-Bay handled in 2023. BEC attacks rely on impersonation and social engineering. Cybercriminals either gain direct access to an actual email account or create an email account that masquerades as someone who can request that a payment be sent to attacker-controlled accounts. BECs can be internal, where the fraudulent request appears to come from inside the organization, or external, where the fraudulent emails come from a compromised vendor or partner. The InsurSec report says these two types are distributed evenly. For these attacks to be most effective, the two parties need to have an established relationship: only about 10% of the financial fraud involved a previously unknown third party.
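The impersonation patterns described above (a trusted name on an outside address, a lookalike sender domain, replies silently routed elsewhere) can be screened for before a message reaches the person who approves payments. The following is an added example for this article, not code from At-Bay or the report; the company domain, the executive directory entry and the sample headers are all constructed for the demonstration.

```python
"""Flag common business email compromise (BEC) impersonation signals.

Added illustration, not code from the article or the At-Bay report.
Three defender-side checks drawn from the article's description of BEC:
  1. display name matches a known internal person but the address does not,
  2. sender domain is a lookalike of the company's own domain,
  3. Reply-To sends answers somewhere other than the visible sender.
"""
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example.com"                      # assumption: defended org's domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # constructed directory entry


def _domain(addr):
    """Domain part of an address, lowercased ('' if there is no address)."""
    return addr.rsplit("@", 1)[-1].lower() if addr else ""


def _fold(domain):
    """Normalize for lookalike comparison: NFKC, common digit-for-letter swaps,
    then drop everything that is not a letter or digit."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return "".join(ch for ch in d if ch.isalnum())


def _edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, reference=COMPANY_DOMAIN):
    """True when `domain` is not `reference` but folds to the same string or
    is one character edit away from it."""
    if domain == reference:
        return False
    a, b = _fold(domain), _fold(reference)
    return a == b or _edit_distance(a, b) == 1


def bec_signals(headers):
    """Return the list of impersonation signals found in a dict of headers."""
    name, addr = parseaddr(headers.get("From", ""))
    signals = []
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        signals.append("display-name impersonation")
    sender_domain = _domain(addr)
    if sender_domain != COMPANY_DOMAIN and is_lookalike(sender_domain):
        signals.append("lookalike sender domain")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        signals.append("reply-to mismatch")
    return signals


# Constructed sample headers (reserved example domains only).
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <ceo.janedoe@example.net>"},
    {"From": "Accounts Payable <ap@examp1e.com>"},
    {"From": "Vendor Billing <billing@vendor.example>",
     "Reply-To": "billing-update@example.net"},
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h["From"], "->", bec_signals(h) or "clean")
```

The Reply-To check is worth keeping even when the other two are quiet: a genuinely compromised vendor mailbox sends from the right name and the right domain, and a diverted reply path is often the only header-level trace of it.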
There are examples of the damage successful financial email attacks can cause. Johnson County Board of Education lost $3.4 million when someone impersonated its online curriculum vendor. Elkin Valley Baptist Church was cheated out of $793K in money donated to build a new church after an email from the construction firm containing payment instructions was cloned by online thieves. Commodities trader Scoular was tricked into handing over $17M for a fake M&A deal.
These examples illustrate that companies of all sizes can fall victim to email fraud, but interestingly the report highlighted that companies with more than $100M in revenue were three times more likely to have a fraud claim than companies with less than $25M in revenue. Large companies are attacked more, have more money available, have more email accounts, have more vendors, and have a bureaucracy that can be manipulated.
Performance of Email Services and Security Solutions
By analyzing their data, At-Bay uncovered insights into the effectiveness of email services and security solutions. They studied the frequency of claims submitted by customers who have various solutions installed to uncover trends.
Using the average of all claims as the baseline, customers with Mimecast and Proofpoint email security solutions installed experienced better-than-average outcomes. Businesses using Mimecast had 37% fewer incidents than the average, and Proofpoint customers had 11% fewer. The offerings from both companies improved their effectiveness in 2023 when compared to 2022.
The report also looked at the performance of the most common email platforms. This analysis only compared platforms that were not paired with a separate security solution. Here, Google Workspace had a significantly lower incidence of fraud claims than both Microsoft 365 and Microsoft Exchange. Google Workspace has many security features enabled by default. At-Bay noted that Microsoft 365’s large market share makes it more likely that attackers will target these systems.
Defend Against and Recover from Email Fraud
Email is critically important to business operations. It remains a target of cybercriminals as they seek entry points into an organization for criminal activities. Attackers will not stop in their efforts, but organizations can be successful in preventing fraud and recovering funds when an incident occurs. Between January 2023 and June 2024, At-Bay was able to assist their policyholders in recovering $61M in stolen funds.
The tools and actions required to reduce the risk of a successful email fraud attack are available. Chad Graham, Cyber Incident Response Team (CIRT) Manager at Critical Start, spells out how organizations can effectively protect their email systems from ongoing and future threats. “Companies should implement a multi-layered security approach that combines technological solutions with employee awareness and robust policies. Implementing multi-factor authentication (MFA) adds an extra layer of security by requiring additional verification methods beyond passwords to access email accounts, reducing the risk of unauthorized access. Utilizing advanced email security tools that offer features such as spam filtering, phishing detection, malware scanning, and link protection can help prevent malicious emails from reaching users' inboxes.”
Additionally, At-Bay recommends strengthening the financial transaction process. All transaction details (such as account numbers and routing numbers) need to be validated using a trusted communication method other than email. This is normally done via a phone call to a number taken from a previous contract or from the number on file, never the number given in a potentially fraudulent email.
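The callback control just described is easy to state and easy to get wrong in practice, usually because the person verifying dials the number helpfully supplied in the same email. The following added example (my illustration, not At-Bay's process or code) models the control as a small workflow: a bank-detail change arriving by email is queued, the control hands staff only the phone number already on file, and the change is applied solely after a callback to that number in which the vendor confirms it. Vendor names, phone numbers and account values are constructed placeholders.

```python
"""Out-of-band validation of payment-instruction changes.

Added example, not the article's or At-Bay's code. Models the recommended
control: account/routing changes requested by email are never applied until
confirmed by phone on the number already on file, and a number offered in the
email itself is flagged and never used for that call.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorRecord:
    """Constructed vendor-master entry (values are placeholders)."""
    name: str
    phone_on_file: str   # taken from the signed contract, never from an email
    account: str
    routing: str


@dataclass
class ChangeRequest:
    """What an incoming email asks accounts payable to do."""
    vendor: str
    new_account: str
    new_routing: str
    phone_in_email: Optional[str] = None   # any "call us here" number the email offers


class PaymentChangeControl:
    def __init__(self, vendors):
        self.vendors = {v.name: v for v in vendors}
        self.pending = {}   # request id -> ChangeRequest awaiting callback
        self.log = []       # (request id, outcome) audit trail

    def submit(self, req_id, req):
        """Queue a change and return the ticket staff work from. The number to
        call always comes from the vendor record, not from the email."""
        vendor = self.vendors[req.vendor]
        warnings = []
        if req.phone_in_email and req.phone_in_email != vendor.phone_on_file:
            warnings.append("email offers a callback number that differs from the number on file")
        self.pending[req_id] = req
        return {"call": vendor.phone_on_file, "warnings": warnings}

    def confirm(self, req_id, number_dialed, vendor_confirmed):
        """Apply the queued change only if the callback went to the number on
        file and the vendor confirmed. Returns True when applied."""
        req = self.pending.pop(req_id)
        vendor = self.vendors[req.vendor]
        if number_dialed != vendor.phone_on_file:
            self.log.append((req_id, "rejected: callback not made to number on file"))
            return False
        if not vendor_confirmed:
            self.log.append((req_id, "rejected: vendor did not confirm change"))
            return False
        vendor.account, vendor.routing = req.new_account, req.new_routing
        self.log.append((req_id, "applied after callback"))
        return True


def run_demo():
    """Constructed scenario: an emailed bank-detail change that also supplies a
    'new' contact number. Staff dial the on-file number and the vendor denies
    ever requesting the change."""
    ctl = PaymentChangeControl([
        VendorRecord("Acme Builders", "+1-555-0100", "ACCT-111", "RTN-000"),
    ])
    req = ChangeRequest("Acme Builders", "ACCT-999", "RTN-000", phone_in_email="+1-555-0199")
    ticket = ctl.submit("REQ-1", req)
    applied = ctl.confirm("REQ-1", ticket["call"], vendor_confirmed=False)
    return ticket, applied, ctl.vendors["Acme Builders"].account


if __name__ == "__main__":
    ticket, applied, account = run_demo()
    print("call:", ticket["call"], "| warnings:", ticket["warnings"])
    print("applied:", applied, "| account still:", account)
```

The design point is that `confirm` refuses the change when the number dialed is anything other than the one on file, even if the caller reports the vendor "confirmed": a callback to the number from the email is a call to the attacker, so the control treats it as no verification at all.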
Businesses have the tools available to prevent cyber fraud. They must ensure employees are security aware and that policies exist requiring validation of financial transactions requested by email. All of these require organizations to prioritize email security today.