The rising threat of financial fraud: Reconsider your approach to email security - opinion

Investing in the right email security measures can help businesses prevent costly cyber incidents and safeguard financial well-being.

How can you keep yourself safe from phishing scams? (illustrative) (photo credit: FREEPIK.COM)

The latest cyber insurance claims data indicates that email security focused on catching phishing and malware attachments no longer provides appropriate protection. 

Security and IT professionals need to expand their ideas of what it takes to secure email as a communications channel.

While phishing and malware tactics remain a threat, email security tools are increasingly effective at blocking them, especially when backed by a robust security awareness training program. However, the threat from malicious emails continues to rise.

Our claims data shows that despite many companies employing best-in-class email security tools such as Mimecast and Proofpoint, email-related cyber incidents increased by 48% from 2021 to 2023. However, unlike in previous years, phishing is no longer the loss leader it once was. Instead, increasingly sophisticated financial fraud attacks have replaced phishing as the number one driver of loss in email-originated attacks, accounting for 61% of total claims in 2023. 

This tells us that while email security tools are effective at blocking phishing attempts, they are proving ineffective at catching emails that elicit fraud. 

Attackers appear to be shifting their focus away from hacking victims’ computers to hacking their brains in order to increase their success. Claims trends show a rise in attacks leveraging carefully crafted emails that aim to manipulate recipients into victimizing themselves by redirecting funds or (in nearly 5% of cases) physical goods.

In the field of digital fraud, the well-known phishing messages that try to fool us stand out (credit: SHUTTERSTOCK)

Phishing vs financial fraud

It’s important to distinguish between phishing and financial fraud. Digital financial fraud encompasses many attacker tactics, but for clarity, we define the two categories as follows:

Phishing is a social engineering attack that typically relies on email to manipulate victims into clicking malicious links, downloading harmful files, or disclosing sensitive information. Phishing fundamentally targets computers. These attacks require user actions that expose their systems to exploits, allowing attackers to install backdoors or steal data.

Financial fraud, on the other hand, also leverages social engineering but does not rely on malicious links or attachments. Instead, these attacks target the recipients directly and manipulate them into performing activities that create financial loss. When financial fraud succeeds, there is often no malware installed, no malicious activity for security tools to detect, and no clear digital evidence trail. The threat actor walks away with a payout sent directly by the victim.

Because financial fraud attacks lack easily identifiable indicators such as links and malware, email security tools must rely on analyzing email content to determine when an attack might be in progress. Training employees to spot these attacks is challenging, as fraud often exploits seemingly safe and familiar relationships: 75% of these incidents involve a known vendor or partner, and 89% occur during an expected transaction.

Three approaches to email security

While large enterprises can afford to deploy layers of controls against phishing and fraud, mid-market and smaller businesses must reconsider the anti-fraud capabilities of the individual solutions they can afford and make changes where they fall short. Security capabilities for email come from three sources: security functions built into your email solution, secure email gateways (SEG), and Integrated Cloud Email Security (ICES) solutions. Each has its own advantages and limitations when it comes to stopping financial fraud and phishing. 

Secure email gateways

Layering an SEG with a cloud email solution gives businesses an improved ability to identify malicious content, along with some anti-fraud capabilities (such as flagging emails from suspicious domains). Analysis of our claims data found the combination of a cloud email solution and a market-leading SEG to be so effective in previous years that our insurance carrier has made this configuration a core security recommendation for its customers. 

However, in 2023 we found that the most common cause of loss among businesses was from financial fraud and that email contributed to 9 in 10 of these cases. This indicates that while SEGs remain effective against phishing, they fall short in preventing fraud.

The next generation of protection

Integrated cloud email security (ICES) solutions are designed to address the limitations of built-in email security and legacy SEGs. These sophisticated systems leverage AI to deeply analyze not only links and attachments but also the content of emails themselves, assessing the tone, intent, and urgency to identify signs of complex attacks like business email compromise (BEC) and payment redirection.

Integrated cloud email security solutions can even detect impersonation tactics where an attacker pretends to be a vendor or coworker to trick employees into divulging confidential information or making unauthorized transactions. 

These tactics represent a major threat: In 2023, almost half of all financial fraud occurred as an impersonation. In addition, among those attacks, attackers impersonated a vendor 36% of the time, and they impersonated someone in the business 11% of the time.
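As an added illustration (not code from the article or from At-Bay), the Python heuristic below sketches the kind of sender and content analysis described above: it scores a constructed payment-redirection email and a benign invoice for a lookalike vendor domain, a Reply-To pointing elsewhere, changed banking details and urgency. The vendor allow-list, the patterns and the sample messages are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed allow-list of vendor domains this business already pays (hypothetical).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-logistics.com"}
# Content cues of a payment-redirection request: changed banking details plus time pressure.
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing|iban)\b", re.I | re.S)
URGENCY = re.compile(r"\b(urgent|urgently|immediately|today|asap)\b", re.I)
def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains such as a swapped or dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, known):
    """True when the sender domain is not a known vendor but is within two edits of one."""
    return domain not in known and any(edit_distance(domain, k) <= 2 for k in known)

def score_message(raw, known=KNOWN_VENDOR_DOMAINS):
    """Return the fraud indicators found in an RFC 822 message given as a string."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    body = msg.get_payload()
    reasons = []
    if is_lookalike(from_domain, known):
        reasons.append("lookalike-vendor-domain")
    if reply_domain != from_domain:  # replies steered to a domain other than the sender's
        reasons.append("reply-to-mismatch")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-details-change")
    if URGENCY.search(body):
        reasons.append("urgency")
    return reasons
# Constructed sample messages (not real mail): a redirection attempt and a benign invoice.
FRAUD_SAMPLE = """From: Accounts <billing@acme-suppIies.com>
Reply-To: billing@acme-supplies-invoices.net

Please note our bank account has changed. Kindly wire today's payment to the new account below.
"""
BENIGN_SAMPLE = """From: Accounts <billing@acme-supplies.com>

Attached is invoice 4471 for last month's deliveries. Payment terms remain net 30 as per our contract.
"""
```

A real ICES product adds header authentication results and behavioural baselines on top of such cues; the point here is that none of the indicators is a link or an attachment.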

Despite their advanced capabilities, ICES solutions can create new challenges – especially for mid-market and smaller businesses with limited resources – due to the high volume of alerts they generate. Reviewing each alert requires significant work for already-busy IT teams, not to mention the bandwidth required to perform remediation action when needed. 

The noise generated by frequent and sometimes false alerts can lead to alert fatigue, where critical warnings might be overlooked or dismissed by analysts who aren’t skilled at assessing malicious emails. Further, significant expertise may be required to properly integrate these technologies into existing IT infrastructures, to fine-tune settings according to the specific needs and threat exposure of the business, and to keep them configured correctly over time.

If a mid-market business can afford a solution like this but doesn’t have the team to manage it, the added capability makes managed service options worth considering.

Conclusion

Insurance claims data shows that email fraud is on the rise, and traditional anti-phishing and malware detection solutions are inadequate in preventing these attacks. Tools with robust anti-fraud capabilities are essential for mitigating the risk of email-based crime and ensuring email defenses align with today’s most prevalent threats.

ICES solutions are emerging as the most effective tool against modern email-based threats. However, their complexity limits adoption among mid-market and small businesses. While outsourcing security management can help address this challenge, managed email security services remain costly and scarce. 

The cybersecurity industry must develop more accessible solutions to support smaller businesses, ensuring they can protect themselves against the growing threat of financial fraud. Investing in the right email security measures can help businesses prevent costly cyber incidents and safeguard financial well-being.

The writer is the general manager of security services at At-Bay. He has two decades of experience in cybersecurity and cybersecurity operations and was a security leader at Kivu Consulting, Longbow (co-founder), McKinsey & Company, and EY. Before becoming a consultant, he worked as a software developer, architecting and implementing cybersecurity tools for the US defense and intelligence communities. He served as a cybersecurity officer in the US Army.