The digital world that we live in today increasingly relies on digital communication such as email, which makes us more vulnerable to cyber-attacks like phishing.
The purpose of phishing attacks is to target employees of an organization, so workers must understand how these attacks work, as well as how to respond accordingly in order to protect from them. Regular cyber awareness training provides employees with the skills to identify malicious URLs and handle emails with suspicious attachments, but it is often not enough.
For this reason, Cybernews contacted Gerasim Hovhannisyan, CEO of EasyDMARC – solution for securing customers' domain and email infrastructure – to find out tactics cybercriminals use to bypass spam filters and what can be done accordingly.
How did EasyDMARC come about? What has your journey been like?
Back in 2016, a multi-billion dollar company experienced a severe email phishing attack, resulting in financial and reputational damage. At the time, I was an information security consultant tasked with finding a solution to mitigate the aftermath and protect the company from such incidents in the future.
I explored the latest and greatest email security technologies only to realize that no single available product could produce effective and sustainable results. As a result, I decided to create an all-in-one platform for easy and smart email authentication deployment.
Together with EasyDMARC's other co-founder, Avag, we finalized the product's first version at the end of 2017. In January 2018, we put up a landing page and woke up to discover an acquisition of more than a thousand subscribers overnight. All with no marketing or sales.
Can you introduce us to what you do? What are the main issues your platform helps solve?
EasyDMARC is a B2B SaaS solution that makes email authentication simple for small and medium businesses in the IT, Finance, Education, Nonprofit, and Healthcare industries. In short, we secure domain and email infrastructure, protecting you and your business from phishing (email spoofing) attacks and increasing email deliverability. Our platform helps to easily identify and quickly solve existing email security problems.
Valuetainment Media recently tweeted that 89 % of marketers pointed to email when asked about their primary lead generation channel. At the same time, Verison DBIR 2021 mentions that 93% of the world's successful cyberattacks were carried out through phishing emails.
The only sovereign and independent communication method on the internet, email, has always been a hard and convoluted problem. Although you own and manage your business email infrastructure (no large corporation or government involved), the channel is still weak and non-secure. Thus, email protection is more critical than ever.
We ensure that businesses gain the following:
- Visibility to business email environment: Most business owners and IT specialists need help to manage their own email infrastructure. EasyDMARC allows them to take control of their domain ecosystem.
- Business identity control: Brand impersonation is a massive issue for companies worldwide. According to the 2022 State of the Phish report, 65% of organizations faced Business Email Compromise (BEC) attacks.
- Operations and communication security: Over 90% of successful cyberattacks start with email phishing. But most of them don't end there. Phishing, spoofing, and BEC attacks act as entry points into the company infrastructure, finances, and operations, creating further issues.
- Email deliverability: Email marketing is super important to businesses because of its inherent unique personalization opportunity and sales power. However, with almost 16% of sent emails never reaching people's inboxes (Email Tool Tester, April 2022) and 15 billion spam emails (CyberTalk.org) sent daily, the efficiency of email marketing diminishes. Email is the best marketing channel, a $1 investment can create 34x ROI. Therefore, improving domain reputation should be a top priority for businesses.
What are cybercriminals usually trying to gain by sending malicious emails? What were the most interesting cases you've encountered?
Bad actors nowadays are all about control. Money, yes, but control is more important.
So, in a world where data governs everything, they work hard to get some. The more information you possess, the more control you have. Once they have the data, they can manipulate any person or company.
Another control point in the digitized and automated environment is gaining access to critical systems. Whether it's transportation, electricity, other utilities, or governance-related systems, they are of high interest and value for cybercriminals.
How did the recent global events influence the way threat actors to operate?
When talking about global events, we can't overlook COVID-19 and the War in Ukraine. Cybercrime skyrocketed in the past two years. According to research, phishing rose 500% during the pandemic.
Remote working also has its role in the rising cyberattacks. First, controlling the security perimeter is more challenging when your employees aren't in the office. Second, employees are more relaxed and less alert in the comfort of their homes. Consequently, they're more prone to dropping the level of cyber hygiene (i.e., using a work computer for leisure, sharing the password to their computer, etc.). Third, heightened emotions due to lockdowns and health issues are another factor for making rash decisions.
All these factors put cyber actors in a more favorable position than the "normal" pre-COVID situation.
Methods aren't changed per se, but pretexts, manipulation topics, and preying opportunities are much ampler due to global changes.
What are the most common tactics cybercriminals use to bypass spam filters and other email security measures?
Spam filters aren't what they used to be in the past. Algorithms are becoming smarter, and making grammatical mistakes to bypass the filters won't cut it these days. Plus, more people are more cyberaware and will spot a spam message with quite a high accuracy. Cybercriminals have become smarter, too, so the constant battle between algorithms and people is constantly on.
It's the more intricate attacks that pose a serious issue. Social engineering is an umbrella term for a go-to tactic for cybercriminals. Most social engineering types are gateways for larger attacks. For example, a pretexting email can lead the victim to a spoofed website, where they enter company details and result in a Business Email Compromise with problems like financial and reputational damage.
The belief that only large and well-known enterprises are prone to cyberattacks is only one of many misconceptions still prevalent today. What cybersecurity myths do you come across most often?
There are a few laughable ones, but one of the most dangerous ones is not even trying to secure email "Because email is too weak." Yes, there's weakness deep in its nature, but cybersecurity experts have developed sturdy tools to make it as secure as possible.
Another misconception is that if an organization uses Microsoft or Google, they don't need anything else. While these tools give organizations some built-in security, they still need additional protection to ensure complete security.
What new types of phishing emails can we expect to see in the near future? Which industries do you think are going to be targeted the most?
Business Email Compromise, and especially CEO fraud (also called whaling), are the most damaging to any organization. This is because they target executive-level positions that naturally have higher access levels than ordinary employees.
If recent years changed anything, it's the focus of cybercriminals. Previously they would target a large pool of victims and hope for the best. Now, with the rise of social media and more free information, they can impersonate whoever they aim to with little research.
What are some of the best practices and tools you think everyone should implement to protect themselves online?
There's a lot to pay attention to, but the top three on my list are:
- Passwords are essential. Don't lend your passwords to anyone, even your closest friends and family.
- CEOs of companies, both large and small, need to keep their personal details like email and phone numbers private, as this information opens many opportunities for account takeovers and impersonation attacks.
- Finally, no matter the size of your business set up solid cybersecurity practices. Whether you set up your email authentication or write code, ensure that you work cybersecurity into your business DNA.
Share with us, what's next for EasyDMARC?
Receiving investment has been a massive motivator to our team, and we celebrated. Now we're back to working hard and reaching new milestones with our incredible global team.