The Rising Threat of Financial Fraud Should Make You Reconsider Your Approach to Email Security
The latest cyber insurance claims data indicates that email security focused on catching phishing and malware attachments no longer provides appropriate protection. Security and IT pros need to expand their idea of what it takes to secure email as a communications channel.
While phishing and malware tactics remain a threat, email security tools are increasingly effective at blocking them, especially when backed by a robust security awareness training program. Even so, the threat from malicious emails continues to rise. Our claims data shows that despite many companies employing best-in-class email security tools like Mimecast and Proofpoint, email-related cyber incidents increased by 48% from 2021 to 2023¹. Unlike in previous years, however, phishing is no longer the loss-leader that it once was. Instead, increasingly sophisticated financial fraud attacks have replaced phishing as the number one driver of loss in email-originated attacks, accounting for 61% of total claims in 2023.
This tells us that while email security tools are effective at blocking phishing attempts, they are proving ineffective at catching emails that elicit fraud – and attackers appear to be shifting their focus away from hacking victims’ computers, to hacking victims’ brains, to increase their success. Claims trends show a rise in attacks leveraging carefully crafted emails that aim to manipulate recipients into victimizing themselves by redirecting funds or, in some cases (nearly 5%!), physical goods.
Phishing vs. Financial Fraud
It’s important to distinguish between phishing and financial fraud. Digital financial fraud encompasses many attacker tactics, but for clarity, we define the two categories as follows:
- Phishing is a social engineering attack that typically relies on email to manipulate victims into clicking malicious links, downloading harmful files, or disclosing sensitive information. Phishing fundamentally targets computers. These attacks require user actions that expose their systems to exploits, allowing attackers to install backdoors or steal data.
- Financial fraud, on the other hand, also leverages social engineering but does not rely on malicious links or attachments. Instead, these attacks target the recipient directly and manipulate them into performing activities that create financial loss. When financial fraud succeeds, there is often no malware installed, no malicious activity for security tools to detect, and no clear digital evidence trail. The threat actor walks away with a payout sent directly by the victim.
Because financial fraud attacks lack easily identifiable indicators such as links and malware, email security tools must rely on analyzing email content itself to determine when an attack might be in progress. Training employees to spot these attacks is challenging, as fraud often exploits seemingly safe and familiar relationships: 75% of these incidents involve a known vendor or partner, and 89% occur during an expected transaction.
Three Approaches to Email Security
While large enterprises can afford to deploy layers of controls against phishing and fraud, mid-market and smaller businesses must reconsider the anti-fraud capabilities of the individual solutions they can afford and make changes where they fall short. Security capabilities for email come from three sources: security functions built into your email solution, Secure Email Gateways, and Integrated Cloud Email Security solutions. Each has its own advantages and limitations when it comes to stopping financial fraud and phishing.
Secure Email Gateways: Strong Against Phishing, Weak Against Fraud
Layering a Secure Email Gateway (SEG) with a cloud email solution gives businesses an improved ability to identify malicious content along with some anti-fraud capabilities (e.g., flagging emails from suspicious domains). Analysis of our claims data found the combination of a cloud email solution and a market-leading SEG to be so effective in previous years that our insurance carrier has made this configuration a core security recommendation for its customers. However, in 2023 we found that the most common cause of loss among businesses was financial fraud, and email contributed to 9 in 10 of these cases. This indicates that while SEGs remain effective against phishing, they fall short in preventing fraud.
Integrated Cloud Email Security: The Next Best Option, But Not Without its Limitations
Integrated Cloud Email Security (ICES) solutions are designed to address the limitations of built-in email security and legacy SEGs. These sophisticated systems leverage AI to deeply analyze not only links and attachments but also the content of emails themselves, assessing the tone, intent, and urgency to identify signs of complex attacks like Business Email Compromise and payment redirection.
ICES can even detect impersonation tactics where an attacker pretends to be a vendor or coworker to trick employees into divulging confidential information or making unauthorized transactions. These tactics represent a major threat: in 2023, almost half of all financial fraud involved impersonation. Among those attacks, attackers impersonated a vendor 36% of the time and someone in the business 11% of the time.
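A simplified, rule-based stand-in for the content and impersonation analysis described above, added here as an illustration; it is not At-Bay's or any ICES vendor's code. The vendor allow-list, keyword patterns and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list (assumption): domains of vendors the business already pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-logistics.example"}
# Constructed keyword rules standing in for a product's content model.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|routing|iban|wire)\b", re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|overdue)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def fraud_signals(raw_email):
    """Return the fraud indicators found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body, signals = msg.get_payload(), []
    if sender not in KNOWN_VENDOR_DOMAINS and any(
            edit_distance(sender, d) <= 2 for d in KNOWN_VENDOR_DOMAINS):
        signals.append("lookalike_vendor_domain")
    if reply_to and reply_to != sender:
        signals.append("reply_to_mismatch")
    if PAYMENT_CHANGE.search(body):
        signals.append("payment_detail_change")
    if URGENCY.search(body):
        signals.append("urgency")
    return signals

# Constructed sample messages: none contains a link or an attachment.
IMPERSONATION = ("From: Billing <ap@acme-suppiies.example>\nReply-To: ap@billing-desk.example\n"
                 "Subject: Invoice 4471\n\nPlease use our new bank details and pay today.\n")
ROUTINE = ("From: Billing <ap@acme-supplies.example>\nSubject: Invoice 4470\n\n"
           "Invoice 4470 is in the portal. Terms are unchanged, net 30.\n")
HIJACKED = ("From: Billing <ap@acme-supplies.example>\nSubject: Invoice 4472\n\n"
            "Our account has changed; wire to the updated account details.\n")
```

The HIJACKED sample comes from the genuine vendor domain, so only the content rule fires, which is why sender reputation alone misses fraud sent through a known vendor relationship.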
Despite their advanced capabilities, ICES solutions can create new challenges — especially for mid-market and smaller businesses with limited resources — due to the high volume of alerts they generate. Reviewing each alert requires significant work for already-busy IT teams, not to mention the bandwidth required to perform remediation action when needed.
The ‘noise’ generated by frequent and sometimes false alerts can lead to alert fatigue, where critical warnings might be overlooked or dismissed by analysts who aren’t skilled at assessing malicious emails. Further, significant expertise may be required to properly integrate these technologies into existing IT infrastructures, to fine-tune settings according to the specific needs and threat exposure of the business, and to keep them configured correctly over time.
If a mid-market business can afford a solution like this but doesn’t have the team to manage it, the added capability makes consideration of managed service options worthwhile.
MDR for Email: The Next Generation of Email Security
Managed Detection and Response (MDR) for Email has emerged as a comprehensive solution to address the limitations of traditional email security approaches. MDR for Email combines advanced cloud-based email security technology with expert human oversight to provide robust protection against both external and internal email threats.
Key Benefits of MDR for Email
- Comprehensive Protection: MDR for Email offers protection against a wide range of threats, including phishing, malware, business email compromise (BEC), and sophisticated financial fraud attempts.
- 24/7 Expert Monitoring: A team of cybersecurity experts continuously monitors your email environment, providing rapid response to potential threats at any time.
- Advanced Threat Detection: Leveraging AI and machine learning, MDR solutions can identify subtle indicators of malicious activity that may evade traditional security tools.
- Reduced Alert Fatigue: By handling alert triage and investigation, MDR services alleviate the burden on internal IT teams and reduce the risk of important alerts being overlooked.
- Actionable Intelligence: MDR providers offer detailed reporting and actionable insights to help organizations continuously improve their email security posture.
- Scalability: MDR solutions can easily scale to meet the needs of growing businesses without requiring significant additional investment in hardware or personnel.
Conclusion
Insurance claims data shows that email fraud is on the rise, and traditional anti-phishing and malware detection solutions are inadequate in preventing these attacks. Tools with robust anti-fraud capabilities are essential for mitigating the risk of email-based crime and ensuring email defenses align with today’s most prevalent threats.
If you are a large business that can afford to run your own Integrated Cloud Email Security solution, upgrading from a standalone SEG to an ICES solution is your best next option for reducing your exposure to fraud. For mid-market and small businesses that don’t have the resources or money to buy and manage a complex ICES solution, an MDR for Email solution, like the one provided by At-Bay, is a far superior and cost-effective option to improve your email security and avoid an email attack.
At-Bay Stance™ MDR for Email combines cutting-edge email security technology with expert human analysis to help eliminate 98% of the email-based attack risk businesses face today.
- AI-powered threat detection to identify sophisticated attack patterns
- 24/7 monitoring by cybersecurity experts
- Rapid incident response and remediation
- Detailed threat intelligence and reporting
- Seamless integration with existing email infrastructure
If you’re an At-Bay Cyber or Tech E&O policyholder with Embedded Security, you have access to At-Bay Stance™ Advisory Services². This team of cybersecurity experts can assess the current state of your email security and advise you on solutions that may fit best for your business.
1 At-Bay, 2024 InsurSec Rankings: Email Security and Financial Fraud Report
2 Access to At-Bay Stance Advisory Services is available to policyholders via the “Embedded Security” fee and the corresponding endorsement. Your Embedded Security Endorsement refers to “At-Bay Stance Advisory Services” as “At-Bay Stance Managed Security.” Please contact your authorized insurance representative for information concerning your Policy.