3 Major Email Security Threats & How to Conquer Them

July 14, 2022

What’s the riskiest channel for data security? It’s email. An estimated 65% of IT professionals named email as their biggest data security villain in a recent survey. It’s also the most likely path for a cyberattack to take to strike an organization. Most of today’s nastiest cyberattacks like business email compromise, credential compromise and ransomware have that route of infection in common. Those are two of the many reasons why email security is a critical part of every company’s defensive posture. Having the right email security in place can save businesses from cybersecurity disasters today, but it’s also an important tool for making sure that a business is ready for the cyber threats that it will face in the future. 




These 3 Email-Based Threats Are Growing Fast


Businesses are facing a tumultuous time in cybercrime, with zero-day attacks and new iterations of old favorites flooding inboxes daily. That can make it hard to predict exactly what will come next and the email-based threats that might be coming down the pike.  There are many factors that contribute to the email security landscape. Geopolitical concerns, economics and technology all play a role in shaping cybercrime. However, it’s safe to say IT professionals will want to keep an eye on these emerging trends in 2022. 

This information is excerpted in part from The Global Year in Breach by ID Agent.

1. Growth in cybercrime-as-a-service 

The growth of cybercrime-as-a-service has played a major role in escalating cybercrime rates, and that looks set to keep rolling in 2022. An estimated 90% of posts on popular dark web forums are from buyers looking to contract someone for hacking or other cybercrime services. A high level of activity adds competition to the space, resulting in lower prices. Bad actors can farm out phishing operations through a subscription service for as little as $800 per month. Contracting out for a U.S.-targeted, high-quality ransomware campaign in 2021 cost $1,900, but that price has dropped to $17,00 in early 2022 as more cybercriminals entered the space. The evolution of this industry will continue to make cybercrime easier for the bad guys and keep phishing as their go-to move.

2. High supply chain risk 

The supply chain is an increasingly dangerous source of cyberattacks, including phishing attacks. Booming dark web data markets ensure cybercriminals will be hunting for fresh stores of data, and they’ll be targeting business services companies and other service providers or suppliers to find it. Supply chains also offer bad actors pathways to conduct backdoor attacks on larger organizations, a boon to both garden-variety and nation-state cybercriminals. In the ninth annual Threat Landscape Report, the European Union Agency for Cybersecurity (ENISA) noted that nation-state threat actors conducted at least 17 known supply chain attacks between 2020 and 2021, constituting more than 50% of the attacks they recorded. ENISA also broke down the supply chain attacks it recorded in 2021, offering a glimpse at what businesses are likely to face in the future.

Goals of supply chain attacks  

  • About 66% of attacks focused on obtaining supplier code 
  • About 58% of attacks aimed to access data 

Source: ENISA 




3. Nation-state tension exacerbating cyberattack danger 

Experts have long warned that cyberattacks would be used as an offensive weapon in modern conflicts, and that can complicate email security because nation-state cybercriminals are also big fans of phishing. The problem can be even worse in times of trouble, as exemplified by the high levels of phishing carried out in the Russia-Ukraine conflict. Overall, nation-state cybercrime has doubled since 2017. Compounding the problem, in a challenging economy, nation-state threat actors that serve isolated or rogue states have been increasing their ransomware operations activity to generate income for their country. North Korea pulled in an estimated $1 billion from cybercrime in 2021. ENISA has predicted that state-backed actors will be increasingly involved in revenue-generating cyber intrusions in 2022.   

ENISA’s Top 9 Threats for 2022 

  1. Ransomware   
  2. Malware   
  3. Cryptojacking   
  4. Email-related threats   
  5. Threats against data   
  6. Threats against availability and integrity   
  7. Disinformation/misinformation   
  8. Non-malicious threats   
  9. Supply chain attacks 

Source: ENISA 




Employees & Phishing Are a Recipe for Disaster 


Phishing has been the reigning champion of data breach risks for three consecutive years. Phishing checks all the boxes as a valuable tool for the bad guys: it’s versatile, cheap for cybercriminals to run, requires little to no experience and has historically been highly effective. Bad actors are unlikely to stop relying on this tool any time soon because they get excellent results from it. Cisco’s 2021 Cybersecurity Threat Trends report shows that at least one person clicked a phishing link in around 86% of the organizations studied. Those clicks can lead to serious consequences for their organizations.

Unfortunately, employees cannot provide the first or even second line of defense against the email threats that companies are facing right now. Employees are human, and human beings make mistakes, especially when it comes to sophisticated, socially engineered email threats. An estimated 97% of employees in a wide array of industries are unable to recognize a sophisticated phishing email. In fact, one-fifth of employees admit to making mistakes like falling for phishing tricks that caused them to interact with malicious messages at work.   




Here Are the Phishing Tricks Employees Fall for 


Keeping employees from falling for the ruses of cybercriminals is an ongoing struggle. By analyzing the results of thousands of phishing resistance training sessions and phishing simulations with leading security and compliance training solution BullPhish ID, it’s easy to get a snapshot of the trouble that companies face when relying on employees to safeguard them from email threats. 

2021 BullPhish ID phishing resistance training totals    

  • Total number of training campaigns created – 81,484 
  • Total number of phishing simulation emails sent – 2,424,762   
  • Total number of clicks on phishing simulation emails – 106,670 

Top 3 security awareness training courses of 2021 

  1. Phishing: Introduction to Phishing – 150,163 created trainings
  2. How to Avoid Phishing Scams – 129,666 created trainings
  3. Phishing: The Dangers of Malicious Attachments – 100,265 created trainings

Top 3 phishing simulation campaigns that successfully drew employee interaction   

  1. Office 365 – Suspicious Login – 10,879 clicked
  2. FedEx – Package Delivery – 6,535 clicked
  3. Google Docs – Invitation to Edit – 4,492 clicked

Top 3 phishing simulation campaigns that captured credentials & data    

  1. FedEx – Package Delivery – 2,056 captures
  2. Office 365 – Suspicious Login – 1,736 captures
  3. COVID-19: SharePoint Webinar – 1,440 captures

Top 9 industries in which employees supplied their credentials in a phishing simulation 

  1. High-Tech & IT – 3,755
  2. Medical & Healthcare – 3,504
  3. Manufacturing – 1,801
  4. Non-Profit Organization – 1,758
  5. Education & Research – 1,522
  6. Finance & Insurance – 1,239
  7. Business & Professional Services – 1,144
  8. Retail & Ecommerce – 1,046
  9. Legal – 704

Total number of credentials submitted in simulations in 2021 – 23,353




Employees Can’t Click on Phishing Messages They Don’t Receive 


The best way to keep employees from unleashing cybersecurity disasters by falling for the bait in phishing messages is to prevent that phishing message from making its way to them unchecked.  

Graphus is an automated, AI-powered email security solution that isn’t going to fall for cybercriminal tricks. It intelligently sorts and filters the emails that come into a company’s environment to determine which ones are safe and which ones are suspicious. How does it do that? With a patented machine-learning algorithm that learns each company’s unique communication patterns and refines its own judgment criteria, tailoring that company’s protection now and in the future.

  • TrustGraph® automatically detects and quarantines malicious emails that might break through an organization’s email security platform or existing Secure Email Gateway (SEG), so the end-user never interacts with harmful messages.     
  • EmployeeShield® alerts recipients of a potentially suspicious message to danger that they may not notice by placing an interactive warning banner at the top that allows users to quarantine or mark the message as safe with a single click.     
  • Phish911™ empowers employees to proactively report suspicious and unwanted emails for IT to investigate, reducing your exposure to potential disaster.
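As an added illustration of the three decisions the bullets above describe (quarantine a message outright, deliver it with a warning banner the user can act on, or deliver it as normal), here is a small Python model that learns an organisation's usual sender domains and sender-to-recipient pairs from a mail history and then classifies new messages against that baseline. It is example code written for this page, not Graphus's patented algorithm or any part of its product: the domain company.example, the HISTORY list and the sample messages are all constructed, and the three rules it applies (display-name spoofing of an internal mailbox, typosquatted lookalikes of trusted domains, first contact from an unknown domain) are a deliberately simple stand-in for a learned model.

```python
from collections import defaultdict
from email.utils import parseaddr

# Assumed protected organisation (constructed for this illustration).
INTERNAL_DOMAIN = "company.example"

# Constructed history of (sender, recipient) pairs this organisation has
# exchanged mail with; a real deployment would learn this from mailbox logs.
HISTORY = [
    ("alice@partner-corp.example", "bob@company.example"),
    ("alice@partner-corp.example", "bob@company.example"),
    ("billing@vendor.example", "finance@company.example"),
    ("ceo@company.example", "bob@company.example"),
]


def build_baseline(history):
    """Learn which sender domains and sender->recipient pairs are normal here."""
    domains = defaultdict(int)
    pairs = defaultdict(int)
    for sender, recipient in history:
        sender, recipient = sender.lower(), recipient.lower()
        domains[sender.split("@")[1]] += 1
        pairs[(sender, recipient)] += 1
    return {"domains": dict(domains), "pairs": dict(pairs)}


def edit_distance(a, b):
    """Levenshtein distance; a domain one edit away from a trusted one is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=1):
    """Return the trusted domain that `domain` impersonates, or None."""
    for known in known_domains:
        if domain != known and edit_distance(domain, known) <= max_distance:
            return known
    return None


def classify(message, baseline):
    """Return 'quarantine', 'warn' or 'deliver' for a message with From/To headers.

    quarantine: never shown to the user (the TrustGraph-style decision)
    warn:       delivered with a banner the user can act on (EmployeeShield-style)
    deliver:    matches the organisation's learned communication pattern
    """
    display_name, sender = parseaddr(message["from"])
    _, recipient = parseaddr(message["to"])
    sender, recipient = sender.lower(), recipient.lower()
    if "@" not in sender:  # malformed sender address: never show it
        return "quarantine"
    domain = sender.split("@")[1]
    known_domains = set(baseline["domains"])

    # Display-name spoof: the name of an internal mailbox on an external address
    # (the classic business email compromise lure).
    internal_names = {s.split("@")[0] for s, _ in baseline["pairs"]
                      if s.endswith("@" + INTERNAL_DOMAIN)}
    if domain != INTERNAL_DOMAIN and display_name.strip().lower() in internal_names:
        return "quarantine"

    # Typosquatted lookalike of a domain the organisation already trusts.
    if lookalike_of(domain, known_domains) is not None:
        return "quarantine"

    # This exact relationship, or at least this domain, has been seen before.
    if (sender, recipient) in baseline["pairs"] or domain in known_domains:
        return "deliver"

    # First contact from an unknown domain: let it through, but flag it.
    return "warn"


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    samples = [  # constructed messages
        {"from": "Alice <alice@partner-corp.example>", "to": "bob@company.example"},
        {"from": "billing@vend0r.example", "to": "finance@company.example"},
        {"from": "CEO <ceo@freemail.example>", "to": "finance@company.example"},
        {"from": "IT Support <help@random-host.example>", "to": "bob@company.example"},
    ]
    for m in samples:
        print(f"{m['from']:45} -> {classify(m, baseline)}")
```

The ordering of the checks matters: spoofing and lookalike tests run before the "have we seen this before" test, so a typosquatted domain is quarantined even if it has slipped through once and landed in the history. A real system would also feed user reports (the Phish911-style button) back into the baseline, for example by removing a reported sender from the trusted pairs.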

Stop phishing immediately with Graphus – the simplest, most automated and most affordable phishing defense available today.


Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.