TECH INTELLIGENCE: QR, Q.E.D.

How a layered defense can guard against the dark side of email

Carl Mazzanti, April 8, 2024

Cybersecurity

PHOTO: DEPOSIT PHOTOS

Businesses love email, because it is a fast, inexpensive communication tool. But cyber criminals love it too, because for them, email can represent an efficient, inexpensive attack vector. In fact, more than 90% of cyber attacks start with email, according to some reports.

Hackers are getting better, but businesses are not keeping up with email security. To counter this disturbing trend, organizations must modernize their email and other security practices. But to build an effective defense, security teams need to first know the nature of the dangers they face. It helps that experts have identified several key email threats, and solutions, for 2024.

Phishing emails, a type of social engineering, use fake messages that try to trick people into giving away personal information or downloading harmful software. These phishing attacks are always changing and can come through emails, texts, phone calls, or websites. Today, artificial intelligence lets threat actors easily make their attacks extremely convincing.

Quishing, or QR code phishing, is another growing threat. A QR (Quick Response) code is an array of black and white squares or pixels set in a grid that stores data for a machine to read. You can use them to send and receive payments and for scores of other activities. QR codes are more popular now due to online shopping — and scammers are sending fake QR codes in phishing emails, tricking people into scanning them.

The stated reason could be to confirm a security notice, verify a security alert, share a document or exchange a file. However, scanning the QR code with a camera could lead to downloading malicious software that may steal personal information or damage your devices. In late 2024, more than 25% of QR code attacks were fake MFA [multifactor authentication] notices, while around 20% were fake alerts about a shared document, according to published reports.

Hackers are also getting better at tricking people with malicious “spear phishing” emails. They might deliver an email conversation that looks like it is between someone you know and someone from another company. The goal is to trick the target into downloading harmful files or taking other actions that put their digital assets at risk.

Email threats can also include fileless attacks, in which deceptive links or attachments trigger an exploit without writing any file to disk. These attacks typically run their actions through legitimate system components and tools, such as the Windows registry, rather than through a downloaded executable. This approach allows them to bypass traditional antivirus scans, leaving no discernible attack traces until they have done the damage.

A good email cybersecurity plan begins with strong passwords. Policies should include requiring a mix of uppercase and lowercase letters, special characters, and no repetitive or sequential passwords like “12345678.” Finally, long passwords or passphrases greatly improve password strength. National Institute of Standards and Technology password guidelines advise checking user passwords against breached password lists.
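A small policy checker that implements the rules just listed, added here as an illustration (it is not code from the column or from eMazzanti): the minimum length of 12 and the three-entry breach list are assumed values, and the list is built inline from SHA-1 hashes of constructed sample passwords.

```python
import hashlib
import re

# Constructed breach list (hypothetical): SHA-1 hashes of a few sample passwords,
# standing in for the full breached-password corpus NIST recommends checking against.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password1!", "Welcome2024!", "Letmein#1")
}

MIN_LENGTH = 12  # assumed threshold; the column only says "long"


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (e.g. '1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repetitive_run(pw: str, run: int = 3) -> bool:
    """True if one character repeats `run` or more times in a row (e.g. 'aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw: str) -> list[str]:
    """Return every policy violation; an empty list means the password is accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs at least one special character")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as '1234' or 'abcd'")
    if has_repetitive_run(pw):
        problems.append("contains a repeated character run such as 'aaa'")
    # Compare hashes rather than plaintext so the breach list never holds raw passwords.
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("12345678", "Password1!", "correct-Horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

A long passphrase passes every rule, while the short sequential example and the breached sample each come back with a concrete list of reasons for rejection.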

But strong passwords alone will not provide sufficient protection. Organizations should also implement a layered cybersecurity approach that features software and other automated defenses. One suggestion: multifactor authentication, where you use more than one credential across mobile and other devices to confirm your identity when logging in or making a transaction.

Another defense is email filters that can stop harmful messages before they reach you. Defense systems should also block dangerous file types, URLs and QR codes that can lead to harmful websites. Organizations can use DMARC [Domain-based Message Authentication, Reporting and Conformance], which builds on the DKIM [DomainKeys Identified Mail] and SPF [Sender Policy Framework] standards, to help prevent email spoofing and tampering, ensuring email integrity.
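As an added example (not from the column), a check of a domain's published DMARC and SPF records for the weak settings a defender would want flagged: a monitor-only p=none policy, a partial pct, and an SPF record that ends in softfail. The domains and TXT answers are constructed inline in place of real DNS lookups, and DKIM signature verification is out of scope.

```python
# Constructed DNS TXT answers for hypothetical domains; no real lookups are made.
SAMPLE_TXT = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "weak.example": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100",
    "strict.example": "v=spf1 ip4:192.0.2.10 -all",
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; ...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_domain(domain: str, txt: dict = SAMPLE_TXT) -> list[str]:
    """Return the weak settings found; an empty list means both records enforce."""
    findings = []
    dmarc = txt.get(f"_dmarc.{domain}")
    if dmarc is None or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("no DMARC record: receivers are never told to reject spoofed mail")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none is monitor-only: spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is spam-foldered, not rejected")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    spf = txt.get(domain, "")
    if not spf.lower().startswith("v=spf1"):
        findings.append("no SPF record: receivers cannot check the sending source")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: every sending host passes")
        elif last == "~all":
            findings.append("SPF ends in ~all (softfail): spoofed mail is only marked, not failed")
        elif last != "-all":
            findings.append("SPF does not end in -all: unlisted senders are not hard-failed")
    return findings


if __name__ == "__main__":
    for d in ("weak.example", "strict.example"):
        print(d, "->", audit_domain(d) or "enforcing")
```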

Training programs are another component of a layered defense. Employees should be taught to question QR codes, links and attachments, even if they seem to be from a trusted source. And they should report any hacking attempts to designated individuals. Personalized security awareness training – tailored to specific teams and individual roles – represents another layer. And this training should include immersive experiences, such as phishing simulations that engage users and test their understanding.

Nation-state actors and other cyber criminals are leveraging artificial intelligence to develop increasingly sophisticated email and other threats. But businesses can work with cybersecurity managed services providers to create customized defense strategies based on their specific needs and resources.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, providing IT consulting and cybersecurity services for businesses ranging from home offices to multinational corporations.