Think Your Secure Email Gateway Protects You from Phishing? Think Again

Posted by Stephen Ferrell
Stephen Ferrell

A quick google of the term 'Secure Email Gateway' (SEG) yields an astonishing 106,000,000 hits.

2019 Special Phishing Report

Equally surprising is that many of the top SEG providers were evaluated in our 2019 Special Phishing Report. The analysis in our report found 16,000 successful phishing email deliveries, that, in every case, sailed through the SEG's who all self-advertised as phishing solutions. The question is, how is it possible that applications that advertise themselves as phishing solutions can let these attacks slip through?

How do Secure Email Gateways (SEGs) let Phishing Attacks Slip Through?

Part of the reason is that SEG's are often built on legacy technology using methods and algorithms that have long past their sell-by date, in other words, their phishing solutions are solving yesterday's problems, not today's and certainly not tomorrows.

In the early days of phishing, nefarious emails were generally delivered as large generic mass spamming events, and they mostly followed a pattern, odd word usage, generic calls to action and questionable grammar and spelling were all easy giveaways for nascent phishing solutions.

Since the spam emails were so similar to each other, the early phishing solution providers were able to build statistical algorithms to hunt for and identify these flavors of email, and hunt they did, in most cases very successfully. However, phishing attacks have evolved to the point where today they are far from generic, they cloak themselves like legitimate messages, stealing terminology and iconography from your cell phone company, your bank, your credit card and sometimes your boss.

SEG based Phishing Solutions are, for the most part, woeful at catching CEO and C-Suite impersonation. Many of the successful Phishing attacks we noted in our 2019 Special Phishing Report are structured in such a way as to lead unsuspecting employees to do the bidding of a superior.

Another commonality is the tendency for the SEG Phishing solution application providers to cruise the phishing aggregator sites to add reported phishing attacks to their filtering algorithms.

Consider that for a second - after a phishing attack has occurred, the Phishing Solution gets updated – AFTER!

Locking the gate after all the horses have left doesn't do much for the ones that got away. All it takes is one successful phishing attack to cost an organization millions of dollars in hard currency, not to mention the reputational cost, customer trust issues, and internal moral problems.

When we did the data analysis for our 2019 Special Phishing Report, we weren't surprised that the questionable phishing solutions weren't being totally successful at filtering out fraudulent emails. After all, the FBI estimates the annual losses to successful phishing attacks to be in the billions of dollars, but we were shocked though by the sheer volume. The three widely-used SEGs we examined in our 2019 Special Phishing Report allowed over 16,000 malicious emails through in four months over three different customers!

Fake emails from ATT, PayPal, Microsoft, Intuit and eInvoice Connect all smoothly sailed through the SEG's alleged phishing solution defenses and would've made it right into the customer's inboxes if INKY wasn't the last line of defense. Some of them even came with a green 'trusted' sender banner – shocking.

Many CISO's are paying a premium for SEG phishing solutions that are not effective, a 16,000 phishing detection swing in INKY's favor is not statistical noise – it's a phishing landslide.

Phishing attacks are not black and white anymore; they are fifty shades of grey and more. In addition to our advanced filtering technologies and unlike traditional SEGs, INKY uses a ternary rather than binary classification scheme. Our approach gives end users more insight and understanding, effectively training and conditioning your entire user community with every email received every time.

Adding some color to the grey is our anti-phishing banner system which allows email administrators flexibility to determine which emails to quarantine and which to flag with a warning banner.

Here are brief descriptions of our three classifications:

  • SafeThese are neutral emails that INKY would typically add a gray banner to. These emails are predicted to be legitimate messages and are considered safe for the end-user to act on. As noted for the emails analyzed in our 2019 Special Phishing Report, we agreed with the SEG's over 200,000 times.
  • Caution - These are emails requiring warning or specific guidance. These may meet specific negative criteria, may appear, unlike regular mail for the purported sender, or maybe legitimate emails with sensitive content — such as a wire request — requiring a company policy reminder. INKY adds a yellow banner to the top of these emails. Our SEG friends don't do this; all the emails we flag with caution passed through the SEG phishing solutions as being safe.
  • Danger – These are emails for which INKY has high confidence of malicious intent, generally determined via INKY's computer vision, artificial intelligence, and machine learning engines. We manually verified these to ensure they weren't false positives. Customers configure whether these emails are delivered with a red banner or are moved to quarantine; INKY supports either behavior. Per our 2019 Special Phishing Report, this is where the SEG's failed most spectacularly, allowing our now infamous 16,000 phishing attacks into the legitimate email pool.

 

SEG's aren't working as advertised. How much longer can you afford to let phishing attacks pepper your company and your email users?

INKY's advance technology suite brings a potent triple threat to the war on phishing. Computer Vision, Machine Learning, and Artificial Intelligence all combine to make sure that the 16,000 phish that beat the SEG phishing solution filters went nowhere.

We can have your entire organization protected, sometimes in less than an hour. Take a demo today and turn the tide on phishing attacks.

INKY Phight Phish.

 

Topics: phishing solution