Date: 2021-06-21

This year is the fiftieth anniversary of the first email in history. In 1971, an American engineer, Ray Tomlinson, invented a new form of direct communication. Tomlinson's creation has become both the most used communication channel, and the main vector of cyber threats in our lives.

By Lucia Milică, Global Resident CISO, Proofpoint

With the advent of social networks and workplace chat apps, many predicted that email would become extinct. They were wrong. Email remains the main digital communication channel in the world. Nearly four billion users send more than 300 billion emails every day, almost evenly split between professional and social use.

The inspiration for email was associated with a U.S. Department of Defense project (ARPANET) in the 1960s that was the forerunner of the Internet. Engineers working on this network could leave notes in electronic mailboxes. Less than ten years later, ARPANET employee Ray Tomlinson imagined a more direct form of communication by allowing users to send messages to each other. Email was born.

This unique form of communication first gained popularity in universities, government offices, and corporate communications, but email did not become widely popular until the 1990s, with the launch of the first free web-based service allowing graphical print simulations and designs. Since then, email has established itself as an essential business ally, prized not only for its simplicity, agility, and accessibility, but also for its tremendous ability to quickly reach a large audience. But as email has become more accessible to the public, companies have taken the tool a step further in their marketing efforts, at times saturating email recipients.

The scourge of spam and a computer virus epidemic

The first unsolicited email, known as spam, arrived early in its history. A marketer for a computer brand new to the American market thought of using email to invite ARPANET users to a product demonstration. He wanted to avoid sending identical messages one at a time, so to save time and duplicative effort, he put several hundred addresses directly in the "recipient" field, creating the first unsolicited bulk mailing.

Mass mailings were like the American Wild West. With no laws or rules to control the practice, spam had wildly proliferated by 2010, when an average of 90% of email messages were spam. The email ecosystem finally developed numerous defenses against the scourge, such as shutting down botnets, implementing certifications, scoring sender reputation, and having email operators deploy anti-spam filters.

But this was done largely without considering the excesses of the Internet itself, on which email is built. As the Internet became more democratic, its development continued. Speeds increased, bandwidths expanded, and the number of Internet users grew exponentially. By the end of the 1990s these technological advances, coupled with the massive use of electronic messaging, made email an excellent vector for propagation. For malicious actors, the temptation to spread computer viruses as widely and quickly as possible proved overwhelming.

The Ska worm was the first email virus, spreading from computer to computer. When recipients clicked on an attachment, they opened a window displaying an animated firework. Perhaps that is why the virus was also known as Happy99. Other destructive viruses followed, such as Melissa, which posed as a list of passwords to porn sites. But when the victim opened it, the virus sent itself to the user's contact list, many of whom clicked on it themselves, creating a spiderlike virus web that even infected American government services. Soon after Melissa, the ILOVEYOU virus infected thousands of private computers, corporate networks, and governmental institutions such as the Central Intelligence Agency (CIA) and the British Parliament in a matter of hours. Many system administrators were forced to shut down their email servers, but the damage had been done: one out of every ten computers connected to the Internet worldwide had been infected.

Ransomware practices then became prevalent, with WannaCry in 2017 essentially shutting down more than 300,000 computers in a few hours in nearly 150 countries. Cybercriminals demanded payment in Bitcoins, otherwise threatening to destroy all data in the infected computers.

Social engineering or psychological hacking?

Fast forward to today, and more than 90% of cyberattacks start with email. Threat actors have become experts at tricking their email recipients into clicking malicious links and disclosing personal financial and medical information via fraudulent emails. This practice is called "phishing." Almost all phishing emails share one thing in common: they need humans to interact with them, such as by clicking or opening attachments. This demonstrates the importance of social engineering, the psychological hacking that persuades recipients to click on a link in the email or its attachment.

Social engineering techniques have been used by cybercriminals since the emergence of the first computer viruses and have been constantly perfected. The aim of the threat actor is to destabilize the recipients and encourage them to make a wrong decision, such as entering their personal codes to access financial, shopping, or governmental websites.

Cybercriminals rely on several triggers to cause self-destructive behavior by the recipient of a poisoned email. The first lever is emotion. In his book "Thinking Fast and Slow," Daniel Kahneman describes two distinct systems of thought: the emotional and intuitive process, and the slower process of rational logic. Criminals seek to spark emotions in their victims that make them click quickly in response to the message, ignoring the use of reason: for example, "your Netflix account is about to be suspended" or "your payment has been refused."

They also play on the recipient's fatigue. Many cyberattacks on businesses occur on Friday afternoons, when users are tired from their workweek and let their guard down before the weekend. When our brains are tired, we delegate what appear to be easy choices to lower, more automated brain functions. Cybercriminals who breach on Friday can use the entire weekend to exploit their access, during which time a victim company is less likely to react.

The third lever cybercriminals exploit is trust. When faced with a choice, our brains generally opt for the solution that will inspire the most confidence. Therefore, criminals spoof many trusted brands, such as "DHL" or "Netflix," rather than lesser-known delivery or streaming services. They know that unsuspecting users will look at where a link redirects them before clicking: recipients are four times more likely to click on malicious links if they point to Microsoft SharePoint and ten times more likely to click if they point to Microsoft OneDrive.

Goal: Protect email

Email is here to stay, so we must do everything possible to protect ourselves and circumvent the onslaught of cybercriminals who are more motivated to exploit users and businesses. Fortunately, cybersecurity companies, Internet providers, and corporations have employed many initiatives to counter these threats and make the email infrastructure more "natively" secure.

The implementation of the DMARC (Domain-based Message Authentication, Reporting & Conformance) standard is one of the most emblematic initiatives. Major email operators such as Google, Yahoo!, AOL, and Microsoft created DMARC in 2012. It is a powerful weapon in the fight against spoofing and phishing. DMARC allows for proper authentication of senders, thereby protecting employees, customers, and their partners from cybercriminals who impersonate a trusted brand.

DNSSEC, the DNS security extensions deployed from the 1990s onwards, have also made a significant contribution to securing email. Since the Internet itself depends heavily on DNS, these extensions make it possible to strengthen the security of all interactions, such as web pages consulted, emails sent, or photos retrieved from social networks. Other protocols, such as TLS (Transport Layer Security) encryption, continue to develop and will undoubtedly be powerful weapons used more and more systematically in the future.

Finally, as humans will remain in the eye of this ever more violent storm, we must continue to work to protect ourselves. Companies can no longer avoid a comprehensive cybersecurity strategy focused on people and their potential for unwitting self-destructive email behavior, requiring regular and thorough awareness and training programs.

Defending against a global cyber war

While all the intentions and actions to protect email are commendable, one can legitimately wonder, in light of the recent SolarWinds-type attacks, whether our present planning and execution of security goals will be sufficient to avoid a much more intensive cyber war on a global scale.

Even Microsoft was very recently attacked by a highly skilled, possibly government-sponsored group that tried to steal information from some of the world's most prestigious institutions. This poses an existential threat to the entire global economy because of its dependence on this universal operating software.

What happens if the upcoming Microsoft Patch Tuesday release goes live under the control of a third-party attacker? If that patch affects all the Windows-based computers in the world, the problem is immeasurable and probably irresolvable after the fact.

Too important to fail

Email has become an indispensable tool for businesses and an irreplaceable link for families and friends. Fifty years on, it is nearly impossible to imagine what the world would be like without it. Yet because of its associated problems and security vulnerabilities, we must safeguard our reliance on the medium. It is simply too important for us to allow it to fail. This essential form of global communication and commerce must be saved. And we are the ones to do the job.

