This article was first posted on the Twilio SendGrid Blog.
Twilio SendGrid’s 80,000+ paying customers generate more than 50 billion emails per month. When we reviewed the volume of email we process on behalf of our global customer base, it became apparent that we touch—on a rolling 90-day basis—half the world’s email users.
A footprint that massive only happens when compliance and the overall security of the world’s inboxes is addressed in a scalable and performant manner. In Q2 of 2019, Twilio SendGrid achieved a 99.99% Inbox Protection Rate.
Today, we’re excited to announce an improvement of two 100th’s of a percent, thus achieving four 9’s of protection for the world’s email ecosystem.
This improvement is significant.
When you consider the devastating effects that phishing attacks can have on an individual’s financial records and identity, those effects are vastly amplified when spear phishing is employed to compromise a businesses’ top management echelons.
Every bit counts!
Resting on one’s laurels is anathema to any security professional or organization that has a vested stake in ensuring their platform and technology isn’t used by bad actors. However, achieving scale means you inherit the problems of scale.
Twilio SendGrid developed a machine learning model based on Tensor Flow called, Phisherman, to identify phish in-flight and prevent the messages from being sent. When trained and set up correctly, machine learning models are virtuous circles that can be “taught” to correct their mistakes.
For the record, this isn’t Skynet. However, the more badness Phisherman is exposed to, the more accurate it becomes in detecting bad actors. Phisherman is further buoyed by human intelligence across several teams of specialists who examine false positives and manually reported incidents that may have flown under the radar.
By combining the scale of machine learning and the oversight of human eyes, Phisherman is constantly being improved in both its ability to stop attacks and ensure the timely delivery of wanted mail.
Not the only form of email abuse
Phishing is not the only form of email abuse; 419 scams, or as they’re more commonly referred to–Nigerian Spam, prey on an individual’s greed by promising them vast wealth for small up front fees or through the exchange of personally identifiable information (PII) which is then used to clear out their bank accounts.
However, phishing accounted for 90% of the world’s data breaches.
The average phishing attack costs a medium-sized business $1.6 million and that number goes up as businesses scale, not to mention the frequency of attacks also increase. Phishing is a distinct form of abuse that at its heart is a social engineering attack that even when directed at a small group can have grave consequences depending on the information that’s compromised.
As part of our continued work to prevent abuse and ensure the viability of the Internet’s first and most prolific communication channel, we’ve been focusing on the varieties of phishing and the sectors most targeted by these attacks:
Top Phished Verticals For Last 30 Days
- Cloud Services (email platforms, documents, storage and other cloud tools)
- Financial Services (banks, payment processors and other financial services)
- Education (attacks centered around university resources such as a bursar’s office)
It should come as no surprise that financial services companies such as banks and payment processors are the most phished sectors. It stands to reason that gaining access to a person’s financial data is a lucrative pursuit for cybercriminals.
However, compromising a person’s cloud services accounts, such as email and other tools we rely on as part of our digital lives, is less obvious. The most common forms of phishing we’ve seen over the last 30 days have taken the form of:
- Voicemail phish—you’ve received a voicemail, click here to listen to it—which links to a malware site or other exploit.
- Document phish—a shared document is sent with instructions to click here to view—which deploys an infection or other malicious attacks on the local machine.
Large retail and electronics brands continue to be in the crosshairs of cybercriminals because of the weight their brand carries in the marketplace. As I mentioned before, achieving scale means you inherit the problems of scale, and that rule applies across all fronts, even anti-abuse.
The educational phish category focuses on college students who are vulnerable to seemingly official notices from a university office or department. This is not unlike the way that older populations are targeted with IRS and medical scams. Phishing is a social engineering attack and the sophisticated phishers focus their content on the demographic they’re intending to defraud.
Understanding the evolution of attacks, and cataloging the various tactics employed by cybercriminals, is how we ensure our defenses are up to the task of maintaining a 99.99% Inbox Protection Rate.
And it works!
The reason phishing continues to be a problem is because it works! Based on 2016 research conducted by Verizon, 30% of recipients open phishing emails. Therefore, preventing phishing requires an all hands on deck approach.
From email service providers to brands with a dedicated recipient base, everyone has a vested interest in decreasing the efficacy of this attack vector and safeguarding our inboxes. What can you as a sender do about phishing? Here are a few things you should consider:
- Make sure that your SPF, DKIM and DMARC are correctly aligned and at enforcement. This will not stop your brand from being phished per say, but it will make it harder, and depending on the kind of attack, it may prevent it all together. By leveraging email authentication and ensuring that your DMARC policy is set to quarantine or reject, you are essentially telling the receiving domains that if your email fails an SPF or DKIM check (not you sending, or the content has been tampered with), don’t deliver it. Despite the massive adoption of these technologies by the mailbox provider community, the uptake in the private sector has been slow according to 250ok.
- Don’t use your email as a blunt force tool. That’s what spammers and cyber criminals do. Personalize your emails to ensure that from the subject line to the greeting and calls to action, you know your recipient. This is something that phishing emails commonly lack: personalization. With the exception of spear phishing, which tends to be highly researched, targeted and individualized, phishing attacks are spray and pray blasts to scraped lists, stolen address books or other ill-sourced email addresses. By taking the time to create personalized experiences, you’re actually creating the expectation that your brand knows your recipient. Things that seem out of the norm may bubble up as potentially fraudulent. Good email habits breed increased awareness of abuse and that’s good for the entire mailbox ecosystem.
- Educate your employees on how to spot the telltale signs of phishing attacks: poorly written verbiage, odd requests for approvals of funds, or warnings within the email client that something may be dangerous to open. Empower your employees to not open attachments out of habit and seek guidance from IT and InfoSec professionals.
Create a structure for reporting a potential Business Email Compromise (BEC) and conduct internal training and testing of your employee base through phishing simulations conducted by an InfoSec team or third party vendor. BEC attacks have been on the rise according to FBI statistics.
These kinds of attacks can lead to data breaches and the compromise of customer personal identifiable information (PII) not to mention massively impact a company’s bottom line.
Inbox Protection Rate Methodology
The Inbox Protection Rate is a measure of email that transits Twilio SendGrid’s servers deemed to be legitimate, non-phishing email sent by legitimate businesses. The Inbox Protection Rate is not a measure of spam or how that email is received, since spam is subjective. In addition to analyzing outbound messages, Twilio SendGrid analyzes email bounces indicative of phishing and other forms of delivery issues.
Twilio SendGrid manually reviews suspended accounts to determine whether a sender has been phishing. Each account found to contain phishing content is terminated and tagged as phish. Twilio SendGrid then counts the sum of messages delivered via tagged accounts as phish, and incorporates the phish into its automated defenses to improve their efficiency, robustness and detection rate.
Phisherman is a machine learning model built in-house at Twilio SendGrid and created from our vast knowledge of abusive email content to catch phish in our mail pipeline. Phisherman utilizes a trained TensorFlow neural network to determine the probability that any given piece of email is phish using genericized word-to-vector comparisons to identify patterns in large data sets that are then compared against a carefully crafted model designed to isolate phish from good mail.
Len Shneyder is a 15+ year email and digital messaging veteran and the VP of Industry Relations at Twilio SendGrid. He can be reached at lshneyder [at] twilio.com.