Karl Knowles is Global Head of Cyber at international law firm HFW. Tessian’s Customer Success Manager, Amelia Dunton, spoke to Karl about building defense in depth to combat advanced inbound attacks.
One of the first things we need to consider is that email isn’t going anywhere—despite the fact that everybody wants it to go somewhere. It does seem to be the main preference of communication, and for all different businesses and industries—not just in legal.
But since the pandemic, there’s been a huge spike in email threats, as we all know. In fact, Mimecast pushed out a report where they had detected a 64% increase in email attacks as people move towards more hybrid environments.
And what we’ve seen, and what we continue to see, are increased impersonation attacks… You have to see Microsoft, Google, Dropbox—they’re all being impersonated on a daily basis. In fact, impersonation attacks account for nearly half of our email attacks that we receive. And then, of course, we’ve got the issues around domain spoofing and account takeovers all becoming more sophisticated—more difficult to see.
And certainly, you need to be conscious at all times when you receive an email. You need to take a breath—you need to take a bit of time, and you have to look at it. But that’s not always the case, and it’s never as easy as just taking that time, taking that moment. Because, as you know, the domain impersonations are very realistic. Some of the emails have been crafted better, so you need something else to help you with that.
Well firstly, it’s about evolving threats. And as we evolve our defenses, we’ve got to remember our adversaries are doing the same. Their TTPs are changing all the time, so we need to be on our toes. And we’ve seen the examples of this, as I mentioned before, with the amount of impersonation attacks—where people email from other locations purporting to be from areas where they are registered. And this is where we need to be warning our users.
But we’ve also seen new domains being spun up. Why shouldn’t you be allowed to create a domain if you know how? It doesn’t mean to say that just because you’re creating an email domain, you’re going to use it for nefarious reasons. But the secure email gateway itself won’t just put that domain on a blacklist—and nor should it. Because, just because a domain’s been spun up, it doesn’t mean to say it’s malicious.
So that’s where you need something like Tessian Defender to kick in—because the SEG isn’t going to block it. It’s going to say, “Well, actually, just because you’re new, doesn’t mean to say you’re malicious.” But then what Defender will do is, it will just prompt you as you receive that email to say: “Hey, you know this is the first time your organization has seen this new domain?” So it just acts as a bit of a pause.
But this will also pick up when your normal sender’s domains come from a different location. As I said before with account takeovers, you can be communicating with an organization from Hong Kong, and you can have regular emails—maybe a dozen a day—and all of a sudden, an email comes from that domain—but it’s not in Hong Kong, it’s in The Netherlands.
So you need something to do that—because the secure email gateway isn’t always going to pick that up. So you need a bit of a: “Hey, do you realize that this email has come from a completely different location to where that domain normally sends its emails from?”
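The two checks Karl describes above, a “first time your organisation has seen this domain” prompt and a “this domain normally sends from somewhere else” prompt, as an added illustration in Python. This is example code written for this page, not Tessian Defender’s code or any detail of how it works. It assumes the sending country has already been derived from the connecting IP in the message’s Received headers (that lookup is not shown), it uses a constructed history threshold `MIN_HISTORY`, and the inbound messages at the bottom are constructed sample data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

NEW_DOMAIN = "NEW_DOMAIN"              # first time this organisation has seen the sender domain
LOCATION_ANOMALY = "LOCATION_ANOMALY"  # known domain, but sending from a country never seen before

# Assumption for this example: a domain needs at least this many past messages
# before a change of origin country is treated as anomalous rather than as history.
MIN_HISTORY = 5


@dataclass
class InboundEmail:
    msg_id: str
    sender_domain: str
    origin_country: str  # assumed to be pre-computed from the connecting IP (ISO country code)


@dataclass
class SenderBaseline:
    """What the organisation has observed so far about each external sender domain."""
    seen_domains: set = field(default_factory=set)
    # domain -> Counter of origin countries seen for messages that were not flagged
    countries: dict = field(default_factory=lambda: defaultdict(Counter))

    def confirm_legitimate(self, domain: str, country: str) -> None:
        """Called once a user or analyst confirms a flagged message was genuine,
        so a real relocation of the counterparty becomes part of the baseline."""
        self.seen_domains.add(domain.lower())
        self.countries[domain.lower()][country] += 1


def check_email(baseline: SenderBaseline, email: InboundEmail) -> list:
    """Return the warnings a user should be shown for this message, updating the baseline."""
    warnings = []
    domain = email.sender_domain.strip().lower()

    # Check 1: newly observed domain. Being new is not the same as being malicious,
    # so this only prompts the user; it does not block. After this, the domain is "seen".
    if domain not in baseline.seen_domains:
        warnings.append(NEW_DOMAIN)
        baseline.seen_domains.add(domain)

    # Check 2: origin country differs from everything this domain has sent from before.
    history = baseline.countries[domain]
    if sum(history.values()) >= MIN_HISTORY and history[email.origin_country] == 0:
        warnings.append(LOCATION_ANOMALY)
        # Deliberately not recorded: a flagged message must not quietly become
        # part of the baseline; confirm_legitimate() is the explicit path for that.
    else:
        history[email.origin_country] += 1

    return warnings


def run_demo() -> dict:
    """Constructed sample traffic: a regular Hong Kong correspondent, then a message
    from the same domain originating in the Netherlands, then a brand-new domain."""
    baseline = SenderBaseline()
    sample = [InboundEmail(f"m{i}", "hk-lawfirm.example", "HK") for i in range(1, 7)]
    sample.append(InboundEmail("m7", "hk-lawfirm.example", "NL"))
    sample.append(InboundEmail("m8", "fresh-startup.example", "GB"))
    sample.append(InboundEmail("m9", "fresh-startup.example", "US"))

    results = {}
    for email in sample:
        results[email.msg_id] = check_email(baseline, email)
    return results


if __name__ == "__main__":
    for msg_id, flags in run_demo().items():
        print(msg_id, flags or "ok")
```

In the sample run, the first Hong Kong message is flagged only as a new domain, the next five build up history, the seventh is flagged as a location anomaly because six prior messages all came from HK and none from NL, and the new start-up domain gets the new-domain prompt once but no location warning on its second message, since one prior message is not enough history to call a change of country anomalous.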
Well firstly, we need to say that malicious emails aren’t going anywhere. They’re getting more and more sophisticated by the day—so we can’t think that, you know, one tool is going to fix everything. Maybe one day, but as it is at the moment—we’ve got to make sure that we have the technology just to protect our people. But we also need to make sure that our users—as the goalkeepers, as we refer to them, the “last line of defense”—know what their responsibilities are, as well.
Because for me, as a security leader—it’s all well and good, me showing them a warning. Tessian will show a warning if an account takeover is triggered, or it’s an official email, or it’s a newly-observed domain—which is really good, but unless the user actually does something with that, and reports that, or blocks it, then it doesn’t actually mean too much.
Because if they can continue to communicate with that malicious domain, then you’ve got yourself a problem—it doesn’t matter about the technology. So, the first thing is: it’s getting more sophisticated, but we need to work with our staff, our users, to make sure that they understand the important role that they play, and that they can’t just rely on technology. The technology’s there to support them, but it’s not the be-all-and-end-all.
We also can’t expect our users to spot these emails just with the naked eye. We’ve got to appreciate that they’re working now in more hybrid environments, using devices such as mobile telephones, iPads, laptops, computers. And each one of those will display things differently.
And depending on where they’re working, whether they’re working in a train, a cafe, at home, or in the office, what we’ve got to consider is the factors that are going on around them at that time: what their mood is, what stresses are going on at the time…
The people that want to gain something from them know this, and they will prey on our weaknesses, by using a sense of urgency, by crafting words correctly. And when you’re operating in such an environment, where you’ve got multiple things to consider and you’re doing a lot of things at the same time, this is when you need to take a step back and briefly just make sure you think before you click that link.
If you haven’t got that secure email gateway… if you haven’t got that machine learning at the top end of that, and then right the way back to the human layer—which is the goalkeeper—making it as easy as possible for them to make the right decision at the right time.