
Email Security is the Overlooked Step in Cybersecurity

Josh Bartolomie talks about email security, phishing, and what businesses get wrong about security.

Cybercriminals these days are doing their homework. They study how companies, organizations, and individuals create emails, and they design theirs to match. It takes time to verify if an email is authentic, and many employees just want to do the task and get it off their plate. Email security isn’t new or flashy or the next cool thing, so many organizations just do the minimum required for compliance. But solid email security can stop many threats in their tracks.


See Phishing Attack Awareness and Training with Josh Bartolomie for a complete transcript of the Easy Prey podcast episode.

Josh Bartolomie has worked in cybersecurity since the late 1990s. He got his start doing IT work as a civilian defense contractor on an Air Force base. Some government contracts needed technical people for a cybersecurity project. At the time, Josh didn’t have formal education in security – that long ago, there wasn’t much available – but his technical knowledge got him started. He did digital forensics and taught cybersecurity principles to law enforcement for a decade. A little over six years ago, he joined Cofense Email Security as their Director of Research and Development. Since then, he’s risen through the ranks. Now he is Cofense’s Vice President of Global Threat Services, where he heads their managed services and overall threat services.

Email Security is Still a Concern

We’re now nearly thirty years into email scams and phishing being a problem. And email is still one of the primary methods of security breaches. Josh likes to explain this with a quote from Willie Sutton, a famous bank robber. When asked why he kept robbing banks, Willie responded, “That’s where the money is.” People are on email, so that’s where the scammers and cybercriminals target.

Email is easy because I can send out a million emails. Even if I get a 1.2% rate [of] victimization, that’s still huge.

Josh Bartolomie

We used to get chain letters in the mail, and “Nigerian prince” and 419 scams came in as physical letters. Those translated great to email. Like any widespread technology, any kind of security advancement for email is a challenge. Many initiatives for making email more secure haven’t really taken off because there’s such a large global infrastructure around it. It’s difficult to do anything quickly.

Email is also the lifeblood of most organizations now. It came to the forefront during the pandemic, when many offices went suddenly remote. Now many workplaces are staying remote or working on a hybrid model. When not everybody is in the office at the same time, email and chat messaging are how you communicate with your team. Attackers are going to be wherever there are a lot of people. And just about everybody is on email.

Why Email Security Is Challenging

Many people don’t realize there are different types of threat actors when it comes to email-based attacks. One type is the crime syndicate. These groups do nothing but commit these kinds of attacks. Some are nation-state sponsored, but others are just criminal groups. The other is what are called “script kiddies” – opportunistic people who don’t have a ton of technical knowledge and are just trying things to see what happens.

The more coordinated groups run themselves like a business. They keep an eye on what’s happening, what the security community is doing, and what new email security tactics are out there. And they’re constantly changing their tactics to get around security methods. And our increasing reliance on email without increasing our email security is putting us at risk.

Criminals are Targeting You Specifically

Threat actors are doing their research. Josh uses Microsoft Office 365 for his email client. He recently got a phishing email saying that he needs to change his Office credentials. The attackers know he uses Office 365 for his email. They’re doing their research and targeting people. A lot of what we do is available on the internet, and it only takes a little research to figure out what email client your business uses. They can use that to build a sophisticated targeted email that looks like it’s coming from your IT team.

Many people assume that phishing is static. The phishing email Josh got recently is the same kind of phishing email he might have gotten twenty years ago. The goal is the same. But what’s different is what goes into it. The criminals do their research to make sure they’re not sending a Gmail error to someone with an Outlook account. They craft emails more carefully and more realistically. And they use different tricks and techniques to get around the email security systems already set up. All of those aspects are constantly evolving.

A lot of people have the misconception that phishing is static. … The goal is the same, but the actual email, the tactics, the checks [are] constantly evolving.

Josh Bartolomie

Every week, Josh sees variations on decade-old themes getting through, reaching inboxes, and being exploited to compromise passwords and accounts. We need to have blocks and barriers in our processes as a form of email security to avoid losses. It’s like home security – the goal isn’t to stop a crime in progress as much as to dissuade them from doing it in the first place or delay them long enough to get caught. The same is true for email security.

Employees and Email Security

Employee behavior is a large factor in email security. One of the risks is a malicious insider. A disgruntled employee within the company may intentionally click a malicious link or install malicious software. That’s a different kind of risk that many people don’t consider when they think about email security.

Much of the risk around email security is employees who don't know the current threats.

More often, though, the risk is a normal user who doesn’t know the current threats. It looks like an email from the IT team, and they just don’t know why they shouldn’t click the link. A lot of people are just busy. They want to get it done and off their plate, and they don’t have time to verify it. They’re just going to do what the email asks. It’s a mixture of factors that adds up. There are always improvements, and we’re better at email security now than we were ten years ago. But so are the cybercriminals targeting us.

We’re doing a lot better than we did 10-15 years ago, [but] so are the attackers.

Josh Bartolomie

Modern Phishing is Unique

A lot of scam detection involves looking for patterns. But with modern tools, phishing emails are unique and the patterns change. Look at what’s happening with artificial intelligence and machine learning. A criminal could set up a large language model (LLM) AI, teach it with data from a company website and published emails, and create an AI that writes emails exactly like the company would. If a data breach exposed some of the company’s emails, now they have even more data to create even more realistic communications.

Attackers are leveraging the same things the businesses are trying to leverage because they’re handling [phishing] like a business.

Josh Bartolomie

Attackers can and do use all the technological advancements that businesses use, because they’re treating compromising your email security like a business. They’ll use all the tools at their disposal and tailor the messages to you. Josh sees it happen all the time. Recently, a few customers had malicious actors get into their infrastructure through malicious phishing links. Luckily those threats were dealt with quickly, but these attacks happen frequently.

Phishing Targets Everyone

Some people assume that cybercriminals want to target the people at the top or the people in accounting or finance. But phishing targets everyone. It’s not so much random as it is opportunistic. That’s why email security is essential for everyone in an organization. A janitor might not have the ability to wire someone money, but if a criminal can get into the system through a janitor’s account, they could get a lot of places where they shouldn’t be.

Really, everybody’s a target, I wouldn’t say there’s anybody that isn’t a target.

Josh Bartolomie

Josh has what he calls a “phishing almanac” because, believe it or not, who is most targeted depends on the time of year. Especially in the United States, the end of the year is a big time to target HR and ordinary employees. Everyone is doing their annual benefits enrollments, which commonly makes them think to update their W2s and direct deposit information. All those changes are a great opportunity for scammers to slip in. Finance teams tend to get targeted towards the end of quarters and at the end of the fiscal year when they’re trying to wrap up invoices.

They’re also opportunistic with information they get. Cofense recently had a booth at a conference, and Josh went to man the booth and attend the conference. Phishers buy lists of attendees, so they knew he was there and what talks he went to. Now he’s getting phishing emails saying, “I don’t know if you remember me, we met at such-and-such a talk at this conference, I’ve attached my resume that we talked about.” And the file attached is malicious. They use whatever techniques they think will work to get them what they want.

How Companies Can Improve Email Security

The biggest thing any company can do to improve their email security and protect against phishing is to not be an ostrich. Don’t put your head in the sand. Know that it can and does happen. And if it does happen, don’t sweep it under the rug. Communicate it with the company. It’s a humbling thing to admit that you’ve been a victim, but it’s also a great educational opportunity. Josh has been a victim himself multiple times, and he does this for a living. It can happen to anyone.

Don’t put your head in the sand. Acknowledge that [phishing] can happen and does happen.

Josh Bartolomie

You can't improve email security if you can't admit that phishing can and does happen - even to you and your company.

Better Security Awareness Training

Cofense was one of the first pioneers in phishing simulations, so they’ve seen firsthand how much training your employees can help with email security. Don’t just do the training for compliance. You need it for compliance, but make it actually useful. So many companies provide training with examples from ten years ago. Instead, use new phishing tactics. Get your employees familiar with the real attacks that are happening right now. If you can use ones that targeted your company, or even that successfully got into your company, that’s even better.

A lot of email security and the training about it comes down to slowing down and looking. Josh’s wife owns a website, and he hosts it. At one point, she got an email from a “web administrator” saying her account needed to be reset. She asked him why he did that, and he knew immediately that he didn’t and it was phishing. So they looked at it together. The sender’s domain was it-support-forfree.com – Josh had no idea what that was. And when she hovered over the link, that URL was unfamiliar, too. Sometimes it just comes down to the basics. The basics of email security are still great basics.
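The two basic checks in that story (look at the sender’s actual domain, and compare a link’s visible text with where it really points) can be automated for a security team or a curious employee. The following is an added worked example, not code from the page or from Cofense. It parses a constructed sample message with Python’s standard library; the it-support-forfree.com domain is the one named above, while the .test hostnames, the display name, the link target and the trusted-domain list are assumed values.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the "web administrator" reset email above.
# it-support-forfree.com is the sender domain named on the page; everything
# else (.test hosts, display name, link target) is an assumed value.
SAMPLE_EMAIL = """\
From: "Web Administrator" <admin@it-support-forfree.com>
To: owner@example-site.test
Subject: Action required: your hosting account must be reset
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account needs to be reset within 24 hours.</p>
<p><a href="http://login-verify.example-attacker.test/reset">https://example-site.test/account</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def sender_domain(msg):
    """Domain of the From: address itself, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def link_mismatches(msg):
    """Links whose visible text names a host other than the real target."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _LinkExtractor()
    parser.feed(body.get_content())
    mismatches = []
    for text, href in parser.links:
        # Only link text that itself names a host or URL can contradict
        # the target; "click here" style text is skipped.
        if " " in text or "." not in text:
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            mismatches.append((shown, real))
    return mismatches


def triage(raw_message, trusted_domains):
    """Run the two basic checks on a raw RFC 5322 message and report findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg)
    return {
        "sender_domain": domain,
        "sender_trusted": domain in {d.lower() for d in trusted_domains},
        "link_mismatches": link_mismatches(msg),
    }


if __name__ == "__main__":
    # Assumed trusted domain for the site owner in the sample.
    for key, value in triage(SAMPLE_EMAIL, ["example-site.test"]).items():
        print(f"{key}: {value}")
```

Both findings are exactly what a person sees by reading the From: header and hovering over the link: the sending domain is not one the recipient trusts, and the link text advertises one host while the href goes to another. The display name is deliberately ignored, since it is free text an attacker controls; only the address part is used.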

Have Policies in Place

When it comes to departments like HR or finance, email security includes policy measures. If HR gets an email request to change the direct deposit account for an employee, have a policy that they send a notification email, or even better, pick up the phone to call that person. Same thing with any finance-related departments. Call the vendor and verify any invoice or payment changes before making them. It’s a little bit of extra work, but makes it much less likely that your company will lose money to phishing.

Cofense had a customer that received fraudulent invoices and didn’t verify them. The finance team just paid the invoices. It turned out that those services were never requested or provided. The company was out $60,000 and had no way to get it back. Just a quick phone call could have confirmed that the invoice wasn’t real and avoided that loss.

Just that extra step, the trust but verify … that’s really what most people can do.

Josh Bartolomie

Reporting Culture is Essential

Build a culture in your company where reporting phishing is celebrated. Don’t punish employees that fall for phishing. They don’t learn from punishment. Instead, integrate it into a learning opportunity. Also deploy a “suspicious email” button or method of reporting. Have it go to an abuse box that the security team checks every day. That provides a feedback loop for both the employee and the company on what kind of threats are coming in.

Josh heads up the managed services at Cofense. Customers using that service have a report button that sends emails to an abuse box for his team to analyze. They look at hundreds of thousands of suspicious-looking emails every month. Regardless of what kind of pre-inbox email security a company has set up, about 15% of all reported emails they get are phishing. These are emails that made it through the company’s security systems and into people’s inboxes.

Josh’s team analyzes the emails, usually within a few minutes. They let the employee know if the email is safe or suspicious, and then send the data to the security team. The 85% of emails that aren’t phishing are usually spam or some sort of business communication, such as an email blast through a third party. But this rapid response makes a difference. Cofense customers who get that response to their reports, and who have good training with recent examples, report a higher percentage of malicious emails because they know what to look for. If you don’t know what to look for, you’ll never see it.

Technology can’t solve people, people can’t solve technology, but working together it augments each other.

Josh Bartolomie

The Big Concerns in Email (and Other) Security

There are a lot of different aspects of email security and cybersecurity in general that concern Josh. A big thing that he worked on with Cofense is targeted phishing threat intelligence. It helps minimize the noise in real time. It doesn’t just include what’s in their managed services, but also what other Cofense customers are seeing in their environment.

What really keeps Josh up at night is the fact that cybersecurity has been doing roughly the same things, at least when it comes to email, for more than twenty-five years. When there’s a budget crunch, IT and security are often the first to get cut. There’s also a tendency for companies to chase what’s new and shiny when they still don’t have the fundamentals. Endpoint protection is fantastic, and firewalls and proxies are important. But why is email security, which stops threats from entering in the first place, always an afterthought? Attackers are exploiting this gap.

Why not add augmentation to your email security stack and stop an attack before it happens? It’s easier to close the door on the submarine before you submerge than it is after.

Josh Bartolomie

Don’t put your head in the sand. Don’t discount email security. It’s not new and flashy. In fact, it’s the same thing we’ve been talking about for decades. You can stop the fire before it starts if you put effort into those fundamentals. So many companies skip it. Don’t take that risk.

You can connect with Josh Bartolomie on LinkedIn. Learn more about Cofense on LinkedIn or at cofense.com. They have a lot of resources, information, and insights available. Feel free to reach out to Josh or Cofense to continue the conversation.
