Phish Are Getting To Your Inbox: Why Your “Secure” Email Gateway Isn’t
Once delivered to the inbox, phish tempt users to click and give up network or personal credentials, activate malware, or fall for scams like sextortion or wire transfer fraud. According to researchers at TAG Cyber and New York University, over 50% of enterprises report that phishing emails reach the inbox roughly once a week.
Since SEGs are missing so many phish, there’s a good chance other technologies (firewalls, anti-virus, and EDR) also aren’t spotting these threats. Such gaps can leave you vulnerable for hours or even days.
Bottom line: you can’t rely on SEGs alone. They’re the first line of defense, not the last one.
What’s a SEG?
Secure email gateways—AKA email gateways or email security solutions—are the most common type of perimeter technology used to stop phish from reaching the inbox.
Unlike firewalls and other security technologies, SEGs receive no regulatory or compliance oversight. That’s right, SEGs get zero validation testing against the problem they’re meant to solve—phishing, the #1 global cyber-threat.
In 2019, ICSA Labs tested and accredited 22 firewalls. But in recent years, only two SEGs have been tested, both in 2016. In fact, Gartner has retired its SEG Magic Quadrant.
Why SEGs Fail
As we’ve seen, SEGs can handle the basics of perimeter phishing defense. But today’s attacks are anything but basic. Here are three reasons why technology fails to stop determined attackers.