Even as attackers are growing ever more sophisticated in their methods, it seems there’s no point in messing with the tried-and-true.
According to cyber insurance company At-Bay’s 2025 InsurSec Rankings Report, email and remote access remain the most prominent cyber threat vectors, accounting for 90% of cyber insurance claims in 2024.
And, no surprise, larger companies continue to get hit hardest. But, interestingly, the virtual private networks (VPNs) many rely on are anything but secure, despite assumptions to the contrary.
“We know from our data that phishes get by e-mail filters and land in user inboxes,” said David Shipley of Beauceron Security. “This is a fascinating look at the consequences of that from an insurance data point.”
Email still the weakest point
At-Bay performed a comprehensive analysis of cyber claims between 2021 and the first quarter of 2025. By far, it found, good old email continues to be the top entry vector for attacks (43% of all incidents in 2024). Dovetailing with this, the frequency of claims involving email continues to rise, increasing by 30% year-over-year in 2024.
These attacks are the “fastest-growing and most persistent risks to businesses,” and have “accelerated dramatically” as hackers have increasingly experimented with generative AI, the researchers note.
Alarmingly, it said, 83% of fraud attacks begin with an email, and the consequences are costly: The average amount of funds transferred in an incident was $286,000, with the largest single transaction $5 million.
The report laid out the anatomy of an email fraud attack:
The infiltration: Hackers steal credentials to compromise an email system and search for information on relationships and transactions.
The setup: The attacker finds an invoice from an employee to a customer, then registers a domain that is a “near-perfect match” to the employee’s real one (for example, acme.co instead of acme.com).
The impersonation: The threat actor creates an email account on the new imposter domain and uses the same name, address, and signature as a real employee.
The request: The hacker emails the customer who sent an invoice and asks them to reroute the payment, including the original thread to make it seem legitimate.
The payout: If the victim falls for the request, and fraud isn’t detected in real time, the attacker gets the funds.
The researchers point out that in these cases, the victim organization didn’t have a security failure; an employee was just duped. “There are few opportunities for victims to detect abnormal or malicious activity until it’s too late,” they said.
Google Workspace is the most secure email provider, the report said, although claims involving the platform did triple year-over-year. Microsoft 365 users also had an increase in claims, although At-Bay didn’t quantify the growth.
Larger enterprises most at risk
The research also indicates that larger enterprises make juicy targets: Businesses with revenues between $100 million and $500 million had more than 3X the email claim frequency of those with far lower revenues (below $25 million). Furthermore, claims by large enterprises rose 70% in a single year.
“Larger companies routinely execute bigger financial transactions, manage higher balances, and handle more payment volume, making them more attractive to attackers,” the researchers write. Broader vendor networks and complex organizational structures also introduce more weaknesses and allow hackers to intercept communications and blend in.
The average claim frequency among customers using email security tools grew by 53% year-over-year, the researchers said. Users of nearly all email security tools had higher claim frequencies, except Sophos; At-Bay attributes this to Sophos’ early investment in natural language processing (NLP) that can detect the frauds. Other platforms analyzed included Proofpoint, Mimecast, Barracuda, Intermedia, and Appriver.
The dangers of VPNs and remote access
Virtual private networks (VPNs) are also a major intrusion vector, according to At-Bay’s findings. In 2024, for instance, 80% of ransomware attacks began with a remote access tool, with 83% of them involving a VPN.
Interestingly, self-managed, on-premises VPNs posed the highest risk: Their users were 4X more likely to be victims of ransomware attacks than companies with cloud-based VPNs, or even those with no VPN at all. Notably, Cisco and Citrix were the most at-risk VPNs in 2024; businesses using them were nearly 7X more likely to be victims of ransomware.
That, noted At-Bay CISO for customers Adam Tyra, is because modern remote access devices are increasingly complex and vulnerable, “making ransomware intrusions harder to prevent and more inevitable.” Professionally managed detection and response seemed to be the only control that consistently stopped full encryption from ransomware, he said.
“I’m not surprised to see the impact of attacks on network security devices; this matches the stories we’ve seen all year,” added Beauceron’s Shipley. “The bad news is that, with the ability to weaponize vulnerabilities now in as little as 15 minutes from CVE publication, and for as little as a dollar, it’s likely going to get worse in 2026.”
Enterprises need to be vigilant
At-Bay researchers noted that managed detection and response (MDR) tools helped prevent encryption, but secure email gateway (SEG) platforms repeatedly failed to detect email abuse, false content in email threads, and malicious emails sent between users in the same company.
“We were surprised to find that most email security tools we tested caught almost no fraud emails whatsoever,” the researchers said. “The few that worked well were the newest tools, built with AI from the start. This mattered because fraud emails often don’t show obvious signs that traditional rule-based tools can detect.”
AI-based tools can identify language patterns (a user’s tone or writing style) to flag abnormalities, detect easy-to-miss artifacts, flag homoglyphs (when characters look similar to the naked eye but have different underlying code, like “I” versus “1”), and catch other tricks and subtle changes (such as to phone numbers, signatures, or headers).
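The near-match domain from the fraud setup above (acme.co standing in for acme.com) and the homoglyph trick (“I” versus “1”) are both checks a defender can run on inbound sender domains before a payment-change request reaches anyone in finance. The Python below is an added example, not code from the At-Bay report or from any vendor it names: the trusted-domain list, the sample sender addresses and the deliberately small confusable tables are constructed assumptions; a production deployment would use the organisation’s real counterpart list and the full Unicode confusables data.

```python
"""Flag sender domains that look like, but are not, a trusted counterpart's domain.

Added example; not from the At-Bay report or any vendor it names. The trusted
domains, confusable tables and sample senders below are constructed assumptions.
"""
import unicodedata

# Constructed: domains this organisation actually exchanges invoices with.
TRUSTED_DOMAINS = {"acme.com", "globex.com"}

# Assumed, deliberately small confusable tables. A real check would use the
# Unicode confusables data; these only cover the substitutions shown here.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CHAR_CONFUSABLES = {
    "1": "l", "I": "l", "|": "l",   # the "I" versus "1" case from the article
    "0": "o", "5": "s", "3": "e",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0456": "i",  # Cyrillic small i
}

# Constructed sample From addresses to triage.
SAMPLE_SENDERS = [
    "ap@acme.com",
    "Jane Doe <jane@acme.co>",
    "jane@acrne.com",
    "billing@g1obex.com",
    "noreply@example.org",
]


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters so look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", domain.strip())
    for seq, repl in MULTI_CHAR_CONFUSABLES.items():
        text = text.replace(seq, repl)
    text = "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in text)
    return text.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or swapped characters like acme.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Return trusted / homoglyph / lookalike / unknown plus the closest trusted domain."""
    raw = domain.strip().lower()
    if raw in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": raw}
    sk = skeleton(domain)
    for t in trusted:
        if skeleton(t) == sk:  # identical once confusables are collapsed
            return {"domain": domain, "verdict": "homoglyph", "closest": t}
    best = min(trusted, key=lambda t: edit_distance(sk, skeleton(t)))
    if edit_distance(sk, skeleton(best)) <= max_distance:
        return {"domain": domain, "verdict": "lookalike", "closest": best}
    return {"domain": domain, "verdict": "unknown", "closest": None}


def sender_domain(address: str) -> str:
    """Minimal domain extraction for addresses like 'Jane Doe <jane@acme.co>'."""
    return address.rsplit("@", 1)[-1].rstrip(">").strip()


def triage(addresses):
    """Pair each address with its verdict; anything but 'trusted' deserves a second look."""
    return [(a, classify_sender_domain(sender_domain(a))["verdict"]) for a in addresses]


if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_SENDERS):
        print(f"{verdict:10} {address}")
```

A “homoglyph” or “lookalike” verdict on a message that also carries a payment-instruction change is exactly the combination the report says traditional rule-based gateways miss; routing those messages to an out-of-band verification step (a phone call to a known number) rather than relying on the filter alone is the practical use of this check.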
“I think here’s a great data point for why cyber defense-in-depth needs to include security awareness and not just reliance on cybersecurity tools like e-mail filters,” said Shipley.
Companies aren’t able to patch fast enough, he noted, emphasizing that the only solution is better product quality from network security vendors.
“However, given that focus has been lost from a US regulatory leadership standpoint with the end of Biden-era executive orders, the future looks a bit grim,” said Shipley.
Changing attacker tactics don’t help. Jim Routh, chief trust officer at Saviynt, pointed out that threat actors are using AI about 50% of the time to make phishing emails and SMS messages more compelling, cutting the time they need to move laterally to about 18 minutes.
In response, he said, enterprises should build a “digital immune system” with data science tools that can compare online attributes to previously validated patterns and determine deviation scores. Pre-determined thresholds can trigger automated workflows to help organizations remediate and recover from incidents “in milliseconds.”
“This approach does not need AI, but it can help with agents supporting workflows,” said Routh.
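To make the “compare attributes to validated patterns, score the deviation, trigger a workflow at a threshold” idea concrete for the invoice-rerouting fraud described earlier, here is an added Python example. It is not Saviynt’s product and not code from the At-Bay report: the attributes scored, the weights, the thresholds and the validated payment history are all constructed assumptions chosen to show the mechanism.

```python
"""Deviation scoring for vendor payment-change requests.

Added example; not from the At-Bay report or Saviynt. The scored attributes,
weights, thresholds and the validated history below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class PaymentRequest:
    vendor: str
    sender_domain: str      # domain of the mailbox asking for payment
    bank_account: str       # account the sender wants funds sent to
    amount: float
    reply_to_differs: bool  # Reply-To header points somewhere other than From


# Constructed history: requests from each vendor that finance previously verified.
VALIDATED_HISTORY = {
    "Acme": [
        PaymentRequest("Acme", "acme.com", "GB00-ACME-1", 10000.0, False),
        PaymentRequest("Acme", "acme.com", "GB00-ACME-1", 12000.0, False),
        PaymentRequest("Acme", "acme.com", "GB00-ACME-1", 11000.0, False),
    ],
}

# Assumed weights per deviating attribute, and the score limits that select a workflow.
WEIGHTS = {"new_sender_domain": 3, "new_bank_account": 4, "unusual_amount": 2, "reply_to_differs": 1}
THRESHOLDS = [(2, "auto_release"), (6, "hold_for_out_of_band_verification")]
DEFAULT_ACTION = "block_and_open_incident"


def build_baseline(history):
    """Summarise what 'normal' looks like for one vendor from its validated requests."""
    amounts = [r.amount for r in history]
    avg = mean(amounts)
    return {
        "domains": {r.sender_domain for r in history},
        "accounts": {r.bank_account for r in history},
        "mean": avg,
        # Floor the spread so a vendor with near-identical invoices still gets a usable z-score.
        "std": max(pstdev(amounts), 0.1 * avg),
    }


def deviation(req, baseline):
    """Return (score, reasons): each attribute that departs from the baseline adds its weight."""
    reasons = []
    if req.sender_domain not in baseline["domains"]:
        reasons.append("new_sender_domain")
    if req.bank_account not in baseline["accounts"]:
        reasons.append("new_bank_account")
    if abs(req.amount - baseline["mean"]) / baseline["std"] > 2.0:
        reasons.append("unusual_amount")
    if req.reply_to_differs:
        reasons.append("reply_to_differs")
    return sum(WEIGHTS[r] for r in reasons), reasons


def choose_action(score):
    """Map a deviation score to the automated workflow configured for that band."""
    for limit, action in THRESHOLDS:
        if score < limit:
            return action
    return DEFAULT_ACTION


def evaluate(req, history=VALIDATED_HISTORY):
    """Score one request against its vendor's baseline and pick the workflow to trigger."""
    past = history.get(req.vendor)
    if not past:
        # No validated pattern to compare against: never auto-release.
        return {"score": None, "reasons": ["no_baseline"], "action": "hold_for_out_of_band_verification"}
    score, reasons = deviation(req, build_baseline(past))
    return {"score": score, "reasons": reasons, "action": choose_action(score)}


if __name__ == "__main__":
    # Constructed: the rerouting request from the article's scenario, sent from a look-alike domain.
    suspect = PaymentRequest("Acme", "acme.co", "LT00-NEW-9", 11500.0, True)
    print(evaluate(suspect))
```

The point of the design is that the fraud described in the report (same name, same signature, same thread, only the domain and the destination account changed) scores high on exactly the attributes a human skims past, while a routine invoice from the known domain to the known account scores zero and flows through untouched.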