Email security relates to the different security measures your company can take to keep the content of your email accounts and email services safe and secure from cybercriminals.
Without taking email security measures, there’s little to no guarantee that the information relayed in your email communications isn’t being spied on or stolen by prying eyes.
Some of the most common methods that cybercriminals use to steal your information through email include:
- Phishing attacks
- Email spoofing
- Others that we’ll be touching on in later sections of this article
Another important thing to keep in mind is that, although most cloud email services come with basic email security, these are often not enough to keep your communications safe from more sophisticated cyber attacks.
There are many things you can do to protect against these attacks, such as applying basic email protection measures, but for more guaranteed safety, it’s best to take advantage of more advanced forms of protection.
Before we touch on what some of those protection measures are, it’s prudent to go through the various types of email threats and vulnerabilities so that you can get a good understanding of what you’re defending against.
Understanding Email Threats & Vulnerabilities
While this list does cover the threats that currently exist, you should keep in mind that the world of cyber threats is a changing landscape, and new email threats will inevitably emerge as hackers become more sophisticated.
This is one of many types of social engineering attacks. It’s plagued internet users for a long time and even managed to give Nigerian princes a bad name. They’re often used to steal data, login credentials, and other forms of valuable information.
How does the attacker get away with it?
Phishing emails take the guise of emails that come from ordinary and or legitimate companies, but they’re rarely ever perfect copies. For instance, if you receive an email that looks like it’s from Chase Bank, but there are misspellings and weird grammar, you’d be right to be suspicious.
When you open the email, it may prompt you to click on a link or download an attachment that contains malware. These attacks can be devastating for companies and individuals alike.
These emails, while dangerous, rarely target specific individuals or organizations. They’re typically like roaming sharks trying to get any particular user of an application or service.
More targeted phishing attacks come in the form of the next threat we’re covering.
If Phishing attacks are the army, Spear Phishing is the special forces. Like ordinary Phishing emails, the aim of this cyber attack is to steal your information or money.
However, Spear Phishing attacks tend to be more dangerous because their targets are better researched, and the attacker is, therefore, more able to impersonate a legitimate sender.
For instance, the Spear Phishing email you receive may look like an email from your boss or one of your employees.
Unfortunately, because of social media sites like Facebook and LinkedIn, it’s becoming easier for criminals to get information about people you know and impersonate them.
Because these types of attacks take more time and energy to prepare, they’re usually aimed at larger organizations that have more to lose.
What is a Whaling attack? Perhaps its other name will give you a clearer idea: CEO fraud.
Like Phishing, it’s used by cybercriminals to impersonate a legitimate company or individual to trick you into giving up valuable information, money, or system credentials.
But while Phishing attacks target a general user base, and Spear Phishing targets organizations that were previously scouted, Whaling attacks specifically go after the “whales” of a company: executives, senior staff, etc.
Whaling attacks manage to do this by masquerading as other senior people within an organization.
It’s much easier to refuse to give up valuable information to a “Nigerian prince” or “Mike from IT” than it is to refuse a request that looks like it’s from senior management. Especially since the former two can’t fire you.
These types of social engineering attacks are high-stakes and, unfortunately, are also on the rise. According to the FBI, Whaling attacks that occurred in 2018 alone resulted in a loss of over $12.5 billion.
Business Email Compromise
Business Email Compromise (BEC) cyberattacks are ones in which the attacker poses as someone within the organization of which they are attacking in order to ask for system credentials, sensitive information, or requests money.
According to the FBI, a hacker might get access to the information needed to carry out a BEC attack in a few ways:
- Spoofing an email account or website using a slight variation on a real email address, eg firstname.lastname@example.org vs. email@example.com.
- Spearphishing emails can be sent in an initial attack that tricks one user into revealing confidential information that lets criminals access company accounts, calendars, and data from which they can extract the details they need to carry out their second BEC attack.
- Malware can be used to get access to legitimate email accounts and/or gain information such as regular invoicing schedules so they can time their BEC attack accordingly.
Because malware isn’t always involved, it can be difficult to detect these kinds of attacks through automated software and hardware tools – another reason regular security awareness training is critical for keeping your company safe.
Once an attacker has the information they need to successfully impersonate a legitimate business email, there are four primary types of BEC attacks they’ll carry out:
- Account Compromise — This is when an employee’s email is hacked and used to request money from other people within the organization.
- Attorney Impersonation — This is when an attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge needed to question the validity of the request.
- False Invoice Scheme — Whereas the other BEC attacks impersonate members of an organization, false invoice schemes pretend to be foreign supplies that request payment for a seemingly legitimate invoice.
- Data Theft — This attack aims to acquire data belonging to individuals within a company, often CEOs and other executives, as a way to better plan future attacks. For this reason, these attacks are typically aimed at HR employees.
These pernicious email attacks guise themselves as ordinary attachments and documents that, once clicked or opened, launch an attack on your computer. Sometimes the attack is a virus that takes your information, and sometimes it puts your critical data up for ransom.
These attacks may also just be one step in a larger attack, especially if the cybercriminal aims to launch a Whaling attack.
Unsolicited Email (Spam)
This is a type of attack that you are no doubt aware of as every email service comes with a spam folder.
What you might not be aware of, however, is that this is also known as an Unsolicited Commercial Email. Spam emails tend to just be unwanted advertisements sent at a large scale, but they’re also a hotbed for nefarious content.
Other times, however, they’re just a newsletter you subscribed for that ended up in the wrong folder.
Spammers are often businesses that purchase legitimate mailing lists or that use web-scrapers to collect publicly available email addresses. While not all spam emails are from cybercriminals, many of them are, so be wary of them.
Email Password-Based Attacks
This threat is fairly straightforward, but if overlooked, it can severely undermine the security of your organization’s email communications.
When your company doesn’t adhere to password best practices it becomes easy for a cybercriminal to break into your IT-related accounts – including email.
There are many ways a hacker might attempt to breach your email security through passwords, including:
- Brute Force Attacks — When a hacker tries to break into your email account by attempting to log in several times by guessing different possible passwords. This isn’t done manually, of course. The hacker will use a program to auto-generate potential passwords and then repeatedly and rapidly try to log in. These programs can sometimes make a thousand password guesses per minute. Most modern logins restrict the number of login attempts for this reason.
- Traffic Interception Attacks — When a cybercriminal utilizes a traffic interception tool to intercept your wireless data. With enough data packets, the hacker is able to breach your network security to decipher any encrypted data, including passwords.
- Man in the Middle Attacks — When a hacker puts themselves in the middle of the communication between you (the client) and your server.
- Keylogger Attacks — Although far less common than the attacks previously covered, this attack is still dangerous when successfully applied. The hacker will utilize keylogging software that tracks the keys you type into your keyboard. They will then use the data gathered by the software to uncover any passwords or any other valuable data.
Sharing of Sensitive Data
Most of the time, email is a great and convenient way to share business information throughout your entire organization. But there are some types of information you simply don’t want to communicate via email.
Things like bank account information, password information, and other types of sensitive data should be delivered in a more secure medium.
This is especially important if your organization works in the medical industry as you or your employees may accidentally share personal health information (PHI) on your email servers.
If your emails aren’t armored up with encryption and other safety precautions, sharing PHI via email may result in a HIPAA violation that could end up costing your company up to $1.5 million.
Email can be made safer if you utilize software solutions that can encrypt your messages and protect your accounts against malware.
One such solution isn’t technically email. It works by sending a link to the person you want to email. When they click that link, they’ll be able to securely sign in to a web page that displays the contents of your email there.
How to Strengthen the Email Security of Your Company
Now that you’ve become more familiar with email security and its various threats, we’re going to go through some of the best things you and your employees can do to defend against them.
Run Regular Phishing Exercises
Most people fall prey to phishing attacks because they either weren’t aware of their existence or because they didn’t know how to spot one.
In your organization, there are no doubt some people who have side-stepped these attacks, but in order to make sure that everyone is aware of how to protect against them, it’s best to conduct a company-wide simulated phishing attack.
This is a type of exercise where your employees are intentionally sent emails that look like phishing attacks, which helps your employees become familiar with what these emails look like.
If you conduct the phishing exercise and your employees fail to spot the mock emails, no worries!
A phishing exercise is a perfect place for your employees to mess up so that they can learn from their mistakes without running the risk of giving up any valuable company information.
In addition to conducting regular phishing exercises, your company can utilize email protection software that’s capable of not only detecting phishing emails but also quarantining them so that your employees are less likely to encounter them.
Multi-Factor Authentication (MFA)
Passwords are the front-line of defense for your email accounts, but why stop there?
By utilizing MFA, you ensure that no one is able to break into your business applications or accounts unless two or more pieces of evidence are used to indicate that it is you, not an impersonator, who is trying to get into your account.
If you have an email account with Google then you’ve likely already experienced MFA in action whenever they send you a certain code to enter in before allowing you access to your account, sometimes even texting the code directly to your cell phone.
Quarantine and Remediate Messages
Your email accounts undoubtedly receive unwanted messages, from simply inappropriate content to more nefarious content like phishing links. Even if you get your employees training on how to spot and avoid these emails, you still don’t want them sitting in your inboxes.
For this reason, it’s good practice to quarantine nefarious emails. Your IT team or MSP could do this manually, but it’s more efficient to utilize a program that does the job on autopilot.
Once the emails have been quarantined, the next step is to remediate them via deletion.
Preview Shortened URLs Before Opening Them
Shortened URLs often come from bit.ly or goo.gl. They’re convenient for compressing long URLs down to a reasonable size, but they tend to mask the destination of the URL. Before clicking on such links, make sure to preview the shortened URL before following it.
To not do this is to risk being taken to a spoofed domain or getting your device infected with malware.
Enforce Solid Password Policies
Ultimately, when it comes to password protection, if your people aren’t prepared, your company isn’t prepared. This is especially true for some of the more sophisticated social engineering attacks.
In order to keep your entire organization on the same page regarding password security, you should create and enforce solid password protocols.
This can involve things like imposing a minimum password length, creating an account lockout policy that triggers after a certain number of login attempts and requiring employees to use special characters in their passwords.
One of the most important email protocols for your employees to understand is that they should not share their passwords with other employees—even the IT team.
Email Fraud Defence
Software solutions exist that help your business authentic legitimate emails and block fraudulent messages before they even have a chance to reach your inboxes. If you’re working with an MSP, be sure to ask them about this service.
Keep Your Email Accounts Safe From Prying Eyes
As mentioned early in the article, email cyberattacks are only going to continue becoming more sophisticated.
But if your organization also continues to improve your account security measures and actively engages with email security best practices, you’ll significantly lower your chances of getting your private communications hacked.
- What is Email Security? — Email security is about the different security measures your company can take to keep your email messages safe from cybercriminals
- Threats to Email Security
- Phishing, Spear Phishing, and Whaling Attacks — Phishing attacks are when an attacker sends a malicious email that impersonates a legitimate website, business, or person. Spear Phishing is a more targeted version of ordinary Phishing attacks and often appears to come from people in your organization. Whaling is the next level of Phishing attacks that go after senior-level employees in an organization. The aim of these attacks is to steal money, information, or credentials.
- Business Email Compromise Attacks — When a cyber criminal pretends to be sending an email from a legitimate source (such as someone in your organization, your attorney, or even a foreign supplier) in order to get access to sensitive business data or request illegitimate funds transfers.
- Malware Attacks — Disguised as ordinary documents or attachments, these pernicious email attacks aim to give your computer a virus, steal your information, or put your device up for ransom.
- Spam — While some spam is harmless, other types of spam are more nefarious and contain malware.
- Weak Passwords — Weak passwords are dangerous in part because passwords are the first line of defense for your email accounts. Weak passwords are easy to breach.
- Sharing Sensitive Data — You don’t want to share sensitive information over unprotected email servers because your communications could be hacked. This can be especially problematic for compliance reasons.
- Phishing Simulations — This exercise helps your employees become more aware of what Phishing attacks look like without actually compromising your email accounts.
- Multi-Factor Authentication — Utilizing multi-factor authentication adds an extra layer of security to your email accounts. It requires two or more pieces of evidence to indicate that it is in fact you trying to get access to your account.
- Quarantine and Remediate Messages — When you spot a nefarious email, you don’t just want to avoid it. Either someone in your IT team or your email security software should isolate and remove the nefarious email.
- Preview Shortened URLs — Shortened URLs may lead you to a malicious site that infects your device with a virus. Make sure you check the full URL before following the link.
- Enforce Password Policies — If your people aren’t prepared to protect your company passwords then there will always be a significant chance that your email accounts get breached. Setting up and enforcing password policies can mitigate this issue.
- Email Fraud Defence — There are software solutions that exist to help your business authentic legitimate emails and block nefarious messages before they touch your inbox.
Are Your Organization’s Emails Secure?
As you’ve probably gathered from this article, email security is a multifaceted subject that can take up a decent amount of your company’s time and energy, especially if you’re only just becoming familiar with all that goes into it.
Without a dedicated IT team to maintain the security of your work email accounts, you run the risk of unwanted third parties taking a peek into your communications or manipulating your employees to accidentally give up critical business data.
At Commprise, we believe not only in providing solutions to these problems but in personalizing said solutions to your company, rather than slapping on cookie-cutter patches to your unique cybersecurity problems.
With our Managed Security Services, you get top-of-the-line cybersecurity solutions that automate much of the tedious work that you’d normally need to do to counter the slew of email attacks that barrage businesses like yours.