Hey, did you get that sketchy email? You know, the one from that malicious hacker always trying to fool us into clicking on some malware? Boy, these criminals are relentless. Wait, what? You clicked on it? Uh-oh...
A hypothetical scenario, but one that plays out every day in organizations across the globe. Because it is so common, it offers a good opportunity to dive deeper into the topic of email security.
- Email is one of the top communication tools for businesses — and one of the most vulnerable.
- Sophisticated email phishing attacks are one of the top cybersecurity threats.
- Phishing attacks account for more than 80% of reported security incidents and lead to estimated losses of $17,700 every minute.
Such Black Hat campaigns continue to dog businesses because email is such a treasure trove of valuable information. Of course, the scope of email security goes well beyond phishing and its variations. Strong email security also demands protection against spam, viruses, ransomware, mail breaches involving theft of passwords, attachments and other sensitive information, and more. Read on for some tips and strategies for keeping your email safe.
1. Beware of sophisticated email phishing schemes
Email threats have been around for decades, but the threats continue to evolve and become more sophisticated. Different types of phishing attacks include:
- Spear phishing: targeting specific individuals rather than sending emails to thousands of recipients.
- Vishing: targeting people using similar strategies but by phone instead of email.
- Smishing: using SMS/text messaging to trick the unsuspecting victim.
- Whaling: targeting “whales”, or important people with greater access to information assets such as C-level executives.
Then there’s the Business Email Compromise (BEC) ruse in which criminals send what looks like a legitimate payment request (invoice, wire transfer, etc.) from a vendor, colleague, or boss. All too often, these schemes work. The FBI calls BEC scams “one of the most financially damaging online crimes”, and it’s no wonder: The 2022 Internet Crime Report noted that ransomware cost just over $34 million in adjusted losses while BEC losses totaled $2.7 billion. That should put things into perspective.
2. Know what to look for in a suspicious email
Fortunately, cybercriminals often leave clues to their trickery. They’re usually not as blatant as phishing emails offering to share their inheritance with you in return for your bank account and routing numbers, but there are definitely some dead giveaways. These include:
- Typos: Some malicious hackers may struggle with spelling, while others include typos for a reason: vetting their marks. According to cybersecurity advisor Joseph Steinberg, scammers may “insert sufficient clues into their messages so as to discourage responses from anyone who isn’t sufficiently gullible so as to ultimately fall prey to the scam.” The thinking is that people who are bad at spotting typos may be easier to fool.
- Unusual URLs: Scammers often use fake URLs designed to impersonate a respected organization at a glance. However, if you hover over the link, you can usually confirm whether it’s legitimate or not.
- Additional clues: Here are a few more telltale signs of a phony email:
  - The sender’s email address doesn’t match the company
  - The email contains multiple requests to click on a link
  - The footer contains a slightly different company name
  - Grammatical errors and mixed upper and lower case in the header
  - Poor layout or formatting
  - Requests for personal information
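As an added illustration of the clues above (my own example, not code from the article), here is a small Python check that applies several of them to a constructed message: the sender’s domain versus the company it claims to represent, each link target versus that domain (the “hover over the link” test), the number of click requests, and requests for personal information. The expected company domain, the sample message and the keyword list are assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message (not real mail) exhibiting the clues listed above.
PHISH_EML = """From: Example Bank Support <support@examp1e-bank-login.com>
To: someone@corp.example
Subject: Verify your account
Content-Type: text/html

<p>Dear customer, please <a href="http://examp1e-bank-login.com/v">click here</a>
and <a href="http://examp1e-bank-login.com/v">confirm</a> your password and date of birth.</p>
"""
# Assumed list of phrases that signal a request for personal information.
PII_WORDS = ("password", "date of birth", "social security", "routing number")

class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags and the visible text of the body."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])
    def handle_data(self, data):
        self.text.append(data)

def domain_of(url_or_addr):
    """Host part of a URL or mail address, without scheme, path, user or 'www.'."""
    host = re.sub(r"^\w+://", "", url_or_addr).split("/")[0].split("@")[-1].lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_signals(raw, expected_domain):
    """Names of the clues triggered by the message; an empty list means none fired."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg["From"])
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode())
    text = " ".join(parser.text).lower()
    signals = []
    if domain_of(addr) != expected_domain:
        signals.append("sender address does not match company")
    if any(domain_of(link) != expected_domain for link in parser.links):
        signals.append("link target does not match company")  # what hovering reveals
    if len(parser.links) > 1:
        signals.append("multiple requests to click a link")
    if any(word in text for word in PII_WORDS):
        signals.append("requests personal information")
    return signals
```

Run `suspicious_signals(PHISH_EML, "example-bank.com")` to see all four clues fire; a genuine message from the bank’s own domain with a single link to that domain returns an empty list.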
3. Download with caution
File attachments are popular places for scammers to hide computer viruses and other types of malware. “Unsolicited emails that contain attachments reek of hackers,” according to SecurityMetrics.com. “Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website.” Therefore, it’s best to avoid opening attachments unless you’re sure they’re legitimate.
4. Don’t click on links from a company or person you don’t know
This one should go without saying, but if you aren’t sure about the sender or the link they are trying to share with you, don’t click. Even when the sender and link look legitimate, it’s always important to exercise caution as many accounts are spoofed.
5. Use password best practices
While most of us understand we should use strong password policies, bad password practices are still rampant. In a recent poll of 3,250 people across the globe, 91% said they knew that using the same password for multiple accounts posed a security risk; however, a staggering 66% still did so (either “mostly” or “always”).
For a strong password, stay away from obvious words or phrases. The more random, the better! Also, include numbers and special characters rather than relying on length alone. To get that length, the FBI recommends using longer “passphrases” instead of just one word. This involves combining multiple words into a string of at least 15 characters.
6. Be mindful of oversharing
All kinds of personal information — the name of your cat, schools you’ve attended, your birthday, family members — can be used against you in a court of law, yet most people think nothing of sharing such sensitive information on social media. It may seem harmless and usually is. However, malicious hackers can scrape this data or just pluck it right off of a platform when they’re looking to develop a rapport for phishing schemes.
7. When in doubt, call it out
Certain emails may ask you to verify your personal information by clicking on a link. This is a challenge because the email request may even seem legitimate. But keep in mind, most companies won’t ask you for personal information in this way.
If unsure, you can call the person or company behind the email to confirm its legitimacy. Then, if it is a scam, strike a blow against email fraud by reporting it to a government agency that uses this information to track patterns in the ongoing fight against email scams.
8. Update or install antivirus software
Tech solutions — specifically antivirus software platforms — help protect individuals and organizations from viruses, spyware, malware, phishing attacks, spam attacks and other online threats. Solutions today include enterprise-level AV platforms that integrate with your specific environment.
9. Use encryption software
Exchanging sensitive files or financial information by email comes with a certain amount of risk. That’s because most email is transmitted in plain text and is not well protected as it travels between servers. Email encryption software can be of use here.
“The contents of email messages, as well as their attachments, can be intercepted and read by an attacker en route between sender and recipient (to say nothing of archived email stored on a server),” according to TechTarget, which describes encryption software as “specialized security technology for protecting the confidentiality and integrity of email messages and attachments while in transit or in storage.”
Email encryption can offer valuable protection in any industry, and in some it is a requirement. For example, medical records and government data are both examples of information that must be encrypted before being shared.
10. Implement an email archiving solution
Many businesses — especially those whose email correspondence must be preserved for regulatory compliance or who may require access to eDiscovery in the event of possible litigation — utilize an email archiving solution. This not only preserves messages but provides instant, searchable access to archived email correspondence.
Fingertip access to company emails can also be helpful in tracking potential email security issues. For example, an email archiving solution enables you to search all company emails within a specified time frame. You can then search the word “password” and see how many times people have shared this kind of sensitive information within the specified parameters. In this instance, this kind of specific, easily accessible information will give you a good idea of whether cyber awareness training might be needed.
11. Back up important data
Even doing everything right doesn’t completely ensure an individual won’t fall victim to a phishing attack. To be prepared, back up everything you can.
Better yet, invest in data backup management software that will automatically back up all email communication, including your contacts, calendar items, and other relevant data. This can also be helpful if you need to search through emails around the time of a data breach to see what kind of information may have been compromised.
12. Implement a Security Operations Center
Protecting your email is just one part of the vast cybersecurity landscape. Large organizations may want to think of the big picture and consider creating (or hiring out) a Security Operations Center (SOC). A SOC is a team of cybersecurity professionals responsible for monitoring your environment, identifying potential threats and developing a plan of action to eliminate them.
The Email Inbox: Stay Safe in There
Securing your email is just like locking the front door to your network. What enters there can adversely affect the rest of your ecosystem, and hackers know that. That’s why, for organizations of all sizes across all sectors, implementing robust email security protocols is an essential precaution.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.