Imagine your bank sending your account details together with your PIN on the back of a postcard. Ludicrous idea, right? Well, failing to secure your email is much the same. An email security breach can cost you money. And not just in hours of lost productivity, but more severely through your customers losing faith in your brand - a dire cost indeed.
When considering email security you first need to understand that email is, was and always will be an easy target for hackers. Essentially it’s an open portal straight into your network and all a hacker has to do is send an email with a compromised attachment and hope a single employee opens it. Once they’re in, they’re able to freely navigate your network and access your proprietary data and information.
Cybercriminals use a combination of ‘tricks and tools’ to get this right, and one of the best ways of thwarting them is to be aware of their tactics. Let’s take a look at 3 of the most common threats when it comes to our inbox.
3 Common Email Threats
Phishing (pronounced ‘fishing’) is often the first phase of an attack and one of the most talked about email threats. Its objective is to identify active users or accounts and solicit personal information from the user. This is often done via innocuous-looking emails that are sent to unsuspecting users asking them to click a link, respond or open an attachment.
Once the user responds in any way, the sender knows the account is alive, making it a viable target for more advanced forms of phishing. Examples include an email that looks like it’s from your bank prompting you to log in to your Internet banking, or a software vendor asking you to reset your password. If the user takes the bait, they inadvertently surrender personal details such as usernames and passwords to the hacker, allowing him to access previously protected information.
Education is key in minimising successful phishing attempts. While some phishing emails are rudimentary, generic and quite obviously fake, many - if not most - are rather sophisticated, well-crafted and emulate professional, legitimate businesses well. Users need to be mindful of phishing and be able to scrutinise emails that may be attacks. Educate employees on typical phishing tricks and encourage them to carefully examine emails that aren’t expected or look even marginally different from a sender’s normal style. And when in doubt, it’s probably best to delete!
Malware, short for malicious software, is a type of application specifically designed to infect your machine, steal information, break software and be a general nuisance. It includes the likes of spyware, viruses and Trojan horses, which are often hidden within attachments or other downloads.
Strong antivirus protection, updated regularly, on both user machines and mail servers, is a good measure to prevent your email from acting as a hacker’s gateway to your system. Historically, email antivirus and endpoint virus applications required a dedicated piece of hardware to manage them, which meant additional costs to businesses. Today you can protect your email through cloud managed services such as Google Apps and Office 365, which have antivirus baked in. Similarly, endpoints can now be protected by cloud services such as Sophos, which significantly reduces the administration burden on IT departments.
In a spoofing attack, the hopeful hacker masquerades as a legitimate entity - one you’re probably familiar with - and sends you email from an address you generally consider as safe. Spoofers rely on the fact you have an existing communication relationship with the address in question, and as such wouldn’t necessarily be wary about clicking on an embedded link or opening an infected attachment from your trusted contact.
Occasionally they’ll get this right if your email server doesn’t require authentication (tip here: require authentication!), but increasingly hackers spoof your email by setting their own “from” address and routing it through a new email server. Unfortunately, you can’t stop an email server from pretending to be you, but you can notify mail servers to accept email only from your specified email server. You do this by specifying Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records with your domain registrar. This prevents rogue email servers from posing as your company and exploiting your contacts and customers.
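To show how a receiving mail server uses the SPF record described above, here is an added example (not part of the original article) that evaluates a sending IP against a record and flags policies that restrict nothing. The records, the example.com domain and the IP addresses are constructed, and only the ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed sample TXT records for the placeholder domain example.com.
STRICT = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
WEAK = "v=spf1 ip4:192.0.2.0/24 +all"  # "+all" authorises every server
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate sender_ip against the ip4/ip6/all mechanisms of an SPF record.

    Simplified: mechanisms that need DNS lookups (a, mx, include, exists)
    are skipped, so this is not a full RFC 7208 evaluator.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def audit(record: str) -> list:
    """Flag SPF policies that do not actually restrict who may send."""
    terms = [t.lower() for t in record.split()[1:]]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        return ["no 'all' mechanism: unlisted servers get a neutral result"]
    if all_terms[0][0] in "+a":  # "+all" and bare "all" both mean pass
        return ["'+all' authorises any server to send as this domain"]
    if all_terms[0][0] == "?":
        return ["'?all' is neutral: receivers get no guidance"]
    return []
```

A record ending in -all lets receivers reject mail from servers you have not listed; one ending in +all passes every sender and offers no protection against spoofing.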
Email is a ubiquitous element of our online activity and a primary communication tool used to build relationships and trust with clients. As a critical channel, security should be high up on your agenda. Educate your employees on how to identify potentially harmful emails and what action they should take. Ensure your machines and servers run reliable, current antivirus software and add a layer of protection to your email by setting SPF and DKIM records. These small practices can make a big difference to your email security and deter would-be hackers.