Hey, did you get that sketchy email? You know, the one from that malicious hacker trying to fool us into clicking on some malware? Boy, these criminals are relentless. Wait, what? You clicked on it? Uh-oh.
A hypothetical scenario, but one that plays out every day in organizations across the globe — a very real scenario that provides a good reason to take a deep dive into the topic of email security. Here are some more good reasons:
Such black-hat campaigns continue to dog businesses because email is such a treasure trove of valuable information. Of course, the scope of email security goes well beyond phishing and its variations. Strong email security also demands protection against spam, viruses, ransomware, mail breaches involving theft of passwords, attachments and sensitive information and more.
Read on for some tips and strategies for keeping your email safe.
Email Security — Top Tips & Strategies
- Beware of sophisticated email phishing schemes
We’re not done warning you about phishing yet; not even close. Email threats have been around for decades, but the threats continue to evolve and become more sophisticated. The different types of phishing attacks include:
- Spear phishing: targeting specific individuals rather than sending emails to thousands
- Vishing: targeting people using similar strategies but by phone instead of email
- Smishing: using SMS/text messaging to trick the unsuspecting
- Whaling: targeting “whales” – important people with greater access to information assets such as company CEOs
Then there’s the Business Email Compromise (BEC) ruse in which criminals send an email that looks like it’s a legitimate request from a legitimate source such as a vendor you work with frequently, a colleague or supervisor. The FBI calls BEC scams “one of the most financially damaging online crimes.” A scammer might spoof an email account or website with slight variations to trick people into thinking they are real. Examples include offering a coupon for a free item, saying your account is on hold and you must make a payment, asking you to confirm personal information, warning you there is suspicious activity on your account, etc.
- Know what to look for in a suspicious email
Fortunately, cybercriminals aren’t always the brightest bulbs, and they often leave clues to their trickery. They’re usually not as blatant as the fake guy sitting on a pile of gold and offering to share it with you in exchange for your bank account and routing numbers, but there are definitely some dead giveaways. These include:
- Typos!!! — Some malicious hackers have a subpar command of English; however, others may include typos for a reason — vetting their marks. According to cybersecurity advisor Joseph Steinberg, scammers may “insert sufficient clues into their messages so as to discourage responses from anyone who isn’t sufficiently gullible so as to ultimately fall prey to the scam.” The thinking is that people who are bad at spotting typos may be easier to fool. Either way, avoid opening any emails from the Untied (sic) States government.
- Unusual URLs — Scammers sometimes type in fake URLs to make it look like they’re connected to or offering information from a respected organization. However, if you hover over the link, you can usually confirm whether it’s legit.
- Additional clues — Here are a few more helpful tips on sniffing out phony emails:
  - The sender’s email address doesn’t match the company
  - The email contains multiple requests to click on a link
  - The footer contains a slightly different company name
  - Grammatical errors and mixed upper and lower case in the header
  - Poor layout/formatting
  - Requests for personal information
Can you spot a phishing email? You can take an online quiz to test your knowledge.
- Download with caution
File attachments are popular places for scammers to hide computer viruses and other types of malware. “Unsolicited emails that contain attachments reek of hackers,” according to SecurityMetrics.com. “Typically, authentic institutions don’t randomly send you emails with attachments, but instead direct you to download documents or files on their own website.” Therefore, it’s best to avoid opening attachments unless you’re sure they’re legitimate.
- Don’t click on links from a company or person you don’t know
This one should go without saying, but if you aren’t sure about the sender of the email or the link they are trying to share with you, don’t click. Even if you know the sender or the email looks legitimate, it’s always important to exercise caution.
- Use password best practices
Most people know they should use strong passwords and be careful about guarding them; nevertheless, bad password practices are still rampant. In a recent poll of 3,250 people across the globe, 91% said they knew that using the same password for multiple accounts posed a security risk, but 66% said they did so “mostly” or “always.”
For a strong password, stay away from obvious words or phrases. The more random, the better! Also, use numbers and characters. The FBI recommends using longer “passphrases” instead of just one word. This involves combining multiple words into a string of at least 15 characters.
“Contrary to conventional wisdom, experts now say that you don’t need to change your passwords on a regular basis,” according to a Consumer Reports article offering tips for better passwords. But if an account is hacked or your password is revealed in a data breach, you need to change it.
- Be mindful of oversharing
All kinds of personal information — even the name of your dog or cat, schools you’ve attended, your birthday and those of family members, etc. — can be used against you, yet most people think nothing of sharing such info on social media. It may seem harmless (and usually is); however, malicious hackers use such data to try to guess passwords or establish a personal connection in a phony email.
- When in doubt, call to verify
Certain emails may ask you to verify your personal information by clicking on a link, and the email request may even seem legitimate. But keep in mind that most companies won’t ask you for personal information through an email.
Therefore, if you’re unsure, simply call up the person or company behind the email to confirm its legitimacy. Then, if it is a scam, strike a blow against email fraud by reporting it to a government agency that uses this information to track patterns in the ongoing fight against email scams.
- Update or install antivirus software
OK, time to talk tech solutions — specifically antivirus software that helps protect individuals and organizations from viruses, spyware, malware, phishing attacks, spam attacks and other online threats. Here are reviews of some of the top antivirus solutions from TechRadar and PCMag.
- Use encryption software
Exchanging sensitive files or financial information by email comes with a certain amount of risk. That’s because most email is transmitted in plain text and is not well protected as it travels between servers. That’s why many organizations use email encryption software.
“The contents of email messages, as well as their attachments, can be intercepted and read by an attacker en route between sender and recipient (to say nothing of archived email stored on a server),” according to TechTarget, which describes encryption software as “specialized security technology for protecting the confidentiality and integrity of email messages and attachments while in transit or in storage.”
Email encryption can offer valuable protection in any industry, and in some industries it is a requirement. For example, medical records and government data are both examples of information that must be encrypted before being shared.
- Implement an email archiving solution
Many businesses — especially those whose email correspondence must be preserved for regulatory compliance or who may require access for eDiscovery in the event of possible litigation — utilize an email archiving solution that preserves and provides instant, searchable access to archived email correspondence.
Fingertip access to company emails can also be helpful in tracking potential email security issues. For example, an email archiving solution enables you to search all company emails within a specified time frame for, say, the word “password” and see how many times people have shared this kind of sensitive information. This will give you a good idea of where your employees stand on email security and whether cyber awareness training might be needed.
Archiving solutions create an automatic backup of all email communication, which helps keep your email secure in the event of technical problems or system issues that do not involve outside interference.
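The time-boxed search for the word “password” described above can be sketched as follows. This is an added example, not part of the original article and not any archiving product's API; the four messages are constructed and the `hits_by_sender` helper is hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed archive export (not real mail); addresses use the reserved .test TLD.
ARCHIVE = [
    "From: alice@corp.test\nDate: Mon, 02 Mar 2020 09:15:00 +0000\n"
    "Subject: VPN access\n\nThe password is Spring2020, same as last time.\n",
    "From: bob@corp.test\nDate: Tue, 03 Mar 2020 23:30:00 -0800\n"
    "Subject: Re: shared drive\n\nSending you my Password in a sec.\n",
    "From: alice@corp.test\nDate: Fri, 10 Apr 2020 12:00:00 +0000\n"
    "Subject: password reset policy\n\nReminder about the new policy.\n",
    "From: carol@corp.test\nDate: Wed, 04 Mar 2020 08:00:00 +0000\n"
    "Subject: Lunch\n\nPasswordless login demo at noon.\n",
]

def hits_by_sender(raw_messages, term, start, end):
    """Count messages per sender that mention `term` as a whole word, sent in [start, end)."""
    pattern = re.compile(rf"\b{re.escape(term)}\b", re.IGNORECASE)
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        # Date headers carry their own UTC offset; compare as timezone-aware values.
        sent = parsedate_to_datetime(str(msg["Date"]))
        if not (start <= sent < end):
            continue
        body = msg.get_body(preferencelist=("plain",))
        text = f"{msg['Subject']}\n{body.get_content() if body else ''}"
        if pattern.search(text):
            counts[str(msg["From"])] += 1
    return dict(counts)

if __name__ == "__main__":
    march = (datetime(2020, 3, 1, tzinfo=timezone.utc),
             datetime(2020, 4, 1, tzinfo=timezone.utc))
    print(hits_by_sender(ARCHIVE, "password", *march))
```

Whole-word matching keeps “Passwordless” from counting as a hit, and the April message falls outside the March window even though its subject contains the term.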
- Back up important information & data
You may do everything right to prevent an email phishing attack, but the reality is they still do happen, especially since we use email so frequently.
In 2020, approximately 4 billion emails will be sent and received around the world.
In order to be prepared, you should back up everything you can. Better yet, invest in an email archiving solution that will automatically back up all email communication, your contacts, calendar items and other relevant data. This can also be helpful if you need to search through emails around the time of a data breach to see what kind of information may have been compromised.
- Implement a Security Operations Center
Protecting your email is just one part of the vast cybersecurity landscape. Large organizations may want to think big picture and consider implementing a Security Operations Center (SOC), which refers to a team of cybersecurity professionals responsible for monitoring your environment, identifying potential threats and developing a plan of action to eliminate them.
Keeping your email safe and secure may not always seem worthy of being a top priority. But for organizations of all sizes across all sectors, implementing robust email security protocols is an essential precaution.
About the Author: Chuck Bane is academic director and professor of practice for the University of San Diego’s online Master of Science in Cyber Security Engineering program; he is a retired naval officer whose experience includes collaboration on cybersecurity projects with the Department of Homeland Security, the NSA and the DoD.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.