For many organizations, email is the biggest source of communication with the outside world. A huge amount of data passes in and out of companies’ servers through this channel, much of it involving sensitive information and personal details that business owners would be horrified to have intercepted. And when everybody from the mailroom to the CEO uses the same mail client, security is paramount.
But despite this great need for protection, a lot of companies are surprisingly lax in their efforts to keep out cybercriminals and encrypt their data. Email is such a routine part of the day, and much of it is so mundane, that it’s easy to overlook as a threat. But one group that never overlooks this vulnerability is cybercriminals, who use it to gain easy access to company information. And because email is ubiquitous throughout organizations, they can take their time and search for the weakest link.
Email attacks can take many forms, and it’s important for organizations to understand the common methods used by cybercriminals so that they can be prepared for the inevitable attempts on their network.
- Phishing is one of the most popular forms of email-based cybercrime, a form of social engineering involving deceptive messages intended to bait the victim into revealing sensitive information or downloading malicious attachments, which can then infect the victim’s computer.
- Infected attachments are a threat we recently encountered ourselves at Switchfast, a form of intrusion that involves harmless-looking email attachments that actually contain malware such as viruses, worms, spyware, Trojan horses, ransomware, and other malicious software. Thankfully, Switchfast has precautionary measures in place to catch those emails, and safely deal with the attachments.
- Spoofed URLs are similar to infected attachments, but instead of including innocuous-looking files, they include false links, which lead victims to sites built to steal their personal information or infect their computer with malware. These sites are often clones of popular websites, and when the victim enters in their personal information such as logins or credit card details, the attacker can save those for their own use.
Email Security Software
Every organization should have some sort of scanning and filtering system for their email client to weed out malware and phishing attempts, before they get to employees. It is also a good idea to ensure that whatever software solution you employ has attachment protection, which, as explained above, prevents malicious attacks from slipping through your filters and prevents those that make it past from doing any harm. Our email security client has a feature called Attachment Protect, which allows employees to open suspicious attachments in a safe manner.
For those who regularly send emails containing sensitive information, it is worth obtaining a digital certificate allowing you to encrypt your communications. For large companies, a PKI (Public Key Infrastructure) provides a system to implement that encryption across the organization. If neither of these options are a good fit for your organization, you can simply use a third party, secure email service.
The easiest way to defend against malicious emails is to arm your employees with the tools to do so themselves. Establish company-wide rules about procedures for handling email from unknown senders, and provide training to employees in order to prepare them for the inevitable phishing attempts. If they know what to look out for, they will be much less likely to take the bait.
In addition to these measures, it is important to remember your standard email security rules: choose strong passwords, keep your email address guarded, protect the computer on which you’re using email, and beware of using your email on public computers or public Wi-Fi. Most successful attacks involve some level of carelessness on the part of the victim, some slipup that provides cybercriminals an opportunity. But with some basic precautions, you can eliminate those possibilities and ensure that your email and your organization remain safe.
Written by Luke Robbins