In order to avoid becoming another organization that suffers from not taking email security seriously, you have to understand what email security is, why it’s important, and what tangible steps you can take to protect your business from the relevant threats.
Email security relates to the different security measures your company can take to keep the content of your email accounts and email services safe and secure from cybercriminals. Without taking email security measures, there’s little to no guarantee that the information relayed in your email communications isn’t being spied on or stolen by prying eyes.
Although most cloud email services come with basic email security, these are often not enough to keep your communications safe from more sophisticated cyber attacks. There are things you can do to protect against these attacks, like applying basic email protection measures, but for more guaranteed safety it’s best to take advantage of more advanced forms of protection.
Understanding Email Threats & Vulnerabilities
This is one of many types of social engineering attacks. It’s plagued internet users for a long time and even managed to give Nigerian princes a bad name. They’re often used to steal data, login credentials, and other forms of valuable information.
How does the attacker get away with it?
Phishing emails take the guise of emails that come from ordinary and or legitimate companies, but they’re rarely ever perfect copies. For instance, if you receive an email that looks like it’s from Chase Bank, but there are misspellings and weird grammar, you’d be right to be suspicious.
When you open the email, it may prompt you to click on a link or download an attachment that contains malware. These attacks can be devastating for companies and individuals alike.
These emails, while dangerous, rarely target specific individuals or organizations. They’re typically like roaming sharks trying to get any particular user of an application or service.
More targeted phishing attacks come in the form of the next threat we’re covering.
If Phishing attacks are the army, Spear Phishing is the special forces. Like ordinary Phishing emails, the aim of this cyber attack is to steal your information or money.
However, Spear Phishing attacks tend to be more dangerous because their targets are better researched, and the attacker is, therefore, more able to impersonate a legitimate sender.
For instance, the Spear Phishing email you receive may look like an email from your boss or one of your employees.
With social media sites like Facebook and LinkedIn, it’s becoming easier for criminals to get information about people you know and impersonate them. Because these types of attacks take more time and energy to prepare, they’re usually aimed at larger organizations that have more to lose.
Like Phishing, it’s used by cybercriminals to impersonate a legitimate company or individual to trick you into giving up valuable information, money, or system credentials. But while Phishing attacks target a general user base, and Spear Phishing targets organizations that were previously scouted, Whaling attacks specifically go after the “whales” of a company: executives, senior staff, etc.
Whaling attacks manage to do this by masquerading as other senior people within an organization. It’s much easier to refuse to give up valuable information to a “Nigerian prince” or “Mike from IT” than it is to refuse a request that looks like it’s from senior management. Especially since the former two can’t fire you.
Business Email Compromise
Business Email Compromise (BEC) cyberattacks are ones in which the attacker poses as someone within the organization of which they are attacking in order to ask for system credentials, sensitive information, or requests money.
According to the FBI, a hacker might get access to the information needed to carry out a BEC attack in a few ways:
- Spoofing an email account or website using a slight variation on a real email address, eg [email protected] vs. [email protected].
- Spearphishing emails can be sent in an initial attack that tricks one user into revealing confidential information that lets criminals access company accounts, calendars, and data from which they can extract the details they need to carry out their second BEC attack.
- Malware can be used to get access to legitimate email accounts and/or gain information such as regular invoicing schedules so they can time their BEC attack accordingly.
Because malware isn’t always involved, it can be difficult to detect these kinds of attacks through automated software and hardware tools – another reason regular security awareness training is critical for keeping your company safe.
Once an attacker has the information they need to successfully impersonate a legitimate business email, there are four primary types of BEC attacks they’ll carry out:
- Account Compromise — This is when an employee’s email is hacked and used to request money from other people within the organization.
- Attorney Impersonation — This is when an attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge needed to question the validity of the request.
- False Invoice Scheme — Whereas the other BEC attacks impersonate members of an organization, false invoice schemes pretend to be foreign supplies that request payment for a seemingly legitimate invoice.
- Data Theft — This attack aims to acquire data belonging to individuals within a company, often CEOs and other executives, as a way to better plan future attacks. For this reason, these attacks are typically aimed at HR employees.
These pernicious email attacks guise themselves as ordinary attachments and documents that, once clicked or opened, launch an attack on your computer. Sometimes the attack is a virus that takes your information, and sometimes it puts your critical data up for ransom.
These attacks may also just be one step in a larger attack, especially if the cybercriminal aims to launch a Whaling attack.
Unsolicited Email (Spam)
This is a type of attack that you are no doubt aware of as every email service comes with a spam folder.
What you might not be aware of, however, is that this is also known as an Unsolicited Commercial Email. Spam emails tend to just be unwanted advertisements sent at a large scale, but they’re also a hotbed for nefarious content.
Other times, however, they’re just a newsletter you subscribed for that ended up in the wrong folder.
Spammers are often businesses that purchase legitimate mailing lists or that use web-scrapers to collect publicly available email addresses. While not all spam emails are from cybercriminals, many of them are, so be wary of them.
Email Password-Based Attacks
This threat is fairly straightforward, but if overlooked, it can severely undermine the security of your organization’s email communications.
When your company doesn’t adhere to password best practices it becomes easy for a cybercriminal to break into your IT-related accounts – including email.
There are many ways a hacker might attempt to breach your email security through passwords, including:
- Brute Force Attacks — When a hacker tries to break into your email account by attempting to log in several times by guessing different possible passwords. This isn’t done manually, of course. The hacker will use a program to auto-generate potential passwords and then repeatedly and rapidly try to log in. These programs can sometimes make a thousand password guesses per minute. Most modern logins restrict the number of login attempts for this reason.
- Traffic Interception Attacks — When a cybercriminal utilizes a traffic interception tool to intercept your wireless data. With enough data packets, the hacker is able to breach your network security to decipher any encrypted data, including passwords.
- Man in the Middle Attacks — When a hacker puts themselves in the middle of the communication between you (the client) and your server.
- Keylogger Attacks — Although far less common than the attacks previously covered, this attack is still dangerous when successfully applied. The hacker will utilize keylogging software that tracks the keys you type into your keyboard. They will then use the data gathered by the software to uncover any passwords or any other valuable data.
Sharing of Sensitive Data
Most of the time, email is a great and convenient way to share business information throughout your entire organization. But there are some types of information you simply don’t want to communicate via email.
Things like bank account information, password information, and other types of sensitive data should be delivered in a more secure medium.
This is especially important if your organization works in the medical industry as you or your employees may accidentally share personal health information (PHI) on your email servers.
If your emails aren’t armored up with encryption and other safety precautions, sharing PHI via email may result in a HIPAA violation that could end up costing your company up to $1.5 million.
Email can be made safer if you utilize software solutions that can encrypt your messages and protect your accounts against malware.
One such solution isn’t technically email. It works by sending a link to the person you want to email. When they click that link, they’ll be able to securely sign in to a web page that displays the contents of your email there.
Are Your Organization’s Emails Secure?
With our Managed Security Services, you get top-of-the-line cybersecurity solutions that automate much of the tedious work that you’d normally need to do to counter the slew of email attacks that barrage businesses like yours.