Picture a typical Monday morning. You’re up and ready to start the week. You take a sip of coffee, maybe check sports scores or news for a few minutes, then finally set out to work by logging into your email account, only to get an invalid username or password error. You try a few more times, then contact your admin, who has some surprising news for you – the logs show that you changed your password over the weekend. Not just your email password, but all your passwords.
Only you didn’t. You don’t quite remember how you spent your Saturday and Sunday, but randomly changing your work passwords over the weekend for no reason doesn’t seem very “you”.
What’s happened here? The most likely explanation – you’ve been hacked. And the most likely source is the resource you just tried to access – your email.
Why Email Security Is Important
Email is the most common source of security breaches for businesses. The 2020 Verizon Data Breach Investigations Report found that over 67% of malware infections came from email.
Why is that? For one, it’s one of the few ways people from outside your organization can send you stuff electronically and unsolicited. It’s not like people you don’t know with no connection to your business can send you files directly to your company Dropbox or file share without any prior communication or permission, or message you on your internal Slack or Teams.
Secondly, we all use email, and some of us are especially busy, or not very tech savvy, or both. Especially if we have 50+ unread emails in our inbox, we may not think twice about open a file or clicking on a link in an email that supposedly contains an applicant’s resume or an unpaid invoice, but actually causes us to open or download malware.
And because email is necessary to running a business, you can’t block it from your networks like you can other potential sources of malware, like social media, unsafe websites, and USB thumb drives.
Third, hacking attempts via email can be difficult to stop if you don’t have the right tools or a workforce that knows and follows security best practices. Blocking malicious email attachments isn’t that hard if you have an email security gateway, an email service like Gmail with built-in antivirus, or just block attachments from non-whitelisted external emails altogether. Malicious URLs are a bit harder to detect, as are attempts by hackers to trick employees into sharing passwords and other sensitive information.
Email Security Best Practices
1) The Basics
There are a variety of ways for hackers to break into your networks via email, including malware-infected attachments and links to sites that force you to download malware or trick you into providing your credentials. And to protect yourself from a variety of threats, you need a variety of IT security solutions, including:
- Spam filtering. Use an email spam filter or email security gateway to block malware-containing emails and reduce the overall spam (including phishing attempts) entering your mailbox.
- Antivirus software. If malware gets past your spam filter, the next line of defense is antivirus software, which typically scans all new, downloaded files before you open them. It’ll quarantine and delete any malware it finds.
- Employee security training. Teach your employees the basic email security best practices listed below. Even the most robust security measures won’t help you if your employees don’t know the basics, like double-checking suspicious links and common phishing methods to look out for.
2) Click Carefully
Don’t click on suspicious-looking links. Pay close attention to the domain, because hackers will sometimes buy close misspellings of popular domains. For example, you might get an email from someone claiming to be from Bank of America customer support, but their link is bankofamerica.fakesite.com or www.bankofamreica.com, with a bunch of meaningless parameters behind the URL to throw you off.
Also, be aware that the destination URL can be different from the blue anchor text, so the blue anchor text may say bankofamerica.com but the destination URL leads to fakehackingsite.com. In most email clients and browsers, you can display the true destination URL by hovering your cursor over the link without clicking. If you want to be extra safe, you can usually just navigate to the relevant site yourself without clicking on the email – just open a browser and go to bankofamerica.com and then to your account, for example.
Complicating things, at least with mass email blasts, is the fact that sometimes unfamiliar links can actually be legit. The sender may be using an email service, marketing tracking tool, or URL shortener, which will redirect to the destination URL. You shouldn’t see any links like this in a personal email. Again, just navigate to the relevant site yourself if you’re unsure.
3) Beware Attachments
Be very careful when opening attachments sent from people you don’t know and/or that you weren’t expecting. Many different types of files can contain malware, including Word and Excel docs, PDFs, ZIP files, and executables such as EXE and BAT. Scan them with your antivirus before opening, and also be aware that your antivirus software may not detect the malware if the malware is too new or your antivirus software is out of date.
If you’re unsure about a file, ask your IT department or MSP to inspect it for you. They’ll typically be happy to spend a few seconds checking out your file, instead of a few days cleaning up the unholy mess of a malware infection.
4) Watch Out for Impostors
Don’t assume that just because you’re familiar with the name of the sender that an email or its links or attachments are legit. There are still a number of ways that the email could be a potential security risk:
- A hacker could be in control of the email account in question
- The sender may be sharing a malware-infected file without knowing it
- A hacker may simply have changed their “From” email name to someone you know; if you check the actual sending address in the email header, it may be something completely unknown, like [email protected]
- Even if you verify that the sending address is correct, be aware that even this can be “spoofed”, so that it appears to be really coming from the person you know’s actual email address (note that you can set up something called SPF records to prevent someone from doing this using your domain, reach out if you need help with this)
The point here isn’t to make you so paranoid that you dive and take cover under your desk every time you get an email. Just be aware that these forms of email trickery exist and be vigilant, especially if it involves requests for sensitive information like passwords or payment info. A lot of hackers are lazy and inept or simply don’t write very good English, so it can be easy to spot most phishing attempts where hackers pretend to be someone you know. Or they’re extremely vague or make unusual requests – check out this picture do you know this person?, I need you to buy 10 $100 gift cards for me I’ll pay you back, etc.
If something seems fishy (or phishy, rather), though, go ahead and take the extra step and verify with the person that they actually sent the email via an in-person conversation or phone call.
5) Consider Email Encryption
Email encryption prevents your emails from being intercepted on their way to and from your mailbox. Many companies use it as an extra layer of security when sending sensitive data like payment info, SSNs, and health records. There a variety of email encryption solutions out there like ZixMail and Smarsh that’ll even automatically detect when someone is sending sensitive data and encrypt it for them. Ask your IT department or MSP for details.
Need Any Help?
If you need any help or have any questions regarding email security, reach out to XO or (866) 888-9901 at any time. We can help you create and implement email security policies, deploy and manage IT security solutions, and more.